
Ensure a separate partition for containers has been created (Automated) #555

Closed
osorito opened this issue Aug 28, 2024 · 3 comments

osorito commented Aug 28, 2024

Describe the bug

The docker-bench-security gives the following error:
Ensure a separate partition for containers has been created (Automated)

Steps followed

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

Tested it
sudo ./docker-bench-security.sh

Verified /var is on a separate partition

omar@Blaze:~$ sudo df -h
Filesystem      Size  Used Avail Use% Mounted on
tmpfs           197M  1.3M  196M   1% /run
/dev/sda1       3.9G  2.7G  1.2G  70% /
tmpfs           984M  3.1M  981M   1% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
/dev/sda16      881M   62M  758M   8% /boot
/dev/sda15      105M  6.1M   99M   6% /boot/efi
/dev/sdb2       6.1G  1.1G  4.8G  18% /var
/dev/sdb3       6.1G   88K  5.8G   1% /tmp
/dev/sdb1        13G  5.6M   12G   1% /home
tmpfs           197M   12K  197M   1% /run/user/1000
omar@Blaze:~$ sudo lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda       8:0    0    5G  0 disk 
├─sda1    8:1    0    4G  0 part /
├─sda14   8:14   0    4M  0 part 
├─sda15   8:15   0  106M  0 part /boot/efi
└─sda16 259:0    0  913M  0 part /boot
sdb       8:16   0   25G  0 disk 
├─sdb1    8:17   0 12.5G  0 part /home
├─sdb2    8:18   0  6.3G  0 part /var
└─sdb3    8:19   0  6.2G  0 part /tmp
sr0      11:0    1    4M  0 rom  

Version

Distribution [Ubuntu 24.04]

omar@Blaze:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 24.04.1 LTS
Release:	24.04
Codename:	noble

Expected behavior

Those warnings should not happen.

Output

omar@Blaze:~/docker-bench-security$ sudo ./docker-bench-security.sh
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.6.0
#
# Docker, Inc. (c) 2015-2024
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------

Initializing 2024-08-28T21:26:43+00:00


Section A - Check results

[INFO] 1 - Host Configuration
[INFO] 1.1 - Linux Hosts Specific Configuration
[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)
thaJeztah (Member) commented

I suspect the check expects "/var/lib/docker" to be in a partition separate from other "/var/" paths (as those will be used by other tools)

osorito (Author) commented Aug 28, 2024

Since Ansible is on the table, I modified the server creation script.

omar@Blaze:~/docker-bench-security$ sudo lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS
sda       8:0    0    5G  0 disk 
├─sda1    8:1    0    4G  0 part /
├─sda14   8:14   0    4M  0 part 
├─sda15   8:15   0  106M  0 part /boot/efi
└─sda16 259:0    0  913M  0 part /boot
sdb       8:16   0   25G  0 disk 
├─sdb1    8:17   0 12.5G  0 part /home
├─sdb2    8:18   0    5G  0 part /var
├─sdb3    8:19   0  6.3G  0 part /tmp
└─sdb4    8:20   0  1.2G  0 part /var/lib/docker
sr0      11:0    1    4M  0 rom 
#cloud-config
disk_setup:
  /dev/sdb:
    table_type: "gpt"
    layout:
      - 50
      - 20
      - 25
      - 5
    overwrite: true
.....
  - label: var_docker_disk
    filesystem: "ext4"
    device: "/dev/sdb"
    partition: "sdb4"
.....
  - cmd: mkfs -t %(filesystem)s -L %(label)s %(device)s
    label: var_lib_dockr
    filesystem: "ext4"
    device: "/dev/sdb4"

mounts:
  - ["/dev/sdb1", "/home"]
  - ["/dev/sdb4", "/var/lib/docker"]

Code should check to see if /var is on a separate partition.
How big should said /var/lib/docker partition be? In my case I made it 5% of the disk size.

konstruktoid (Collaborator) commented

The code expects docker info -f '{{ .DockerRootDir }}' to be a separate partition.
Regarding size, it's always site specific. 5% might be enough in your case, if you increase the number of containers you might need to increase the size.
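The point of this thread, as an added example that is not docker-bench-security's own code: check 1.1.1 passes only when the directory reported by `docker info -f '{{ .DockerRootDir }}'` is itself a mount point, so a separate /var is not enough. The script below reads a mount table in /proc/mounts format so the logic can be exercised against two constructed tables, the reporter's layout before and after the sdb4 partition was added. The function names, the fallback to /var/lib/docker when `docker` is unavailable, and the [PASS]/[WARN] wording are this example's own choices, not the bench's.

```shell
#!/bin/sh
# Added example, not docker-bench-security's own code. Reproduces the intent of
# CIS Docker Benchmark 1.1.1 as described in this thread: the Docker root
# directory must itself be a mount point, not merely live under a separate /var.

# Docker root dir as the daemon reports it; falls back to the default
# /var/lib/docker when docker is not installed or the daemon is not running.
docker_root_dir() {
    docker info -f '{{ .DockerRootDir }}' 2>/dev/null || echo /var/lib/docker
}

# is_mount_point DIR [MOUNTS_FILE]
# Succeeds when DIR (trailing slash ignored) appears as a mount point in the
# mounts table; the table defaults to the live /proc/mounts.
is_mount_point() {
    dir=${1%/}
    [ -n "$dir" ] || dir=/
    awk -v d="$dir" '$2 == d { found = 1 } END { if (found) exit 0; exit 1 }' "${2:-/proc/mounts}"
}

# nearest_mount DIR [MOUNTS_FILE]
# Prints the closest ancestor of DIR (or DIR itself) that is a mount point.
nearest_mount() {
    p=${1%/}
    [ -n "$p" ] || p=/
    while [ "$p" != / ]; do
        if is_mount_point "$p" "$2"; then echo "$p"; return 0; fi
        p=$(dirname "$p")
    done
    echo /
}

# check_docker_root DIR [MOUNTS_FILE]
# Prints one line in the bench's [PASS]/[WARN] style; returns 0 on pass.
check_docker_root() {
    if is_mount_point "$1" "$2"; then
        echo "[PASS] 1.1.1 - $1 is its own mount point"
        return 0
    fi
    echo "[WARN] 1.1.1 - Ensure a separate partition for containers has been created (Automated)"
    echo "       $1 is not a mount point; nearest mount is $(nearest_mount "$1" "$2")"
    return 1
}

# Constructed mount tables (not real output) in /proc/mounts format: the
# reporter's layout before and after adding sdb4. Prints the temp file's path.
sample_mounts() {
    f=$(mktemp "${TMPDIR:-/tmp}/mounts.XXXXXX")
    {
        echo "/dev/sda1 / ext4 rw,relatime 0 0"
        echo "/dev/sdb2 /var ext4 rw,relatime 0 0"
        echo "/dev/sdb3 /tmp ext4 rw,relatime 0 0"
        echo "/dev/sdb1 /home ext4 rw,relatime 0 0"
        if [ "$1" = after ]; then
            echo "/dev/sdb4 /var/lib/docker ext4 rw,relatime 0 0"
        fi
    } > "$f"
    echo "$f"
}

main() {
    before=$(sample_mounts before)
    after=$(sample_mounts after)
    echo "== first layout: /var separate, no /var/lib/docker mount =="
    check_docker_root /var/lib/docker "$before" || :
    echo "== after adding sdb4 at /var/lib/docker =="
    check_docker_root /var/lib/docker "$after" || :
    echo "== this host, as the bench would see it =="
    check_docker_root "$(docker_root_dir)" || :
    rm -f "$before" "$after"
}

main "$@"
```

Against the first table the warning line names /var as the nearest mount, which is exactly the situation in the original report: /var is separate, but the Docker root directory inherits that mount rather than having its own.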

@osorito osorito closed this as completed Aug 29, 2024