#273 anonymous volume check

[Anonymous]

Originally created by: mosonyi

The Problem

How does it look, for instance:

# Dockerfile
FROM ubuntu:24.04

RUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*

VOLUME /data

CMD ["bash", "-c", "echo hello > /data/test.txt && sleep infinity"]

:::bash
docker build -t anon-volume-demo:latest .

:::yaml
# stack.yaml
# If we don't define a volume it will create one
version: "3.8"

services:
  demo:
    image: anon-volume-demo:latest
    deploy:
      replicas: 1

:::bash
docker stack deploy -c stack.yml demo

With every redeploy, a new volume will be generated, and the old one will remain as an orphan on the node.

Solution

To fix this, we need the agent deployed.

SAFE

The service explicitly defines all mounts, and the image does not declare any additional VOLUME paths that are not covered. This means the container will not create anonymous volumes at runtime.

POSSIBLE_ANON_VOLUME

The image declares one or more VOLUME paths, but the service does not explicitly mount those paths. In this situation, Docker may create anonymous volumes when the task container starts.

CONFIRMED_ANON_VOLUME

A node-level inspection (via an agent running on the Swarm nodes) has confirmed that the running container actually created and is using an anonymous volume. This can only be verified by inspecting the container’s mounts and the local volumes on the node where the task is running.