Docker read-only socket volume

New to docker and was listening to the talk given here (relevant part from 14:40 to about 16:00). The relevant portion talks about having a read-only volume for sockets to communicate with, say, a MySQL server. The scenario he presents is that it prevents someone who’s hacked into the server from deleting the MySQL socket.

I’m just having trouble understanding what security threat this means to deal with. He says that all the hacker would be able to do is “select my email address” (presumably meaning he has access to all the data). Is this not a huge security breach?

Secondly, what is the advantage of this method over connecting using TCP/IP? Is it simply so you don’t have to expose that port in your container?

From my understanding, the only security it provides is to prevent them from deleting the unix domain socket from the read-only server. Is this actually a big deal from a security standpoint if it were to happen?

Answer

You understand correctly. A read-only volume will be as secure as an exposed TCP port.

You may want to use UNIX sockets for performance or compatibility reasons. In such a case you don’t want the compromised container to be able to delete the socket and cause a DoS for all other MySQL clients. With TCP this is impossible since you cannot “delete” a TCP server socket.
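As an added example (not part of the question or the answer above), a docker-compose file showing the arrangement being discussed: the service names `db` and `app`, the image `my-app:latest` and the volume name `mysql-sock` are assumptions; the MySQL side keeps a writable mount so the server can create its socket, while the client side mounts the same directory `:ro`, with the writable mount it replaces left in a comment.

```yaml
# Added example, not taken from the original post. Service names, the
# application image and the volume name are assumptions.
services:
  db:
    image: mysql:8
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
    volumes:
      # MySQL must create (and on shutdown remove) mysqld.sock itself,
      # so the server's side of the shared directory stays writable.
      - mysql-sock:/var/run/mysqld
    # No "ports:" entry: nothing is published on the host or the bridge
    # network; clients reach MySQL only through the socket directory.

  app:
    image: my-app:latest          # assumed application image
    environment:
      # Client libraries accept a socket path in place of host:port.
      DB_SOCKET: /var/run/mysqld/mysqld.sock
    volumes:
      # Weak setting (for comparison): a writable mount lets a compromised
      # "app" container unlink mysqld.sock and deny service to every other
      # client of this MySQL server.
      # - mysql-sock:/var/run/mysqld
      #
      # Corrected: ":ro" still allows connect() on the socket, so the app
      # keeps full query access (as the answer says, same exposure as a TCP
      # port), but the container cannot delete or replace the socket file.
      - mysql-sock:/var/run/mysqld:ro
    depends_on:
      - db

volumes:
  mysql-sock:
```

The `:ro` flag protects only the socket file's existence, not the data behind it; a compromised `app` container still holds whatever database credentials it was given.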
