Docker read-only socket volume

New to docker and was listening to the talk given here (relevant part from 14:40 to about 16:00). The relevant portion talks about having a read-only volume for sockets to communicate with, say, a MySQL server. The scenario he presents is that it prevents someone who’s hacked into the server from deleting the MySQL socket.

I’m just having trouble understanding what security threat this means to deal with. He says that all the hacker would be able to do is “select my email address” (presumably meaning he has access to all the data). Is this not a huge security breach?

  • Using same containers with multiple project on local host
  • Application takes different amount of memory on different systems
  • docker-compose not downloading additions to requirements.txt file
  • Coupling Compojure application with rethinkdb and docker-compose
  • How to make postgres.app db accessible to docker container?
  • elastic beanstalk can not find Dockerfile
  • Secondly, what is the advantage of this method over connecting using TCP/IP? Is it simply so you don’t have to expose that port in your container?

    From my understanding, the only security it provides is to prevent them from deleting the unix domain socket from the read-only server. Is this actually a big deal from a security standpoint if it were to happen?

  • Unable to install chef-server on docker container
  • AWS Elastic Beanstalk Application and Static Assets Deployment Isolation
  • Dockerfile unexpected behaviour between RUN commands
  • DevOps Simple Setup
  • Port unreachable after deploying NGINX image to IBM Bluemix Container Cloud
  • Installing seaborn on Docker Alpine
  • One Solution collect form web for “Docker read-only socket volume”

    You understand correctly. A read-only volume will be as secure as an exposed TCP port.

    You may want to use UNIX sockets for performance or compatibility reasons. In such case you don’t want the compromised container to be able delete the socket and cause a DoS for all other MySQL clients. With TCP this is impossible since you cannot “delete” a TCP server socket.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.