Docker read-only socket volume
New to docker and was listening to the talk given here (relevant part from 14:40 to about 16:00). The relevant portion talks about having a read-only volume for sockets to communicate with, say, a MySQL server. The scenario he presents is that it prevents someone who’s hacked into the server from deleting the MySQL socket.
I’m just having trouble understanding what security threat this means to deal with. He says that all the hacker would be able to do is “select my email address” (presumably meaning he has access to all the data). Is this not a huge security breach?
Secondly, what is the advantage of this method over connecting using TCP/IP? Is it simply so you don’t have to expose that port in your container?
From my understanding, the only security it provides is to prevent them from deleting the unix domain socket from the read-only server. Is this actually a big deal from a security standpoint if it were to happen?
One solution for “Docker read-only socket volume”
You understand correctly. A read-only volume will be as secure as an exposed TCP port.
You may want to use UNIX sockets for performance or compatibility reasons. In such case you don’t want the compromised container to be able to delete the socket and cause a DoS for all other MySQL clients. With TCP this is impossible since you cannot “delete” a TCP server socket.
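The setup the answer describes, written out as a Docker Compose file. This is an added illustration, not configuration from the question, the answer or the talk. It assumes the MySQL container places its UNIX socket under `/var/run/mysqld` (the path used by the official MySQL image) and that the application container connects through that socket rather than over TCP; the service and volume names are made up for the example. The `app` service mounts the socket directory with `:ro`, which is the read-only volume the answer refers to.

```yaml
# Added example: sharing a MySQL UNIX socket between containers.
# Paths and service names are assumptions for illustration.
services:
  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD_FILE: /run/secrets/db_root_password
    volumes:
      # The server needs write access: it creates mysqld.sock here.
      - mysql-socket:/var/run/mysqld

  app:
    image: example/app:latest          # placeholder application image
    depends_on:
      - db
    volumes:
      # Read-only mount: the client can still connect() to the socket
      # (connect does not require a writable mount), but it cannot
      # unlink /var/run/mysqld/mysqld.sock, so a compromised app
      # container cannot knock the socket out from under other clients.
      - mysql-socket:/var/run/mysqld:ro
    environment:
      # Assumed application setting: point the client at the socket file.
      DB_SOCKET: /var/run/mysqld/mysqld.sock

volumes:
  mysql-socket:

secrets:
  db_root_password:
    file: ./db_root_password.txt        # placeholder secret file
```

Without the `:ro` suffix on the `app` mount, a process in the app container could remove the socket file and cause the denial of service the answer mentions; with it, deletion fails while queries keep working. As the answer also notes, this is the only thing the read-only mount buys: the database account the app uses still determines what data a compromised container can read, so that account should be granted only the privileges the application needs.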