Docker read-only socket volume

New to docker and was listening to the talk given here (relevant part from 14:40 to about 16:00). The relevant portion talks about having a read-only volume for sockets to communicate with, say, a MySQL server. The scenario he presents is that it prevents someone who’s hacked into the server from deleting the MySQL socket.

I’m just having trouble understanding what security threat this means to deal with. He says that all the hacker would be able to do is “select my email address” (presumably meaning he has access to all the data). Is this not a huge security breach?

Secondly, what is the advantage of this method over connecting using TCP/IP? Is it simply so you don’t have to expose that port in your container?

From my understanding, the only security it provides is to prevent them from deleting the unix domain socket from the read-only server. Is this actually a big deal from a security standpoint if it were to happen?

One solution collected from the web for “Docker read-only socket volume”

You understand correctly. A read-only volume will be as secure as an exposed TCP port.

You may want to use UNIX sockets for performance or compatibility reasons. In such a case you don’t want the compromised container to be able to delete the socket and cause a DoS for all other MySQL clients. With TCP this is impossible since you cannot “delete” a TCP server socket.
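The following is an added example, not code from the question, the answer or the talk. It reproduces the two facts the answer relies on with a plain UNIX-domain socket standing in for mysqld: a client that can reach the socket can still talk to the server when the directory holding the socket is not writable, and a client with a writable directory can unlink the socket and cut off every later client while the server keeps running. A read-only Docker mount cannot be created offline, so the script makes the socket directory mode 0o555 instead; that blocks unlink for an unprivileged user the way EROFS would inside a `:ro` mount. When run as root the chmod does not block the unlink, and the result dict records that so the check is not misread.

```python
import functools
import os
import socket
import tempfile
import threading

# Stand-in for mysqld: a UNIX-domain stream server that answers b"ok" to each connection.
def start_server(sock_path):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    stop = threading.Event()

    def loop():
        srv.settimeout(0.2)  # poll so the thread notices the stop flag
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(b"ok")

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()

    def shutdown():
        stop.set()
        thread.join()
        srv.close()

    return shutdown

# Stand-in for a MySQL client: True only if connect() succeeds and the server answers.
def client_can_connect(sock_path):
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
            c.settimeout(1)
            c.connect(sock_path)
            return c.recv(2) == b"ok"
    except OSError:  # FileNotFoundError after an unlink, ECONNREFUSED if server is gone
        return False

@functools.lru_cache(maxsize=None)
def demo_results():
    """Run the scenario once and return what was observed at each step."""
    results = {"running_as_root": os.geteuid() == 0}
    with tempfile.TemporaryDirectory() as tmp:
        sockdir = os.path.join(tmp, "mysqld")   # constructed path, like /var/run/mysqld
        os.mkdir(sockdir)
        sock_path = os.path.join(sockdir, "mysqld.sock")
        shutdown = start_server(sock_path)
        try:
            results["connect_ok"] = client_can_connect(sock_path)

            # Model the read-only volume: the directory is no longer writable by us.
            os.chmod(sockdir, 0o555)
            results["connect_ok_readonly_dir"] = client_can_connect(sock_path)
            try:
                os.unlink(sock_path)
                results["delete_blocked"] = False  # only root gets here
            except PermissionError:
                results["delete_blocked"] = True

            # Model a writable volume in a compromised container: delete the socket.
            os.chmod(sockdir, 0o755)
            if os.path.exists(sock_path):
                os.unlink(sock_path)
            # The server process is still alive, but no new client can find it: the DoS.
            results["connect_ok_after_delete"] = client_can_connect(sock_path)
        finally:
            shutdown()
            os.chmod(sockdir, 0o755)  # let TemporaryDirectory clean up
    return results

if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key}: {value}")
```

The reason the trick works on a real `:ro` bind mount is that connect() needs write permission on the socket inode, and the kernel's read-only-filesystem check refuses MAY_WRITE only for regular files, directories and symlinks, so sockets on a read-only mount remain connectable while unlink() in that directory fails with EROFS. Note what the read-only mount does not do: a client that can connect can still run any query the MySQL account allows, which is the point the answer makes by comparing it to an exposed TCP port.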
