Back story below, but here's the question: I've discovered that if I have postgresql running on my docker host, I can connect to it in a container via a domain socket mounted as a file:

docker run -v /var/run/postgresql/:/var/run/postgresql

This feels like a major hack, so I'm curious if this is truly horrible in a production environment. Thoughts?


The backstory

The backstory is that I have postgresql running on the docker host because I don't trust docker to run postgresql directly.

So I need to connect to that postgresql instance from a docker container running on the same server. I tried:

  • Using --add-host

    But this was also a hack because it required that docker run be put inside a script to figure out the right IP of the host machine. Something like:

     docker run --add-host=postgres-host:$(ip route show | awk '{print $2}')


    I didn't like having to do that.

  • I tried using --net=host, but...that's not what we want. We want an overlay network.

  • I tried setting this from within the container by looking up the IP address of the host there, but I didn't feel great running a script just for this purpose.

So...I thought: "What about using the domain socket?"

mlissner

2 Answers

Mounting sockets doesn't sound like a hack to me. In fact, mounting /var/run/docker.sock is the standard method used if you want to use docker commands from inside a container.

Alassane Ndiaye

  • Huh. Hadn't seen that concept yet. Looks like there's a good explainer here: https://stackoverflow.com/questions/35110146/can-anyone-explain-docker-sock/35110344. Thanks! – mlissner May 07 '19 at 16:41
What I thought of is security & scalability.

  • security

    With docker, even if the container is attacked by hackers, you still have one layer of protection between the container (web server) & the host (database server), but with a unix socket, I guess the data will be exposed to the hacker directly.

  • scalability

    One reason we need to separate the web server & database server is: if we encounter a performance issue, we can easily extend the web server; with more web servers connected to one database server, the application can support more people visiting.

    But with a unix socket, the web server in docker is not scalable; you have to put the web server (container) on the same machine to utilize the unix socket of the db.

atline

    This approach seems no less secure to me than having a TCP connection to the database on the host. – David Maze May 07 '19 at 10:01
  • Not sure; with TCP, hackers may need more effort to find which port is open, and with a network there may be more ways (firewall, etc.) to control the access. But with a unix socket, there is no additional protection from the container. Not familiar with security about networks & hackers, just a thought. In fact, I guess this is not a thing related to docker, just related to a reverse proxy's benefit. But I guess scalability is a thing users need to think about. – atline May 07 '19 at 10:05
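A hardened form of the socket mount from the question, written as a docker-compose service, as an added example that is not from the question or either answer; the service name, image, UID, role and database names are assumptions.

```yaml
# Added example (not from the question or answers). Names below are placeholders.
services:
  web:
    image: example-app:latest          # placeholder image name
    # Run the app as a fixed, unprivileged UID. Note: if pg_hba.conf uses "peer"
    # auth, the server resolves this UID against the HOST's passwd database,
    # not the container's, so a UID collision with a host account would map
    # the container process onto that account's Postgres role.
    user: "10001:10001"
    environment:
      # libpq treats a PGHOST that begins with "/" as a socket directory,
      # so the app connects over the mounted socket instead of TCP.
      PGHOST: /var/run/postgresql
      PGUSER: app                      # placeholder role
      PGDATABASE: appdb                # placeholder database
    volumes:
      # Mount only the socket directory, as in the question; nothing else
      # from the host's filesystem is exposed to the container.
      - /var/run/postgresql:/var/run/postgresql
```

The matching server-side control is the `local` line in pg_hba.conf (e.g. `local appdb app scram-sha-256`), which restricts socket connections to a named role and database and requires a password rather than `trust` or `peer`, so a compromised container only ever holds that one role's credentials.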