[lxc-users] Unix Sockets communications between containers

Michael H. Warfield mhw at WittsEnd.com
Tue Nov 11 19:34:48 UTC 2014


On Tue, 2014-11-11 at 20:20 +0100, Hans Feldt wrote:
> With a dir potentially you get a bunch of other sockets available in the container, how can such
> a security issue be handled?

Use tailored application specific directories for the sockets?  That's
no different than using application specific subdirectories for temp
files.  Even if it's just one socket in one directory, creating that
additional directory provides the isolation from other sockets you
desire while supporting socket recreation as Serge points out.

> /Hans

Mike

> On 11/11/2014 08:03 PM, Serge Hallyn wrote:
> > Yup - the dir is generally recommended since if the daemon
> > dies and restarts, you'll be able to pick up the new socket
> > without restarting the container.
> >
> > Quoting Hans Feldt (hans.feldt at ericsson.com):
> >> I tested something similar (using docker) and just did a bind mount
> >> of the host directory where the UNIX socket was created into the
> >> container and that worked just fine. I think you can bind mount just
> >> the socket file (and not the dir).
> >> /Hans
> >>
> >> On 11/11/2014 02:28 PM, CDR wrote:
> >>> Dear friends
> >>> I have a container with mysql and wish to have all other containers, and the host, be able to use
> >>> a socket to post queries to my database. I thought of sharing a common host-directory, such as
> >>> /temp. Once all containers can access the same directory, will they actually be able to talk to
> >>> mysql? Mysql uses sockets to communicate with applications in the same box. It is much faster and
> >>> uses far less resources than tcp. Does this make any sense? What would it take to make this scenario
> >>> work?
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> lxc-users mailing list
> >>> lxc-users at lists.linuxcontainers.org
> >>> http://lists.linuxcontainers.org/listinfo/lxc-users
> 

-- 
Michael H. Warfield (AI4NB) | (770) 978-7061 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
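The dedicated-directory approach Mike and Serge describe, as an added example that is not part of this thread or of LXC itself: a host directory holding only the one daemon socket is what gets shared, a daemon that dies and restarts re-creates its socket under the same path, and a client that connects by path keeps working because it reaches the directory, not a pinned socket file. The `lxc.mount.entry` line follows LXC's fstab-style bind-mount syntax (container path relative to the container root, `create=dir` to create the mount point); the host path `/srv/sockets/mysqld`, the toy daemon and the "unrelated.sock" neighbour are all constructed for the example, and the daemon serves one request at a time in the caller's thread so the script needs no root and no LXC to run.

```python
import os
import socket
import stat
import tempfile


def lxc_mount_entry(host_dir, container_path):
    """Config line that bind-mounts a host directory into the container.
    Assumed format: LXC's fstab-style lxc.mount.entry, with the target given
    relative to the container root and create=dir so LXC makes the
    mount point if the rootfs lacks it."""
    return "lxc.mount.entry = %s %s none bind,create=dir 0 0" % (
        host_dir, container_path.lstrip("/"))


def sockets_in(directory):
    """Names of Unix sockets directly inside a directory: this is exactly
    what a container sharing that directory would be able to connect to."""
    found = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISSOCK(st.st_mode):
            found.append(name)
    return found


class ToyDaemon:
    """Stand-in for a daemon listening on a Unix socket (constructed for the
    example; it is not mysqld).  serve_one() answers a single queued
    connection so the whole scenario runs in one thread."""

    def __init__(self, path):
        self.path = path
        self.sock = None

    def start(self):
        # A restarting daemon must unlink the stale path before bind(),
        # otherwise bind() fails with EADDRINUSE.  The new socket file is a
        # new inode under the old name: a bind mount of the *directory*
        # still reaches it, a bind mount of the old *file* would not.
        try:
            os.unlink(self.path)
        except FileNotFoundError:
            pass
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.bind(self.path)
        self.sock.listen(1)

    def serve_one(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.settimeout(5)
            conn.sendall(b"reply:" + conn.recv(1024))

    def stop(self):
        # Closing the listening socket is the "daemon died" event; the
        # socket file itself stays on disk, as it does for real daemons.
        self.sock.close()


def query(daemon, payload):
    """Client side: connect by path (the connection queues in the backlog
    until the daemon accepts it), send one request, return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.settimeout(5)
        c.connect(daemon.path)
        c.sendall(payload)
        daemon.serve_one()  # in real life the daemon's own accept loop does this
        return c.recv(1024)


def demo():
    """Run the scenario from the thread and return what was observed."""
    with tempfile.TemporaryDirectory() as shared:   # stands in for a broad /tmp
        app_dir = os.path.join(shared, "mysqld")   # the dedicated subdirectory
        os.mkdir(app_dir, 0o750)
        sock_path = os.path.join(app_dir, "mysqld.sock")

        # An unrelated socket living in the broad directory: sharing /tmp
        # would expose it, sharing only app_dir does not.
        other = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        other.bind(os.path.join(shared, "unrelated.sock"))

        daemon = ToyDaemon(sock_path)
        daemon.start()
        first = query(daemon, b"select 1")
        daemon.stop()                 # daemon dies ...
        daemon = ToyDaemon(sock_path)
        daemon.start()                # ... and restarts under the same path
        second = query(daemon, b"select 2")
        daemon.stop()
        other.close()
        return {
            "broad_dir": sockets_in(shared),   # what sharing /tmp would expose
            "app_dir": sockets_in(app_dir),    # what sharing the subdir exposes
            "first": first,
            "second": second,
        }


if __name__ == "__main__":
    print(lxc_mount_entry("/srv/sockets/mysqld", "/var/run/mysqld"))
    print(demo())
```

The returned dictionary shows the two halves of the argument side by side: `app_dir` lists only `mysqld.sock` while `broad_dir` also lists the unrelated socket, and `second` is answered after the daemon has been restarted, which is the case where a bind mount of the socket file alone would have gone stale.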
