
How to pass docker.sock to your containers while keeping security - titpetric
https://scene-si.org/2016/04/25/exposing-your-docker-api/
======
jjn2009
This is a great idea; I've always been wary of mounting docker.sock into a
container. Does a read-only mount make any difference, I wonder?

~~~
fpoling
From a security point of view there is little practical difference. The
container can still communicate with docker normally and trivially become
root on the host. What it prevents is altering ownership and permissions of
the socket.

~~~
jjn2009
Ah okay, so that's why I see people using a read-only mount on a docker socket.
That makes sense. Somehow I never thought of that implication; I was just
thinking about how in the world a file descriptor permission would affect the
HTTP traffic as it travels over the socket, but obviously it doesn't.
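
The point made in the replies above, turned into an audit check (an added example, not part of any comment in the thread or of the linked article): it scans `docker inspect` output for bind mounts that expose the Docker socket and reports them whether or not they are read-only. The sample input and container names are constructed.

```python
import json

# Usual host paths of the Docker daemon socket (/var/run is normally a symlink to /run).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
# Bind-mounting one of these directories exposes the socket too.
SOCKET_DIRS = {"/var/run", "/run"}


def find_socket_mounts(inspect_json):
    """Return one finding per mount that exposes the Docker socket.

    inspect_json is the text printed by `docker inspect <container> ...`.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            source = mount.get("Source", "").rstrip("/")
            if source not in SOCKET_PATHS and source not in SOCKET_DIRS:
                continue
            findings.append({
                "container": name,
                "source": source,
                # RW is false for a :ro mount. Per the thread, that only stops
                # chown/chmod of the socket; the API stays reachable.
                "read_only": not mount.get("RW", True),
                "api_reachable": True,
            })
    return findings


# Constructed sample in the shape of `docker inspect` output (names are made up).
SAMPLE = json.dumps([
    {"Name": "/ci-runner", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
    {"Name": "/log-shipper", "Mounts": [
        {"Type": "bind", "Source": "/run/",
         "Destination": "/host/run", "Mode": "", "RW": True}]},
    {"Name": "/web", "Mounts": [
        {"Type": "bind", "Source": "/srv/www",
         "Destination": "/usr/share/nginx/html", "Mode": "ro", "RW": False}]},
])

if __name__ == "__main__":
    for f in find_socket_mounts(SAMPLE):
        mode = "ro" if f["read_only"] else "rw"
        print(f"{f['container']}: {f['source']} mounted {mode}, Docker API reachable")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` in place of the sample.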

