Back story below, but here's the question: I've discovered that if I have postgresql running on my docker host, I can connect to it in a container via a domain socket mounted as a file:
docker run -v /var/run/postgresql/:/var/run/postgresql
This feels like a major hack, so I'm curious if this is truly horrible in a production environment. Thoughts?
The backstory is that I have postgresql running on the docker host because I don't trust docker to run postgresql directly.
So I need to connect to that postgresql instance from a docker container running on the same server. I tried:
Using --add-host
But this was also a hack because it required that docker run be put inside a script to figure out the right IP of the host machine. Something like:
docker run --add-host=postgres-host:$(ip route show | awk '{print $2}')
I didn't like having to do that.
I tried using --net=host, but...that's not what we want. We want an overlay network.
I tried setting this from within the container by looking up the IP address of the host there, but I didn't feel great running a script just for this purpose.
So...I thought: "What about using the domain socket?"
A socket is an endpoint that passes data between two pieces of software. A Unix domain socket uses the local filesystem as its namespace (it appears as a file, and who may connect is governed by file permissions), while an IP socket uses the network. Docker itself relies on one: /var/run/docker.sock is the Unix socket on which the daemon, dockerd, accepts Docker Engine API requests from the command-line client, and the daemon can listen on three socket types: unix, tcp and fd. PostgreSQL likewise accepts local connections on a Unix socket (on Debian-based systems /var/run/postgresql/.s.PGSQL.5432) in addition to TCP port 5432.
Mounting sockets doesn't sound like a hack to me. In fact, mounting /var/run/docker.sock is the standard method used if you want to use docker commands from inside a container.
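The approach from the question, worked out as an added example (a shell script written for this page, not code from the thread or from the Docker or PostgreSQL projects). It assumes the Debian/Ubuntu socket directory /var/run/postgresql, an image named app:latest that contains psql, and a hypothetical database appdb with role app. It adds the checks a practitioner would want before calling this "production": mount the directory rather than the socket file, pin the container uid because peer authentication resolves it against the host's account database, and do not expect ":ro" on the mount to act as an access control.

```shell
#!/bin/sh
# Added example; not code from the original thread. Assumptions (placeholders):
# PostgreSQL runs on the host with its socket directory at /var/run/postgresql
# (Debian/Ubuntu default); "app:latest" is an image that contains psql;
# "appdb" and "app" are a hypothetical database and role.
set -eu

# Pre-flight check on the mount source. Bind-mount the directory, never the
# socket file: PostgreSQL unlinks and recreates .s.PGSQL.<port> on restart,
# and a bind mount of the file itself would keep pointing at the dead inode.
socket_dir_ok() {
  dir=$1
  port=${2:-5432}
  if [ ! -d "$dir" ]; then
    echo "refusing to mount: $dir is not a directory" >&2
    return 1
  fi
  if [ ! -S "$dir/.s.PGSQL.$port" ]; then
    echo "no PostgreSQL socket at $dir/.s.PGSQL.$port (is the server running?)" >&2
    return 1
  fi
}

# Print the docker run command line (a function so it can be inspected before
# anything is launched).
#  * --user pins the container uid. PostgreSQL "peer" auth reads the client's
#    uid from the kernel (SO_PEERCRED) and resolves it in the *host's* account
#    database, so the uid the container runs as is what the server sees
#    (userns-remap shifts it). Choose it deliberately instead of inheriting
#    whatever the image defaults to.
#  * libpq treats a PGHOST that begins with "/" as a socket directory, so no
#    TCP port publishing, --add-host or host-IP discovery is needed at all.
#  * A ":ro" suffix on the mount would only stop the container from creating
#    files in that directory; it does not limit what is said over the socket.
#    Access control belongs in pg_hba.conf and in the role's privileges.
build_run_cmd() {
  sock_dir=$1; image=$2; uid=$3; dbname=$4; dbuser=$5
  printf 'docker run --rm --user %s -v %s:/var/run/postgresql -e PGHOST=/var/run/postgresql -e PGDATABASE=%s -e PGUSER=%s %s\n' \
    "$uid" "$sock_dir" "$dbname" "$dbuser" "$image"
}

# Launch a one-off client through the socket. inet_server_addr() is NULL for
# a Unix-socket connection, which confirms that no TCP path was used.
run_psql_via_socket() {
  sock_dir=${1:-/var/run/postgresql}
  socket_dir_ok "$sock_dir"
  cmd=$(build_run_cmd "$sock_dir" app:latest 1000 appdb app)
  # word-splitting the constructed command line is intended here
  $cmd psql -c 'select current_user, inet_server_addr()'
}
```

Source the file and call run_psql_via_socket on the Docker host; the query should return the role name and a NULL address. Whether the connection is then accepted is decided by the host's pg_hba.conf, not by anything in the container.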
What I thought about is security & scalability.

Security

With docker, even if the container was attacked by hackers, you still have one layer of protection between the container (web server) & the host (database server), but with a unix socket, I guess the data will be exposed to the hacker directly.

Scalability

One reason we need to separate the web server & database server is: if we encounter a performance issue, we can easily scale out the web server; with more web servers connecting to one database server, the application can support more visitors. But with a unix socket, the web server in docker is not scalable; you have to put the web server (container) on the same machine to use the db's unix socket.
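The security point above is that the socket hands a compromised container a direct line to the database. What limits the damage is configured on the host side, and as an added example (shell script written for this page, not from the thread or from PostgreSQL) the script below shows the two halves of that: a pg_hba.conf narrowed so that the container's role can only reach its own database with SCRAM authentication, and a small first-match checker that makes the ordering rule visible. The checker is a simplified model of PostgreSQL's first-match semantics for "local" lines (it does not model address matching), the pg_hba.conf contents are constructed, and appdb, app and the password are hypothetical. On top of this, unix_socket_permissions and unix_socket_group in postgresql.conf can restrict which uids/gids may connect to the socket file at all.

```shell
#!/bin/sh
# Added example; not from the original thread. "appdb" and "app" are a
# hypothetical database and role; the pg_hba.conf contents are constructed.
set -eu

# Constructed pg_hba.conf as commonly found on a host: the broad
# "local all all peer" line is what lets *any* container uid that resolves to
# a host account try *every* database over the mounted socket. A narrower
# line placed after it would never be reached (first match wins).
HBA_BEFORE='local all postgres peer
local all all peer
host all all 127.0.0.1/32 scram-sha-256'

# Narrowed version for the socket: the container role reaches only its own
# database and must present a SCRAM password; everything else arriving over
# the socket is rejected explicitly rather than left to fall-through. The
# superuser line stays first so host-side maintenance keeps working.
HBA_AFTER='local all postgres peer
local appdb app scram-sha-256
local all all reject
host all all 127.0.0.1/32 scram-sha-256'

# hba_match CONF TYPE DATABASE USER
# Prints the auth method of the first matching line, or "no-match".
# Models PostgreSQL's first-match rule: connection type, then database
# ("all" or exact name), then user ("all" or exact name). Address/CIDR
# matching for host lines is deliberately not modelled.
hba_match() {
  printf '%s\n' "$1" | awk -v type="$2" -v db="$3" -v user="$4" '
    $1 ~ /^#/ || NF == 0 { next }
    $1 != type { next }
    ($2 == "all" || $2 == db) && ($3 == "all" || $3 == user) {
      # "local" lines carry the method in column 4; host lines have an
      # address in column 4 and the method in column 5
      method = ($1 == "local") ? $4 : $5
      print method
      found = 1
      exit
    }
    END { if (!found) print "no-match" }'
}

# Side by side: what a compromised container (uid resolving to role "app")
# can attempt over the socket before and after the change.
show_difference() {
  for db in appdb otherdb; do
    printf 'local %-8s app: before=%s after=%s\n' "$db" \
      "$(hba_match "$HBA_BEFORE" local "$db" app)" \
      "$(hba_match "$HBA_AFTER" local "$db" app)"
  done
  # prints: local appdb    app: before=peer after=scram-sha-256
  #         local otherdb  app: before=peer after=reject
}

# Host-side steps that go with HBA_AFTER (printed, not executed here): a
# least-privilege role, connect rights limited to its own database, reload.
host_side_steps() {
  cat <<'EOF'
# as the host's postgres superuser (password is a placeholder):
psql -c "CREATE ROLE app LOGIN PASSWORD 'change-me' NOSUPERUSER NOCREATEDB NOCREATEROLE"
psql -c "REVOKE CONNECT ON DATABASE appdb FROM PUBLIC"
psql -c "GRANT CONNECT ON DATABASE appdb TO app"
# replace the "local" lines in pg_hba.conf with the HBA_AFTER lines, then:
psql -c "SELECT pg_reload_conf()"
EOF
}
```

Run show_difference to see the before/after matrix; the point of the "local all all reject" line is that a new database added later on the host does not silently become reachable from the container through peer authentication.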