Using Redis to serve data to unsafe docker container
I am making a webapp with Docker. I need to run code made by public users (not safe at all), and I use Redis to push some data between my containers (using a socket shared in a named volume).
How can I forbid unsafe containers to send data to Redis?
My docker-compose.yml:
version: "3"
services:
  redis:
    image: redis:latest
    # fix ownership of the socket directory, then start Redis
    command: >
      sh -c "chown redis /tmp/redis/ &&
      redis-server /usr/local/etc/redis/redis.conf"
    volumes:
      - redis_socket:/tmp/redis
  unsafe_container:
    build:
      context: ./docker
      dockerfile: Dockerfile
    command: python unsafe.py
    volumes:
      - redis_socket:/tmp/redis:ro
    links:
      - redis
    depends_on:
      - redis
  data_in:
    build:
      context: ./docker
      dockerfile: Dockerfile-data
    # wait for the database, then start the data collector
    command: >
      sh -c "python3 /code/manage.py wait_db &&
      python3 /code/manage.py start_dc"
    volumes:
      - redis_socket:/tmp/redis
    links:
      - redis
    depends_on:
      - redis
volumes:
  redis_socket:
If I make a Redis slave, can I set this one to only accept reads from every connection except for the master Redis?
Thanks
EDIT: After some tests, a slave is read-only by default, but I can't connect the slave to the master using a socket. I don't find anything about this feature / issue in the docs.
docker redis
edited Nov 18 '18 at 1:27
asked Nov 18 '18 at 0:26
Bast
1 Answer
Redis replicas are primarily designed to allow high availability, and as such, connect over the network. They do not support UDS connections to the master.
You can, however, use socat to expose a Unix socket as TCP (for example https://serverfault.com/questions/517906/how-to-expose-a-unix-domain-socket-directly-over-tcp).
answered Nov 18 '18 at 18:32
Itamar Haber
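One way to wire up what the answer describes, as an added example that is not part of the original answer: socat turns the master's Unix socket into a TCP endpoint on a private network, a replica syncs through it, and the unsafe container only gets the replica's socket. The socket path /tmp/redis/redis.sock, a master redis.conf that sets port 0, and the names redis-bridge, replica, repl and replica_socket are assumptions.

```yaml
# Added example. Assumed: master socket at /tmp/redis/redis.sock and "port 0"
# in the master's redis.conf. data_in stays exactly as in the question.
version: "3"
services:
  redis:                 # master: reachable only through its Unix socket
    image: redis:latest
    command: >
      sh -c "chown redis /tmp/redis/ &&
      redis-server /usr/local/etc/redis/redis.conf"
    volumes:
      - redis_socket:/tmp/redis
  redis-bridge:          # socat: TCP on the private network -> master socket
    image: alpine/socat
    command: TCP-LISTEN:6379,fork,reuseaddr UNIX-CONNECT:/tmp/redis/redis.sock
    volumes:
      - redis_socket:/tmp/redis
    networks: [repl]
  replica:               # read-only copy, the only Redis the unsafe code sees
    image: redis:latest
    command:
      - sh
      - -c
      - |
        chown redis /tmp/replica
        cat > /tmp/replica.conf <<'EOF'
        port 0
        unixsocket /tmp/replica/redis.sock
        unixsocketperm 777
        replicaof redis-bridge 6379
        replica-read-only yes
        rename-command CONFIG ""
        rename-command REPLICAOF ""
        rename-command SLAVEOF ""
        EOF
        exec docker-entrypoint.sh redis-server /tmp/replica.conf
    volumes:
      - replica_socket:/tmp/replica
    networks: [repl]
  unsafe_container:      # not on "repl", and the master socket is not mounted
    build: {context: ./docker, dockerfile: Dockerfile}
    command: python unsafe.py
    volumes:
      - replica_socket:/tmp/redis:ro
volumes:
  redis_socket:
  replica_socket:
networks:
  repl:
    internal: true
```

The rename-command lines matter because replica-read-only is an ordinary setting that a client with access to CONFIG or REPLICAOF could change; the list is a minimum and does not cover every administrative command.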