You are giving access to the docker socket (/var/run/docker.sock), so this container can create/edit/remove any container from your system, even add, edit, remove volumes or host paths.
I have no idea if you can send modification API commands to a ReadOnly socket. I think you could, in the same way that you can do something with just HTTP-GET. Example: curl --unix-socket /var/run/docker.sock http://localhost/images/json
Doc: https://docs.docker.com/reference/api/engine/version/v1.41/#tag/Container/operation/ContainerInspect
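An audit for the exposure discussed above, as an added example that is not part of the original post: it reads `docker inspect` JSON and lists every container that has the Docker socket mounted, whether or not the mount is `ro`. A read-only bind mount protects the socket file, not the API behind it, so both cases are reported the same way. The container names and the sample JSON are constructed, and `find_socket_mounts` and `report` are hypothetical helper names.

```python
import json

# Host paths where the Docker Engine socket normally lives (/var/run is often a symlink to /run).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample in the shape of `docker inspect <container>...` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/proxy", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
    {"Name": "/ci-agent", "Mounts": [
        {"Type": "bind", "Source": "/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "", "RW": True}]},
    {"Name": "/web", "Mounts": [
        {"Type": "volume", "Name": "webdata",
         "Source": "/var/lib/docker/volumes/webdata/_data",
         "Destination": "/data", "Mode": "z", "RW": True}]},
])


def find_socket_mounts(inspect_json):
    """Return one finding per container mount whose source is the Docker socket."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts") or []:
            if mount.get("Source") in SOCKET_PATHS:
                findings.append({
                    "container": container.get("Name", "").lstrip("/"),
                    "destination": mount.get("Destination"),
                    "read_only_mount": not mount.get("RW", True),
                })
    return findings


def report(findings):
    """Format findings; an ro mount is flagged exactly like an rw one."""
    lines = []
    for f in findings:
        mode = "ro" if f["read_only_mount"] else "rw"
        # ro stops changes to the socket file; a process can still connect and send any request.
        lines.append(f"{f['container']}: docker.sock at {f['destination']} "
                     f"({mode}) -> full Engine API access")
    return lines


if __name__ == "__main__":
    print("\n".join(report(find_socket_mounts(SAMPLE_INSPECT))))
```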