Use systemd unix sockets to expose the db to running job containers

[bloodearnest]

Currently, when we run an ehrql job, we need to give it network access so it can access the db.

We don't want to give it unrestricted access, and the only way to do that is to create a custom docker network, and attach some iptables rules to that, then run the container with that network

This is all a bit complex and brittle, and the failure modes are likely insecure.

Instead, we could leverage systemd socket support and socat to expose the db over a unix socket, which we can then just mount into the ehrql container. There would no need to grant network access container, and we could remove all the docker network and iptables complexity.

Something like this should work:

db-proxy.socket:

Description=TPP db socket

[Socket]
ListenStream=/srv/high_privacy/run/db.socket
SocketUser=opensafely
SocketGroup=opensafely
SocketMode=0660

[Install]
WantedBy=sockets.target

db-proxy.service:

Description=TPP db proxy
Requires=db-proxy.socket
After=db-proxy.socket

[Service]
Type=simple
User=opensafely
Group=opensafely
ExecStart=/usr/bin/socat STDIO TCP:$DB_IP:$DB_PORT
StandardInput=socket

We are moving complexity around here, as we have a forked socat proxying each ehrql db connection. But socat is small, fast and battle tested reliable, so I think it may be a better solution than the current one. And I really like that we control network access via mounting explicit services as sockets, rather than allow but then block of the current approach.

We could also use this approach if we need other network services in containers, e.g. if we want to expose the otel-collector to allow db telemetry, we could just add a new socket proxy and mount that in too: opensafely-core/ehrql#2481

[bloodearnest]

There are a few things we need to check for this to work:

• does the above systemd config work as expected?
• is pymssql able to connect ok to a unix socket?
• what are the overheads? Anecdotally, we'd expect 1-2mb of memory per connection, and <1ms of latency (latency is not really a concern for ehrql usage)

[evansd]

This is a great idea.

I think latency and per-connection overheads are basically irrelevant given our query patterns. The only issue would be resource consumption when pulling down a lot of data over the connection. But, assuming socat doesn't leak memory, I can't see that that would be a problem.

As well as testing pymssql we need to know if trino can support this as well. And I'd want to be confident that it's a reasonably well supported pattern generally as who knows what db libraries we'll need to use in future.

A final question would be whether this pattern would be usable as and when we move to lightweight VMs (Kata Containers or whatever)? I don't know enough about the low level implementation here to think through whether it would still be possible to share host sockets into the guest.

If the answer there is "no" that doesn't mean we shouldn't do it now; but it does slightly change the story I think if it's incompatible with our preferred long term roadmap.

[bloodearnest]

Good point on trino support, that I expect will be a problem.

As for kata, it will depend on how it implements the host filesystem mounting, it does something clever. Will need testing.

Might be could to spike these issues and check if they are blockers sooner rather than later.

[evansd]

Just adding a note here while I think of it that if we go down this route then we'll need to ennure that the configuration of ehrQL's Pledge sandboxing is still sufficient to deny network access. It might be already, but we can't assume so.

[suzannehamilton]

Moving this to Deck Scrubbing to do a proof of concept. The actual implementation will probably need more planning. Could be part of a larger ehrQL initiative, or could be part of RAP phase 3?