How to prohibit access to internals of Docker container?
Solution 1
In short, you cannot prevent your customers from modifying containers they run in their own infrastructure. Containers are not like binaries that can be obfuscated; they are runtime environments. The code you distribute inside the container, however, can be obfuscated.
Your question alludes to a third-party support issue: clients modifying software they run in their own environments. If you provide tools to operate the containers you supply (e.g. monitoring and logging) then the clients should agree (as part of a software license) not to make unauthorized modifications to them. This applies to all types of third-party software, not just containers.
Depending on your situation, you may also have the option to provide your app as Software As A Service (SaaS) running in a cloud infrastructure.
If your client requires your containers be run on their infrastructure, and refuses to abide by modification restrictions, then you probably don't want to try to support their use of your software.
Solution 2
Docker doesn't provide any means to preclude user access to the container; however, as the image developer you could follow a few strategies:
- Obfuscate your software (Ruby, Python, etc.)
- Build your image from a base image that doesn't have a shell or other binaries that the user can use to tamper with the image.
Of course they can always export the container and repackage it but those are extreme measures...
Solution 3
If your client is ready to invest money then you should go with Docker Enterprise Edition. In Docker EE you have one tool, UCP (Universal Control Plane). With UCP you can create roles and access rights and restrict the user from changing/modifying containers.
If you want to test UCP, DDC (Docker Data Center) has a one-month trial license which will help you work things out as per your requirements.
Solution 4
You can remove the users from the docker group and create sudo rules for docker start and docker stop.
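One way to implement the sudo approach from this answer, as an added example that is not part of the original answer or of Docker itself: a small wrapper that is the only command sudo permits, so the user (removed from the docker group) can start and stop whitelisted containers and nothing else. The container names, the install path and the user in the sudoers rule are assumptions, and this only helps where you control the docker host.

```shell
#!/bin/sh
# docker-ctl: sudo target letting an unprivileged user start/stop only
# whitelisted containers. Assumed deployment (not from the page): install as
# /usr/local/sbin/docker-ctl, root-owned, mode 0755, with a sudoers rule like
#   appuser ALL=(root) NOPASSWD: /usr/local/sbin/docker-ctl
# Do NOT grant "docker *" in sudoers: run/exec/cp/commit/export through the
# daemon socket are equivalent to root on the host, which is the reason the
# user was taken out of the docker group in the first place.
set -eu

# Containers the user may control; hypothetical names.
ALLOWED_CONTAINERS="vendor-app vendor-db"

# Only start and stop are exposed; no exec, cp, commit, export, run.
is_allowed_action() {
    case "$1" in
        start|stop) return 0 ;;
        *) return 1 ;;
    esac
}

# Exact match against the whitelist; rejects empty, partial and
# option-looking arguments (e.g. "-v" or "--privileged") outright.
is_allowed_container() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in -*) return 1 ;; esac
    for c in $ALLOWED_CONTAINERS; do
        [ "$c" = "$name" ] && return 0
    done
    return 1
}

# Compose the command to execute; "--" ends option parsing so the
# container name can never be interpreted as a docker option.
build_command() {
    is_allowed_action "$1" || return 1
    is_allowed_container "$2" || return 1
    echo "docker $1 -- $2"
}

main() {
    [ "$#" -eq 2 ] || { echo "usage: docker-ctl start|stop NAME" >&2; exit 2; }
    cmd=$(build_command "$1" "$2") || { echo "denied: $1 $2" >&2; exit 1; }
    # Pin PATH so a caller-controlled PATH cannot substitute its own "docker".
    PATH=/usr/bin:/bin; export PATH
    exec $cmd
}

# Dispatch only when invoked with arguments, so the functions can be sourced.
if [ "$#" -gt 0 ]; then main "$@"; fi
```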
Solution 5
Give your delivery via Ansible scripts. Keep all sorts of restrictions and checks in the Ansible script.
Comments
-
ben almost 2 years
I want to deliver my app to customers in form of docker image. But it is crucial to ensure that end-user do not alter anything inside the container. User should only be able to run/stop the container and interact with the container via network.
Is it possible to prohibit access to internals of container? Is it possible to verify integrity of image that container made from?
-
Admin about 7 years
Unless you do manage the docker host I believe you can't. What problem are you willing to solve by preventing this access?
-
Admin about 7 years
As Tensibai mentions, it depends. If you need to know that the container is unmodified for security reasons, you basically have to run it on your own servers. If you just want to discourage people from modifying it so they don't break things, there probably are ways you could do that. Describing your use case will help here.
-
Dan Cornilescu about 7 years
only possible/effective if you own those servers...
-
Tensibai about 7 years
As with the solution about docker groups, this works only if you do manage the docker host system; OP sounds more like they are distributing an image...
-
earlNameless almost 7 years
How would this prevent access to the container? Try to explain how your proposition would actually solve OP's problem.
-
AjaxLeung almost 6 years
Why are Ruby and Python given as examples for obfuscating code? Code in those languages is usually kept as clear-text source files on the executing OS. Wouldn't it be preferable to use a compiled language like C++, C#, Java, or one which can be "minified" like JS?
-
Michael A. about 4 years
@AjaxLeung sorry for necroposting :)
echo "print('Hello')" > test.pyx; cython test.pyx --embed; gcc -Os -I /usr/include/python3.8/ -o test test.c -lpython3.8 -lpthread -lm -lutil -ldl