How to prohibit access to internals of Docker container?


Solution 1

In short, you cannot prevent your customers from modifying containers they run in their own infrastructure. Containers are not like binaries that can be obfuscated; they are runtime environments. The code you distribute inside the container, however, can be obfuscated.

Your question alludes to a third-party support issue: clients modifying software they run in their own environments. If you provide tools to operate the containers you supply (e.g. monitoring and logging) then the clients should agree (as part of a software license) not to make unauthorized modifications to them. This applies to all types of third-party software, not just containers.

Depending on your situation, you may also have the option to provide your app as Software As A Service (SaaS) running in a cloud infrastructure.

If your client requires your containers be run on their infrastructure, and refuses to abide by modification restrictions, then you probably don't want to try to support their use of your software.

Solution 2

Docker doesn't provide any means to preclude user access to the container; however, as the image developer you could follow a few strategies:

  • Obfuscate your software (Ruby, Python, etc.)
  • Build your image from a base image that doesn't have a shell or other binaries that the user can use to tamper with the image.

Of course they can always export the container and repackage it but those are extreme measures...
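As an added illustration of the second strategy (not code from the answer above), the multi-stage build below produces a final image based on the empty `scratch` base, so the running container contains the service binary and nothing else: no shell, no package manager, no coreutils. It assumes a hypothetical Go module in the build context whose `main` package listens on port 8080.

```dockerfile
# Added example; assumes a Go module (go.mod, go.sum, main.go) in the build context.

# --- stage 1: compile a fully static binary ----------------------------------
FROM golang:1.22 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a static binary with no libc dependency, which is what
# allows it to run on an empty base image. -s -w strip symbols and DWARF
# debug info (a size reduction and mild hardening, not real obfuscation).
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app .

# --- stage 2: empty runtime image --------------------------------------------
FROM scratch
# Ship only what the service needs: the binary and CA roots for outbound TLS.
COPY --from=build /out/app /app
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Numeric UID/GID (nobody/nogroup) so the process does not run as root; a
# numeric USER needs no /etc/passwd inside the image.
USER 65534:65534
EXPOSE 8080
# Exec form: there is no /bin/sh in the image, so shell form would fail.
ENTRYPOINT ["/app"]
```

With this image, `docker exec -it <container> sh` fails because no shell executable exists, which removes the casual "poke around inside" path; as the answer notes, anyone with access to the Docker socket can still `docker export` the container or `docker cp` files out, so this is a deterrent, not a security boundary.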

Solution 3

If your client is ready to invest money, then you should go with Docker Enterprise Edition. In Docker EE you have one tool, UCP (Universal Control Plane). With UCP you can create roles and access rights and restrict the user from changing/modifying containers.

If you want to test UCP, then DDC (Docker Data Center) has a one-month trial license, which will help you to elaborate the things as per your requirements.

Solution 4

You can remove the users from the docker group and create sudo rules for docker start and docker stop.

Solution 5

Make your delivery via Ansible scripts. Keep all sorts of restrictions and checks in the Ansible script.


Updated on September 17, 2022

Comments

  • ben
    ben almost 2 years

    I want to deliver my app to customers in the form of a Docker image. But it is crucial to ensure that end users do not alter anything inside the container. Users should only be able to run/stop the container and interact with it via the network.

    Is it possible to prohibit access to the internals of the container? Is it possible to verify the integrity of the image that the container is made from?

    • Admin
      Admin about 7 years
      Unless you do manage the docker host, I believe you can't. What problem are you willing to solve by preventing this access?
    • Admin
      Admin about 7 years
      As Tensibai mentions, it depends. If you need to know that the container is unmodified for security reasons, you basically have to run it on your own servers. If you just want to discourage people from modifying it so they don't break things, there probably are ways you could do that. Describing your use case will help here.
  • Dan Cornilescu
    Dan Cornilescu about 7 years
    only possible/effective if you own those servers...
  • Tensibai
    Tensibai about 7 years
    As for the solution about docker groups, this works only if you manage the docker host system; OP sounds more like distributing an image...
  • earlNameless
    earlNameless almost 7 years
    How would this prevent access to the container? Try to explain how your proposition would actually solve OP's problem.
  • AjaxLeung
    AjaxLeung almost 6 years
    Why are Ruby and Python given as examples for obfuscating code? Code in those languages is usually kept as clear-text source files on the executing OS. Wouldn't it be preferable to use a compiled language like C++, C#, Java or one which can be "minified" like JS?
  • Michael A.
    Michael A. about 4 years
    @AjaxLeung sorry for necroposting :) echo "print('Hello')" > test.pyx; cython test.pyx --embed; gcc -Os -I /usr/include/python3.8/ -o test test.c -lpython3.8 -lpthread -lm -lutil -ldl