24

I am interested in using Docker to host a project I am helping develop in work. However I have a few questions about it's suitability.

Firstly, I wonder is it at all possible to keep the source code hidden from potential users/customers? Obviously part of Docker's policies is that the code is open, but would there be any way to add permissions to lock out any one other than the designated users/developers?

Secondly, in terms of the product we are developing - certain users may wish to access only one aspect of the product. Is there any way we can add permissions to the docker registry so that customers can access only what they request?

VonC
User588233

2 Answers

8

Not sure if this is needed for the OP, but depending on the context of the question the answer by VonC might be incomplete:

If the project has deliverables that can be shared that are separate from the sources of your project, then you can indeed do what is proposed. For instance, you make an image using a Dockerfile that sets up the system, gets the source code, compiles the project into the deliverables and removes the source (or compile it somewhere else and copy it in). This is a good and safe way to build this package and release it to your customer. This is what @VonC proposes in his answer.

I wanted to add that if you are looking at, for instance, a web system where the code is somewhat hard to separate from the deliverable, it is going to be tricky. This could be the case for a web system like HTML/PHP and the likes.

The thing is, the final image would be the same as a client's server. It is, one way or another, completely accessible and everything on it is readable. So while you do not have to keep sources and your secrets on the system at all if they are not needed, you cannot use Docker as a sort of packaging method to deliver a self-contained system hiding the sources.

So you can NOT lock out anyone from the image; the only thing you can do is make sure that anything that is only needed for compilation of your project is not available on the final image. And this is only a solution if the 'secret' stuff isn't needed after compilation.

Nanne
  • I need to clarify something: for web applications such as PHP & MySQL, could we make Docker run the application, i.e. the web server inside Docker such as Apache, so that it can read, write and execute the application source, while we prevent any other users from getting inside Docker to read or write that source code? Of course, full access to these files could happen by means of a password or something like a sudo user of Docker itself, not of the hosting system. – SaidbakR Feb 27 '18 at 13:14
  • If the user you want to protect against has full access to the server where the container is running, then they can 'enter' the container as root. From there I don't see how you can protect your code, so no. Bottom line is that you should not use Docker as a protection system. Any system that would work for non-Docker would work here, but then there's no need to use Docker (at least, not specifically for this use case). – Nanne Feb 27 '18 at 13:26
  • So do you think, to protect the code, we may use a means of bytecode compilation such as Zend Guard, or encrypt the `public_html` folder? – SaidbakR Feb 27 '18 at 13:39
  • Sure you can, as long as you keep the actual source away from the container. But then it has nothing to do specifically with Docker anymore. Which is not a bad thing per se; it's just the same as if you released it to a private server which your client has full access to. – Nanne Feb 27 '18 at 13:47
5

Docker does not "host a project": it provides the possibility to specify an execution environment (Dockerfile and docker build) and to run it.

The "source" (Dockerfile and the resources like your project sources) doesn't have to be available at all: only the built image must be there in order to docker run it.
That image can be stored in a private registry (docker distribution), and it won't include the sources of your project, but only the deliverables (executables) built from those sources and installed in the image by the Dockerfile directives.

certain users may wish to access only one aspect of the product.

A simple solution is to have:

  • several images (each one with a certain aspect of your product installed in it)
  • several docker image registries (each one accessible to only a certain group of your clients, and including only the relevant image)

Kauê Oliveira asks in the comments the interesting question:

It doesn't prevent anyone from accessing the code once the container is running. You can sh in the container and do whatever you want

You would find a similar debate in "Does container image contains application source code?"

It depends on the application, of course:

  • a compiled one can take advantage of a multi-stage build, and include only the executable
  • an interpreted one could keep sources separated, but still visible and mounted through a volume (so the sources are still visible in the container, but not in the image).

From that thread:

The idea is that your container image has everything needed to run your application and nothing more (or at least as little more as possible).

For example, if you have a Java app, you don’t want to have to ship the full JDK, all build tools and plugins, etc. when, at the end of the day, you only need the final compiled Java code and a JRE.
It reduces your overall image size and your security footprint of the final running app.

And (using an application in PHP, arguably interpreted):

Why not pull the source in from GitHub? Store your credentials as env variables. That way, any random person that pulls your image won't see your code, if that's your concern.

Honestly, though. PHP code doesn't ever seem so complex that you're at a loss as to how some function was done. If someone wants to steal your idea, they're going to do that, regardless of how you try to obfuscate it.

VonC
  • Sure, but it doesn't prevent anyone from accessing the code once the container is running. You can sh into the container and do whatever you want (as Docker always runs in sudo mode). – Kauê Oliveira Nov 25 '22 at 03:45
  • @KauêOliveira *Where* would you look for said code source though? If the Dockerfile did [not `COPY` it](https://docs.docker.com/engine/reference/builder/#copy), it should not be accessible. And inside a container, you are the user specified by the [Dockerfile `USER` directive](https://docs.docker.com/engine/reference/builder/#user), which is not always root. – VonC Nov 25 '22 at 06:49
  • If the Dockerfile didn't copy it, how is it supposed to run, genius? If the application is running, it means the code is inside the image. Plus, setting a local user is used for making the host files accessible from within the container, and has ZERO effect on protecting access, as the Docker process runs as root. – Kauê Oliveira Nov 25 '22 at 07:08
  • @KauêOliveira It depends on the application indeed. If the application is first [*compiled* in a **multi-stage build**](https://docs.docker.com/build/building/multi-stage/), only the resulting executable is copied in the final image. – VonC Nov 25 '22 at 07:12
  • @KauêOliveira I have included your interesting question in the answer for more visibility, as well as a reference to another thread which discusses a similar issue. – VonC Nov 27 '22 at 19:23
  • Thanks for pointing me in this direction. I have looked into the link you provided and did some extra research on multi stage build, and it does seem like a reliable way to assist with hiding the source code. I have a concern though. With multi stage build, each stage is a separate image, which (please correct me if I'm wrong) needs to be present on the server when we up the container, therefore still leaving the source on the server. – Kauê Oliveira Dec 01 '22 at 02:51
  • @KauêOliveira No, any intermediate images can be discarded entirely. Only the last one needs to be published to a Docker registry, and then used by a `docker run` command. – VonC Dec 01 '22 at 06:42