How to disable the root access of a docker container?

Question

We have offshore developers who would like to run our server locally but for security reasons, we do not want to give them the server code. So a solution is that they run a Docker container, which is a self-contained version of our server! So no complicated setup on their side! :)

The problem is that it is always possible to access the Linux shell of the Docker instance as root, thus giving access to the source code.

How is it possible to disable the Docker container a root access? Or how can we isolate our source code from the root access?

How they can execute or use the source code without seeing it? — Robert, May 06 '17 at 00:50
If they got the code, they got the code. Simple as that. Sorry. Docker does _not_ isolate. — johnharris85, May 06 '17 at 03:54
I think its a good question and a common use case. Can anyone suggest alternative workflow that would meet the requirements? — roman, May 06 '19 at 08:30

OscarAkaElvis · Answer 1 · 2017-05-05T22:49:35.403

3

You can modify your container creating a user (foo for example) and assigning to him the right permissions. Then you can run the docker container on docker run command using the arguments -u foo. If you run for example: docker run --rm -ti -u foo myCustomImage sh. This will open the sh shell with the $ instead of #. Of course on your Dockerfile you must create foo user before.

If you want more restrictions like for example to disable some kernel features, you have available since docker 1.10 the seccomp security feature. Check it out:

https://docs.docker.com/engine/security/seccomp/

Using this you can disable and restrict a lot of system features... and easy example to deny the mkdir command. Create a json file like this (name it as sec.json for example):

{
    "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [
                {
                    "name": "mkdir",
                    "action": "SCMP_ACT_ERRNO"
                }
            ]
}

Then run your container doing: docker run --rm -ti --security-opt seccomp=/path/on/host/to/sec.json ubuntu:xenial sh. You can check inside the container you are not able to run mkdir command.

Hope this helps.

edited May 05 '17 at 22:49

answered May 05 '17 at 22:44

OscarAkaElvis

5,384
4
27
51

3

This provides no actual protection for the source code though, as soon as a user has the image, they what's inside the image. – Matt May 06 '17 at 03:38
2

The developers can just choose not to run with seccomp. This is only of use when you control the runtime environment _and_ the image, the OP is only in control of the image. – Dan Lowe May 06 '17 at 04:30
In that case it makes no sense. How to prevent access to something they are controlling? You need at least control of how to run the container and then give access to it for the developers by ssh or however. – OscarAkaElvis May 06 '17 at 09:49
Exactly @OscarAkaElvis, which is why this question is silly :p – johnharris85 May 06 '17 at 15:31

How to disable the root access of a docker container?

1 Answers1

Linked