Preventing access to code inside of a docker container

Question

I am wanting to build a production ready image for clients to use and I am wondering if there is a way to prevent access to my code within the image?

My current approach is storing my code in /root/ and creating a "customer" user that only has a startup script in their home dir.

My Dockerfile looks like this

FROM node:8.11.3-alpine

# Tools
RUN apk update && apk add alpine-sdk

# Create customer user
RUN adduser -s /bin/ash -D customer

# Add code
COPY ./code /root/code
COPY ./start.sh /home/customer/

# Set execution permissions
RUN chown root:root /home/customer/start.sh
RUN chmod 4755 /home/customer/start.sh

# Allow customer to execute start.sh
RUN echo 'customer    ALL=(ALL) NOPASSWD: /home/customer/start.sh' | EDITOR='tee -a' visudo

# Default to use customer
USER customer

ENTRYPOINT ["sudo","/home/customer/start.sh"]

This approach works as expected, if I were to enter the container I won't be able to see the codebase but I can start up services.

The final step in my Dockerfile would be to either, set a password for the root user or remove it entirely.

I am wondering if this is a correct production flow or am I attempting to use docker for something it is not meant to?

If this is the correct, what other things should I lock down?

any tips appreciated!

Your approach won't work. You can run e.g. `docker run --user=root imagename` to supersede `USER` in Dockerfile. — mviereck, Jul 28 '18 at 20:02
`-u 0` will always work, even if `root` isn't in the container's `/etc/passwd`. — David Maze, Jul 28 '18 at 20:15

score 7 · Accepted Answer · answered Jul 28 '18 at 20:06

Anybody who has your image can always do

docker run -u root imagename sh

Anybody who can run Docker commands at all has root access to their system (or can trivially give it to themselves via docker run -v /etc:/hostetc ...) and so can freely poke around in /var/lib/docker to see what's there. It will have all of the contents of all of the images, if scattered across directories in a system-specific way.

If your source code is actually secret, you should make sure you're using a compiled language (C, Go, Java kind of) and that your build process doesn't accidentally leak the source code into the built image, and it will be as secure as anything else where you're distributing binaries to end users. If you're using a scripting language (Python, JavaScript, Ruby) then intrinsically the end user has to have the code to be able to run the program.

Ahhh yep, big oversight! Thanks for taking the time to explain — Dimitrije M, Jul 28 '18 at 20:08
For python script, the code can be compiled to .pyc to hide the source code. — kstn, Jul 25 '22 at 08:59

score 2 · Answer 2 · answered Nov 17 '20 at 18:13

Something else to consider is the use of docker container export. This would allow anyone to export the containers file system, and therefore have access to code files.

I believe this bypasses removing the sh/bash and any user permission changes as others have mentioned.

prabha · Answer 3 · 2020-11-17T06:53:43.163

-1

You can protect your source-code even it can't be have a build stage or state,By removing the bash and sh in your base Image.

By this approach you can restrict the user to not enter into your docker container and Image either through these commands

docker (exec or run) -it (container id) bash or sh.

To have this kind of approach after all your build step add this command at the end of your build stage.

RUN rm -rf bin/bash bin/sh

you can also refer more about google distroless images which follow the same approach above.

edited Nov 17 '20 at 06:53

answered Nov 17 '20 at 06:40

prabha

5
3

1

We can copy the bash again. https://stackoverflow.com/questions/44548607/disable-interactive-mode-in-docker – jasoos Dec 17 '20 at 05:49

score -1 · Answer 4 · answered Nov 17 '20 at 07:03

-1

You can remove the users from the docker group and create sudos for the docker start and docker stop

answered Nov 17 '20 at 07:03

Santosh Suresh

1
2

Preventing access to code inside of a docker container

4 Answers4