
I'm new to using Docker and need to use a lean OpenJDK 17 base-image to create an image of a Java web application and disable the ability of a user to log into a running container.

I've tried to use the amazoncorretto 17 alpine image, which purportedly has shell access disabled.

FROM amazoncorretto:17-alpine3.15
ENTRYPOINT ["java","-jar","/myapp.jar"]

But you can still log in to a container created off of this image using `docker exec -it my-container sh`, which I need to prevent.

What is the best way of accomplishing this? Thanks in advance.

  • You need to uninstall bash/ash/sh if you want to remove exec capabilities – OneCricketeer Sep 19 '22 at 13:43
  • Alternatively, use distroless java... Or, clarify what you mean by "purportedly" – OneCricketeer Sep 19 '22 at 13:44
  • "Disable the user to run into a running container" -- if that user has root and is a competent sysadmin, you can't. Full-stop impossible. Someone with root can use `nsenter` to get into any container they like. Someone with root can add more files to a container even if it _has_ no shell. Remember, the tools that Docker itself is built on top of are all _things that someone with root can do without Docker_. – Charles Duffy Sep 19 '22 at 13:53
  • There's also some discussion of this in [How do I prevent root access to my docker container](https://stackoverflow.com/questions/57731428/how-do-i-prevent-root-access-to-my-docker-container) (TL;DR: you can't). With Java the situation is a little better than purely-interpreted languages since the most an end user could do is extract the jar file, rather than the source code directly (but a true compiled language would be better still). What are you trying to protect against? – David Maze Sep 19 '22 at 14:18

1 Answer


The simplest way would be to remove the sh symlink from the container, with `RUN rm /bin/sh`.

Alpine uses links to busybox for these utilities, and a link can be deleted to remove that functionality:

# ls -l /bin/sh
lrwxrwxrwx 1 root  root 12 Aug  9 08:47 /bin/sh -> /bin/busybox

Any other non-required functionality can be disabled the same way.

BusyBox docs:

BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as.

  • That'll stop `docker exec` from working. It certainly won't stop `nsenter` from working. – Charles Duffy Sep 19 '22 at 13:54
  • @CharlesDuffy `nsenter` is also a symlink to busybox, and can be disabled similarly to sh, by deleting the symlink `/usr/bin/nsenter -> /bin/busybox` – Sep 19 '22 at 13:57
  • You miss the point. `nsenter` can be used _outside_ the container to enter it. It doesn't matter if there's a copy inside the container at all. – Charles Duffy Sep 19 '22 at 13:59
  • ...and while a stock copy of nsenter may not be able to set an arbitrary argv[0], it wouldn't be hard to compile one that can, such that as long as _any_ busybox binary is available, `sh` also remains available. – Charles Duffy Sep 19 '22 at 14:01
  • Thanks for all the answers. @s3vt, I tried this but it actually prevented the container from running on `docker run`. – Mac Sep 20 '22 at 19:26
  • @s3vt What functionalities are the minimum required for the system to run or can I delete the whole folder and run a java app inside the image? – Tim Schwalbe Nov 03 '22 at 11:34
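A fuller version of the answer's approach, added here as an example (it is not code from the question, the answer, or the Corretto image): instead of deleting only /bin/sh, collect every symlink that points at the busybox binary and remove them together with /bin/busybox. The order matters, because find, readlink and rm are themselves busybox applets: the list has to be gathered before anything is deleted, and the deletion has to happen in a single rm process, which keeps running after its own executable has been unlinked. Inside a Dockerfile this has to be the last RUN instruction, since RUN itself executes through /bin/sh -c, and the ENTRYPOINT must stay in exec form as in the question, since the shell form also needs /bin/sh. The script name strip_busybox.sh, the --strip/--demo flags and the fake root layout are assumptions for illustration; the fake root is constructed data, not a real image. As the comments above point out, this only removes the shell inside the image: root on the host can still nsenter the container or copy a shell into it.

```shell
#!/bin/sh
# strip_busybox.sh (hypothetical name): remove BusyBox and every applet symlink
# that points at it, so `docker exec -it <container> sh` has nothing to run.
# Must be the LAST RUN step in the Dockerfile: RUN itself runs via /bin/sh -c.

# Print every symlink under ROOT whose target is the busybox binary.
# Alpine links e.g. /bin/sh -> /bin/busybox; a relative "busybox" target is
# matched as well.
busybox_links() {
  find "$1" -xdev -type l 2>/dev/null | while IFS= read -r link; do
    case $(readlink "$link") in
      busybox|*/busybox) printf '%s\n' "$link" ;;
    esac
  done
}

# Number of busybox applet links under ROOT (0 after a successful strip).
busybox_link_count() {
  busybox_links "$1" | wc -l | tr -d ' '
}

# Delete the applet links and the binary. The list is collected BEFORE the
# first deletion because find, readlink and rm are applets themselves, and one
# rm process does all the unlinking: a running process keeps working after its
# executable has been unlinked, so rm may delete /bin/busybox as well.
strip_busybox_applets() {
  root=${1:-/}
  links=$(busybox_links "$root")
  # $links is deliberately unquoted: one path per line, applet paths have no spaces.
  rm -f $links "${root%/}/bin/busybox"
}

# Constructed fake Alpine-like root for a dry run on any POSIX host.
# The "binaries" are plain text files; only the link layout matters here.
make_fake_alpine_root() {
  root=$(mktemp -d)
  mkdir -p "$root/bin" "$root/usr/bin" "$root/usr/lib/jvm/default-jvm/bin"
  printf 'not a real binary\n' > "$root/bin/busybox"
  printf 'not a real binary\n' > "$root/usr/lib/jvm/default-jvm/bin/java"
  ln -s /bin/busybox "$root/bin/sh"
  ln -s /bin/busybox "$root/bin/rm"
  ln -s busybox "$root/bin/ash"
  ln -s /bin/busybox "$root/usr/bin/find"
  # Not a busybox applet: must survive the strip.
  ln -s /usr/lib/jvm/default-jvm/bin/java "$root/usr/bin/java"
  printf '%s\n' "$root"
}

case ${1:-} in
  --strip) strip_busybox_applets / ;;
  --demo)
    demo_root=$(make_fake_alpine_root)
    echo "before: $(busybox_link_count "$demo_root") busybox links"
    strip_busybox_applets "$demo_root"
    echo "after:  $(busybox_link_count "$demo_root") busybox links"
    [ -L "$demo_root/usr/bin/java" ] && echo "java link kept"
    rm -rf "$demo_root"
    ;;
esac
```

Copy the script into the image and run `sh strip_busybox.sh --strip` as the final RUN instruction, after everything else (COPY of the jar, any apk installs) is done; `sh strip_busybox.sh --demo` runs the same logic against a throwaway fake root on any POSIX system without touching the host. The java symlink in /usr/bin points at the JDK, not at busybox, so the JVM keeps working while sh, ash and the rest of the applets are gone.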