
For my use case I am exposing the Docker remote API (hosted on AWS) publicly so that users can attach their tty (xterm.js) to that of a shell inside Docker containers using WebSockets, as shown here.

Since the API is public, there is nothing preventing the users from running commands on the Docker engine, like stopping or starting other containers, etc.

  1. So how can I prevent users from running commands on the Docker engine?
  2. And, if possible, how can I authenticate the users connecting to a container via the socket?

Abd
  • Please Google "Docker cryptojacking" and consider the possibility that your EC2 instance and your end users' credentials are compromised. You should _never_ make access to the Docker API publicly available since you can trivially use it to root the host. I'd delete the instance as quickly as you can and reconsider your application architecture. – David Maze Oct 11 '22 at 14:59
  • Thank you, David, for your swift response. Is there any way I can make end users access the shell inside Docker without making the Docker remote API public? – Abd Oct 11 '22 at 15:24

1 Answer

OK, I found the solution for the problem. It is possible to expose a Docker shell to external users safely with the help of web terminals like ttyd; there is also a Docker image for ttyd:

tsl0922/ttyd:alpine

And thanks to David for pointing out flaws in my architecture.

✌️

Abd
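
As an added example (not code from the question, the answer or the comments): a Python check for the condition David Maze's comment warns about, a Docker API listener reachable from outside the host. It assumes the listeners are set through the `hosts` key of the daemon's `daemon.json` rather than command-line flags; the sample configurations and the function name are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed daemon.json contents (not taken from the page).
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
LOCAL_ONLY = '{"hosts": ["unix:///var/run/docker.sock", "tcp://127.0.0.1:2375"]}'
MTLS = '{"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": true}'


def audit_daemon_config(text):
    """Return (listener, finding) for each Docker API listener reachable off-host."""
    cfg = json.loads(text)
    tls_verify = bool(cfg.get("tlsverify"))  # daemon requires client certificates
    findings = []
    for host in cfg.get("hosts", []):
        url = urlsplit(host)
        if url.scheme != "tcp":  # unix:// and fd:// are local sockets
            continue
        addr = url.hostname or "0.0.0.0"  # an empty host binds every interface
        try:
            local = ipaddress.ip_address(addr).is_loopback
        except ValueError:  # a name instead of an IP literal
            local = addr == "localhost"
        if local:
            continue
        if tls_verify:
            finding = ("client certificates required, but each valid "
                       "certificate still grants full engine access")
        else:
            finding = ("unauthenticated: anyone who can reach this port "
                       "controls the engine and the host")
        findings.append((host, finding))
    return findings


if __name__ == "__main__":
    samples = (("exposed", EXPOSED), ("local only", LOCAL_ONLY), ("mTLS", MTLS))
    for name, sample in samples:
        results = audit_daemon_config(sample)
        print(name, "->", results or "no off-host listeners")
```

A clean result only covers `daemon.json`; listeners passed to `dockerd` with `-H` and the instance's security group rules need the same review.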