
I am delivering an application demo for a sponsor and my deployment is through docker compose. Mine is IaaS, so I need to deploy my code as a container in their infra. Once I deploy the container he has my code and can use it on his own. So how can I prevent this?

Enabling read-only mode makes the container restart; it is not working.

varun
  • (1) You can't prevent reverse engineering of a container; someone can always just extend it and add bash, or dissect it (decompile contents &c) without trying to run anything inside it at all in the first place. (2) If you don't want people to be able to run bash in your container, don't include bash in the container at all. If you're using a programming language that lets you compile the software you're distributing down to a single executable, start `FROM empty` and generate a container that has that executable and nothing else. – Charles Duffy Feb 13 '23 at 16:21
  • That said, in general, most people who put serious R&D effort into making reverse engineering difficult have their priorities wrong. A great deal of the value of a software product comes from having staff who understand it and are able to support it; a codebase without people who understand it is often worth a lot less than what you expect. Just because it's valuable in _your_ hands doesn't mean it'll have that same value in anyone else's, without you / your staff there to explain/support/extend. (The expensive way to learn this lesson is to try to buy a defunct company's code from their bank) – Charles Duffy Feb 13 '23 at 16:24
  • If you're in a place where you're not one of those "most people" but have some secret sauce that _genuinely_ needs to be protected, don't deliver that secret sauce as part of the container. Keep something critical behind a cloud service, or in a piece of dedicated hardware, or otherwise in a position where it's not running on a general-purpose CPU under someone else's control. – Charles Duffy Feb 13 '23 at 16:29
  • I'll also comment that anyone who can run any `docker` command can trivially get root on the host system, and from there poke around in `/var/lib/docker`; the data there isn't directly usable but if you have distributed your application in an interpreted language it will be fairly easy to pick out. – David Maze Feb 13 '23 at 19:14
  • @CharlesDuffy a multi-stage build cannot help? At least to some extent. – Richard Rublev Feb 13 '23 at 19:15
  • @RichardRublev, a multi-stage build can keep your build tools out of the runtime environment, but anyone competent wouldn't have build tools or source code in the runtime environment in the first place. Sure, it's better not to make big, foolish mistakes; but a competent reverse engineer can do quite a lot even if you _aren't_ making those mistakes. – Charles Duffy Feb 13 '23 at 19:17
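
The advice in the comments above, written out as a build file. This is an added example, not code from the question or from any answer: a multi-stage Dockerfile that compiles a Go service to a single static binary and ships it on `scratch` (the empty base image that the comment calls `FROM empty`), so the runtime layer carries no shell, no build tools and no source. The Go version, the `./cmd/demo` package path and port 8080 are assumptions about the application.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build. The compiler, module cache and source tree live only in
# this stage and are discarded from the final image.
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a static binary with no libc dependency, so it runs
# on an empty base image; -s -w strips the symbol table and DWARF debug
# info, and -trimpath removes local filesystem paths from the binary.
# (./cmd/demo is an assumed package path.)
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/demo ./cmd/demo

# Stage 2: runtime. "scratch" is Docker's name for the empty base image:
# no shell, no package manager, no interpreter, nothing to "docker exec" into.
FROM scratch
# The CA bundle is copied from the build stage so outbound TLS still works;
# drop this line if the service makes no outbound TLS connections.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /out/demo /demo
# Run as an unprivileged numeric uid; there is no /etc/passwd to look a name up in.
USER 65534:65534
EXPOSE 8080
# Exec form is mandatory here: the shell form would try to invoke /bin/sh,
# which does not exist in this image.
ENTRYPOINT ["/demo"]
```

Removing the shell stops casual `docker exec -it <container> sh` poking, and nothing more: as the comments say, whoever runs the host can still export the image and read the binary, so anything genuinely secret should stay out of the container.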

0 Answers