How to disable the root access of a docker container?

We have offshore developers who would like to run our server locally but for security reasons, we do not want to give them the server code. So a solution is that they run a Docker container, which is a self-contained version of our server! So no complicated setup on their side! 🙂

The problem is that it is always possible to access the Linux shell of the Docker instance as root, thus giving access to the source code.

  • Docker performances for getting information: polling vs events
  • Starting new Docker container with every new Bamboo build run and using the container to run the build in
  • How do you start a Docker-ubuntu container into bash?
  • Is there a straight way to get html response from a unix socket in Go (like curl does)?
  • OS Container vs Application Container
  • Not able to use a Dockerfile when using Jenkins CloudBees Docker Custom Build Environment Plugin
  • How is it possible to disable the Docker container a root access? Or how can we isolate our source code from the root access?

  • Docker: unable to execute the mount command inside an ubuntu 16.10 container [duplicate]
  • Docker php excel error (php://output) i/o stream
  • maven-docker-plugin: how to get container ip address
  • Framework auto-scale container docker on AWS
  • go-dockerclient `UploadToContainer` tar examples
  • boot2docker resulting in “Cannot connect to the Docker daemon. Is 'docker -d' running on this host?”
  • One Solution collect form web for “How to disable the root access of a docker container?”

    You can modify your container creating a user (foo for example) and assigning to him the right permissions. Then you can run the docker container on docker run command using the arguments -u foo. If you run for example: docker run --rm -ti -u foo myCustomImage sh. This will open the sh shell with the $ instead of #. Of course on your Dockerfile you must create foo user before.

    If you want more restrictions like for example to disable some kernel features, you have available since docker 1.10 the seccomp security feature. Check it out:

    https://docs.docker.com/engine/security/seccomp/

    Using this you can disable and restrict a lot of system features… and easy example to deny the mkdir command. Create a json file like this (name it as sec.json for example):

    {
        "defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [
                    {
                        "name": "mkdir",
                        "action": "SCMP_ACT_ERRNO"
                    }
                ]
    }
    

    Then run your container doing: docker run --rm -ti --security-opt seccomp=/path/on/host/to/sec.json ubuntu:xenial sh. You can check inside the container you are not able to run mkdir command.

    Hope this helps.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.