How to disable the root access of a docker container?

We have offshore developers who would like to run our server locally but for security reasons, we do not want to give them the server code. So a solution is that they run a Docker container, which is a self-contained version of our server! So no complicated setup on their side! 🙂

The problem is that it is always possible to access the Linux shell of the Docker instance as root, thus giving access to the source code.

  • How to organize containers “horizontally” inside Kubernetes pods?
  • Having Docker image renaming issue
  • pre-cache node_modules in Docker container
  • Docker container write permissions
  • Functional tests with vagrant in docker
  • Keeping a Play framework app running in a Docker container without a pseudo-TTY
  • How is it possible to disable the Docker container a root access? Or how can we isolate our source code from the root access?

  • get IP address of node app running in docker container
  • can't build the docker image with error saying image not found
  • GKE kuberentes uploading yaml file with docker image error
  • How would one specify which containers to start and not to start in docker-compose? (docker run vs docker create)
  • Cannot start container lstat no such file or directory
  • Atomic OS/Core OS for large scale Mesos cluster?
  • One Solution collect form web for “How to disable the root access of a docker container?”

    You can modify your container creating a user (foo for example) and assigning to him the right permissions. Then you can run the docker container on docker run command using the arguments -u foo. If you run for example: docker run --rm -ti -u foo myCustomImage sh. This will open the sh shell with the $ instead of #. Of course on your Dockerfile you must create foo user before.

    If you want more restrictions like for example to disable some kernel features, you have available since docker 1.10 the seccomp security feature. Check it out:

    Using this you can disable and restrict a lot of system features… and easy example to deny the mkdir command. Create a json file like this (name it as sec.json for example):

        "defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [
                        "name": "mkdir",
                        "action": "SCMP_ACT_ERRNO"

    Then run your container doing: docker run --rm -ti --security-opt seccomp=/path/on/host/to/sec.json ubuntu:xenial sh. You can check inside the container you are not able to run mkdir command.

    Hope this helps.

    Docker will be the best open platform for developers and sysadmins to build, ship, and run distributed applications.