How to disable the root access of a docker container?

We have offshore developers who would like to run our server locally but for security reasons, we do not want to give them the server code. So a solution is that they run a Docker container, which is a self-contained version of our server! So no complicated setup on their side! 🙂

The problem is that it is always possible to access the Linux shell of the Docker instance as root, thus giving access to the source code.

How is it possible to disable root access to the Docker container? Or how can we isolate our source code from root access?

One solution collected from the web for “How to disable the root access of a docker container?”

    You can modify your container by creating a user (foo, for example) and assigning it the right permissions. Then you can run the Docker container with the docker run command using the argument -u foo. If you run, for example: docker run --rm -ti -u foo myCustomImage sh, this will open the sh shell with the $ prompt instead of #. Of course, in your Dockerfile you must create the foo user first.

    If you want more restrictions, for example to disable some kernel features, the seccomp security feature has been available since Docker 1.10. Check it out:

    https://docs.docker.com/engine/security/seccomp/

    Using this you can disable and restrict a lot of system features… an easy example is to deny the mkdir command. Create a JSON file like this (name it sec.json, for example):

    {
        "defaultAction": "SCMP_ACT_ALLOW",
        "syscalls": [
            {
                "name": "mkdir",
                "action": "SCMP_ACT_ERRNO"
            }
        ]
    }

    Then run your container with: docker run --rm -ti --security-opt seccomp=/path/on/host/to/sec.json ubuntu:xenial sh. Inside the container you can check that you are not able to run the mkdir command.

    Hope this helps.
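As an added example that is not part of the answer above: a small checker for a Docker seccomp profile like sec.json, which reads both the old single "name" key used in the answer and the "names" list that current Docker profiles use. It shows the check a practitioner would want before relying on the profile: denying only the mkdir syscall leaves mkdirat allowed, and on architectures that have no mkdir syscall (arm64, for instance) libc implements mkdir() with mkdirat, so the deny list should cover both. The `deny` helper and the `check` function are my own names, not Docker's.

```python
"""Inspect a Docker seccomp profile and answer: which syscalls does it deny?"""
import json

# Constructed test input: the sec.json profile from the answer above.
SEC_JSON = """
{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        { "name": "mkdir", "action": "SCMP_ACT_ERRNO" }
    ]
}
"""


def load_profile(text):
    """Parse a seccomp profile from its JSON text."""
    return json.loads(text)


def rules(profile):
    """Yield (syscall, action) pairs. Accepts the old single "name" key
    (Docker 1.10 era) and the newer "names" list, as Docker does."""
    for rule in profile.get("syscalls", []):
        for name in rule.get("names") or [rule["name"]]:
            yield name, rule["action"]


def action_for(profile, syscall):
    """Effective action for one syscall: the action of the rule naming it,
    otherwise defaultAction. (Assumption: profiles here name each syscall
    in at most one rule; Docker rejects conflicting rules anyway.)"""
    for name, action in rules(profile):
        if name == syscall:
            return action
    return profile["defaultAction"]


def check(profile, syscalls):
    """Map each syscall of interest to the action the profile applies."""
    return {s: action_for(profile, s) for s in syscalls}


def deny(profile, *syscalls):
    """Return a deep copy of the profile with extra syscalls denied
    (hypothetical helper; writes the rule in the current "names" form)."""
    out = json.loads(json.dumps(profile))
    out.setdefault("syscalls", []).append(
        {"names": list(syscalls), "action": "SCMP_ACT_ERRNO"})
    return out


if __name__ == "__main__":
    profile = load_profile(SEC_JSON)
    print(check(profile, ["mkdir", "mkdirat"]))      # mkdirat still allowed
    print(json.dumps(deny(profile, "mkdirat"), indent=2))
```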
