I require your help for a specific topic: is it possible to create a “blackbox” container with Docker? I mean, I would like to create a container with a predefined entrypoint (ex: /usr/bin/entrypoint) and impeach the user to define another entrypoint (such as “/bin/bash”, or “/bin/echo ‘0’ > /dev/cpuset/docker/cpuset_cpu_exclusive”).
Is it possible to implement such a container?
If I understand your question correctly, the closest you’ll get is to create a container that only contains a single statically linked binary. Some Go-based application containers are like this. (If you can build a statically-linked Linux binary of your application, then distributing it via Docker has somewhat minimal benefits.)
Remember that the ability to
docker run anything implies unrestricted root access on the host system, the
docker history of an image can be readily inspected, and a sufficiently curious user can create their own Docker image of your image plus, say, Busybox, and see what was in the base layer. It’s pretty tricky to put actually secret things into Docker images.
Thank you for your answer !
If I understand well, I’ll have to implement “artisanal” solutions to complete this objective.
Another question on the same topic : is it possible to automatically encrypt the data present in /var/lib/docker? (so that the user cannot explore the data of the container through this way…)