Docker Community Forums

Share and learn in the Docker community.

Docker container as a black-box


(Bunjee) #1

Hi,

I am new to Docker and recently I started reading about it’s capabilities and I would like to use it for an application that I’m developing.
What I want to do is to start a container and after that I want to restrict any access (even root) to that container so nobody will be able to access and see what’s running inside.
So basically I would like to create a container which acts like a black-box which gets some input and creates some output.

Is it possible to do that with Docker?

Thank you!


(Sam) #2

no, i don’t think so… anyone with access to the docker host would be able to docker exec/inspect into it…

unless you put the docker commands in a special group…(which might cause other problems)


(Bunjee) #3

Thank you very much for the answer.

What problems might cause if I put the docker commands in a special group?
Is there another solution to this that you are aware of?


(David Maze) #4

Anyone with root on the host who’s willing to explore /var/lib/docker can find the contents of the running container (and of the image that backs it). I believe a sufficiently adventurous host-privileged user can even attach a debugger to an arbitrary process and explore its memory space, effectively breaking into a containerized process from outside. (And remember, anyone who can docker run at all has root on the host.)

If you’re merely trying to prevent interactive shell access to your container, depending on what you’re building and how, there’s no particular requirement that a container has to include a shell or other niceties like that. Typically in this case you’d have a compiled statically linked binary as basically the only thing in your Docker image. (A host root user can still run strings on that binary.)


(Bunjee) #5

What I want to achieve is to prevent the host machine (or even better anyone) from accessing the running container. So everything that is used inside the container remains “private” to the outside world.


(Sam) #6

you cannot get to ‘anyone’… system admins will need to have access. to shut it down and restart it at minimum.

as David said, you could eliminate the shell function, so that docker exec or docker attach doesn’t work. but this will make it hard for you if three are troubles (and there are always troubles to deal with)