I am new to Docker and recently I started reading about its capabilities, and I would like to use it for an application that I’m developing.
What I want to do is to start a container and after that I want to restrict any access (even root) to that container so nobody will be able to access and see what’s running inside.
So basically I would like to create a container which acts like a black-box which gets some input and creates some output.
Anyone with root on the host who’s willing to explore /var/lib/docker can find the contents of the running container (and of the image that backs it). I believe a sufficiently adventurous host-privileged user can even attach a debugger to an arbitrary process and explore its memory space, effectively breaking into a containerized process from outside. (And remember, anyone who can docker run at all has root on the host.)
If you’re merely trying to prevent interactive shell access to your container, depending on what you’re building and how, there’s no particular requirement that a container has to include a shell or other niceties like that. Typically in this case you’d have a compiled statically linked binary as basically the only thing in your Docker image. (A host root user can still run strings on that binary.)
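As an added illustration of the shell-less image David describes (this is example configuration, not code from the original thread or from Docker), a multi-stage Dockerfile that compiles a statically linked Go binary and copies only that binary into an empty `scratch` image. The application source in `./main.go`, the image tag `blackbox`, and the UID 65532 are assumptions for the example.

```dockerfile
# Stage 1: build a fully static binary.
# A Go module with main.go in the build context is assumed (example only).
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 drops the libc dependency, so the binary needs no shared
# libraries and can run in an image that contains nothing else.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app .

# Stage 2: the runtime image holds only the binary: no sh, no coreutils,
# no package manager, so `docker exec -it <ctr> sh` has nothing to run.
FROM scratch
COPY --from=build /out/app /app
# Numeric UID/GID: scratch has no /etc/passwd to resolve user names.
USER 65532:65532
ENTRYPOINT ["/app"]
```

Build it with `docker build -t blackbox .` and run it; a subsequent `docker exec -it <container> sh` fails with an "executable file not found" error because the image ships no shell. This only removes the interactive entry point: as the answer above notes, a root user on the host can still read the image layers under /var/lib/docker and run `strings` on `/app`.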
What I want to achieve is to prevent the host machine (or even better anyone) from accessing the running container. So everything that is used inside the container remains “private” to the outside world.
You cannot get to ‘anyone’… system admins will need to have access, to shut it down and restart it at minimum.
As David said, you could eliminate the shell function, so that docker exec or docker attach doesn’t work. But this will make it hard for you if there are troubles (and there are always troubles to deal with).