How to hide mountpoints and host hardware info from a container? What directories are necessary to mount for running game servers in a container?

Hi,
I am trying to run some game servers like FiveM txAdmin, SA-MP, MTA, Minecraft and so on in Docker.
Of the directories that Docker masks/mounts by default, which ones are necessary to mount read-write for running game servers in a container?
Also, I am binding some directories from the host into the container, and when I execute “df -h” in the container I can see which host path the volume is mounted from. How can I hide/mask this information from the container?
Another thing: if I execute “free -m” in the container I get the total memory of the host, while the container was limited to 1 GB of RAM when I created it. Is there a way to hide/correct this to 1 GB? Same thing for the CPU as well.

Another question I have is:
These containers are going to be controlled and accessed by untrusted users. So far I am limiting the volume size with ZFS, running the process inside the container as the “container” user, using “container” namespace remapping, and limiting the usage of RAM, CPU and swap. The PID limit is set to 512; everything else is set to default.
What more steps/configurations do I need to take in order to make the host machine more secure and to limit the unnecessary permissions/access of the container?

A container is just an isolated process on the host. Your questions, though, sound like you expect it to behave like a VM, which it does not.

You already have user namespace remapping in place; as such I expect your application to be started as a restricted user, and your container to be dropping all capabilities and only adding those really required.

If your images support it, you could try to use a read-only filesystem and mount volumes into the folders that handle writes. This will prevent installation of further OS packages. If you combine it with removing every binary that can be used to download files from the internet, you can prevent people from actually downloading and running unwanted binaries in your container.

Note: A container started as --privileged is never secure.

Instead of asking for steps/configuration, isn’t it better to share your compose file, so we can see what can be improved? The problems are usually hidden in parts that users don’t share because they think it’s irrelevant.
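As an added example (not from this thread), a compose service that applies the points above, restricted user, all capabilities dropped, read-only root filesystem with volumes only where writes happen, together with the PID, memory and CPU limits the original poster already uses. The image name, service name, port and volume paths are assumptions.

```yaml
services:
  gameserver:
    image: my-gameserver:latest        # assumed image name
    user: "1000:1000"                  # the unprivileged "container" user created in the image
    read_only: true                    # root filesystem is immutable; writes go only to the mounts below
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m # scratch space that cannot hold executables
    volumes:
      - server-data:/server            # persistent writable paths; nothing else is writable
      - server-logs:/logs
    cap_drop:
      - ALL                            # start from zero capabilities ...
    # cap_add:
    #   - NET_BIND_SERVICE             # ... and add back only what the server demonstrably needs
    security_opt:
      - no-new-privileges:true         # setuid binaries cannot raise privileges
    pids_limit: 512                    # the limit already in use
    mem_limit: 1g
    memswap_limit: 1g                  # equal to mem_limit, so no swap can be used
    cpus: "1.0"
    ports:
      - "8080:8080"                    # assumed port
    restart: unless-stopped

volumes:
  server-data:
  server-logs:
```

With a read-only root, anything the start command writes (config rewrites, logs, downloads) must live under one of the mounted paths or the tmpfs, otherwise it fails at start-up.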

Sure thing.
Here is an example of one of my images; let me know if I can set the filesystems to read-only and how I can do it.

FROM debian:bullseye-slim
ENV port0=8080

# Debian slim images ship without this directory; some packages expect it to exist.
RUN mkdir -p /usr/share/man/man1

# Install build tools and runtime dependencies in one layer. apt-get is the
# scripting-safe front end, and removing the package lists in the same layer
# keeps them out of the image.
RUN apt-get update \
    && apt-get install -y npm build-essential pkg-config git sqlite3 libsqlite3-dev \
        python3 python3-dev ca-certificates dnsutils tzdata zip tar curl \
        libtool iputils-ping screen \
    && useradd -u 1000 -m -d /home/container container \
    && curl -sL https://deb.nodesource.com/setup_lts.x | bash - \
    && apt-get install -y nodejs \
    && rm -rf /var/lib/apt/lists/*

RUN npm install npm@latest -g
# Mark the environment as a container for tools that check /run/systemd/container.
RUN mkdir -p /run/systemd && echo 'docker' > /run/systemd/container
# Empty the apt sources so no packages can be installed at runtime.
RUN echo "" > /etc/apt/sources.list

RUN mkdir -p /server /logs
WORKDIR /server

VOLUME /server
VOLUME /logs
VOLUME /exec

USER container
ENV USER=container HOME=/home/container

# Shell-form CMD: one command chain, wrapped with line continuations.
CMD sed -i "s/8080/${port0}/g" /server/.config/code-server/config.yaml \
    && chmod -R 777 /server/projects \
    && PATH="/server/.local/lib/code-server-4.15.0/bin:$PATH" \
    && chmod +x /server/.local/lib/code-server-4.15.0/bin/code-server \
    && screen -L -Logfile /logs/log.log -S server -d -m sh -c "sh /server/.local/lib/code-server-4.15.0/bin/code-server --user-data-dir /server --config /server/.config/code-server/config.yaml /server/projects" \
    && screen -S server -X colon "logfile flush 0^M" \
    && echo "" > /logs/log.log \
    && screen -d -r server

As @meyay already wrote, you seem to use a Docker container as a replacement for a virtual machine. I wouldn’t choose a container for it either. It’s just choosing one tool and making it look exactly like the other. You also have a CMD instruction which is really not something you should have. A proper CMD instruction is short, uses the “exec form” and runs only one process. That CMD should be in a script and called like this:

CMD ["/start.sh"]

in which you should execute the server command like this at the end:

exec server

so the stop signal can work when you run docker stop. I would never use screen in a container either.

You could use LXD to run containers with an almost full operating system. You could also run virtual machines easily. I have a short tutorial about this:

But I’m also working on a new one. It will be published in days in video and also in a blogpost (I will also install Docker in the VM, but that is not important now).

Thanks for your reply and advice. I didn’t know a tool like LXD existed; I will try it for sure. Thanks again, it’s the perfect tool for me.
Just one thing: why is it that when I run “lxc launch ubuntu:22.04 ubuntu-vm --vm” I get the message that KVM is not supported on the system?
I am running an Ubuntu VM using Hyper-V.

It is because you didn’t enable nested virtualization for the Hyper-V VM.

The best would be if you could run LXD on a physical machine, but if you just want to test it, nested virtualization is required as @meyay suggested. Since an LXD VM is not Docker and not even a container, you may want to check the LXD forum for LXD related questions: https://discourse.ubuntu.com/c/lxd/support/149. It takes some time and activity (reading) before you have the right to create a new topic. Since I have an issue too, I have been looking at the topics more frequently recently.

If you don’t have a Linux host to run LXD VMs, but you have Hyper-V, wouldn’t a Hyper-V VM solve your problem?

You can also try something like Kata Containers (with Docker). I don’t remember how mounts look from inside, but it makes containers small virtual machines. It won’t change how the process starts inside, so you would still need to optimize your CMD, and of course you would still need nested virtualization if you don’t have a physical Linux host.

No, I’m just building my app on top of Hyper-V.
I solved the issue following this tutorial:

Thanks for your suggestions.

Thanks for the solution.