I’m not sure if this is possible but I would like to know if there is a way to lock-down a Docker image/container so that no user can ssh into it to have a poke around.
This is the problem to solve. A user is buying my software to put on their server. I’m planning to pass them a docker image that would run on their system. But my system contains items (not just codes, like models) that are unique to me. Is there a way I can ‘lock-down’ the image/container so that nobody can look into it at all (even me)?
Even if you find a way to look down your container, there is no way to lock down the image. If someone realy wants to know how you image looks like, they can save it as a tar archive, analyze the individual layers, which are nothing else then a tar achive themself + metadata that tells if a file is a new, updates a file from an underlaying layer or delete (actualy hide) a file from an underlaying layer.
Does this mean that there is no way to stop someone from copying the codes/models in the docker and then run them on their own system?
If that is the case, is there a forum or discussion group I can ask in regards to secure my codes for deployment on a client’s servers? I’m using python as my programming language.
This is my understanding. Heck you can even copy files from a running container with
docker cp. I am currious why you think this would be a responsiblility for a container runtime?
If you feel this is a missing feature, go raise an issue ticket on github.
You could add least use the docker store and restrict access to your images to paying customers.
It seems like Docker doesn’t provide any solutions to common problem of “how can I sell my software without people stealing it?” One approach is to run the software yourself and sell SaaS, but I can understand how that might be undesirable.
The other approach is some level of legal and/or technical protection through licensing/copy-protection/obfuscation/DRM, but those aren’t specific to Docker. Here’s a StackOverflow post specific to python.
You can sell your image in the docker store and restrict access to your image to paying customers.
Though, this is not the solution for your question, as the images still remains unprotected.
Docker is more like a deploy system. If you need to lock down some data, you need to do it software side, locking your files with a compression/encryption system, them dockerize and sell.
Quite an effective way may be watermarking. If you’re selling only to identified customers, provide each one a slightly different model. The differences should be subtle - the customer shouldn’t know what exactly is different.
If you then discover illegal distribution of your code, you should be able to tell who leaked it. If the customers are aware of such scheme and they’re at least somewhat reputable/traceable, it can be an effective way of protection without locking anything down.