Needed your kind suggestion to know if there is a workaround to restrict user A from accessing containers created by user B (both users A and B sharing the same host machine). Docker is running as root. I understand this is a Docker feature, was curious to know if this can be solved if I use rootless docker. I have never used rootless docker before and unsure if it can help to isolate users in a host.
Any other workaround too will be highly appreciated.
TIA.
On the other hand, you can take a look at podman, which is a drop-in replacement for docker. Most commands are identical (even the bloody --format options) and as far as I have seen looks like it provides a per user context. For me the most challenging part with it is.
if you want a clean and polished solution: take a look at kubernetes. It does everything you are looking for effortles. Though, the learning curve is steep. While learning Docker is basicly comparible to learning how to ride a children’s balance bike, learning Kubernetes is more like learning to fly multiple types of planes. In this comparision learning Docker Swarm (no, swarm does not solve your problem) would be something like learning how to ride a bike.
Thank you for spending time on this and your suggestions. I will give podman and kubernetes a try, but for my current project, much has been done and deployed with docker. I understand there is no way to restrict users (even if there is a way, that can always be broken as long as docker.sock access is present).
Take a look at Sysbox. It’s a new type of runc that works under Docker and allows you to deploy rootless containers inside of which you can run docker (both the CLI and daemon, and even systemd and k8s too) in total isolation from the underlying host. E.g.,:
docker run --runtime=sysbox-runc -it nestybox/ubuntu-bionic-systemd-docker
deploys such a container. These are not privileged containers, they are protected via the Linux user-namespace (i.e., rootless).
You can deploy multiple of these on the same host and assign them to your users. Users can access them via ssh or maybe by exposing the inner dockerd port to host ports … whatever you think is best. This way each users gets a dedicated docker environment, totally isolated from the host docker and from each other.