Looking for a Workaround to restrict users in a host from accessing containers

sarkarsouvik829 · September 18, 2020, 6:03am

Hi,

Needed your kind suggestion to know if there is a workaround to restrict user A from accessing containers created by user B (both users A and B sharing the same host machine). Docker is running as root. I understand this is a Docker feature, was curious to know if this can be solved if I use rootless docker. I have never used rootless docker before and unsure if it can help to isolate users in a host.
Any other workaround too will be highly appreciated.
TIA.

Regards,
Souvik

meyay · September 23, 2020, 6:57am

As the docker engine always runs as root, there is only a global context. Who ever has granted access to the docker.sock will be able to do whatever they want in this context. Though with GitHub - open-policy-agent/opa-docker-authz: A policy-enabled authorization plugin for Docker. you could restrict what a user is able to do.

On the other hand, you can take a look at podman, which is a drop-in replacement for docker. Most commands are identical (even the bloody --format options) and as far as I have seen looks like it provides a per user context. For me the most challenging part with it is.

if you want a clean and polished solution: take a look at kubernetes. It does everything you are looking for effortles. Though, the learning curve is steep. While learning Docker is basicly comparible to learning how to ride a children’s balance bike, learning Kubernetes is more like learning to fly multiple types of planes. In this comparision learning Docker Swarm (no, swarm does not solve your problem) would be something like learning how to ride a bike.

sarkarsouvik829 · October 1, 2020, 5:31am

Thank you for spending time on this and your suggestions. I will give podman and kubernetes a try, but for my current project, much has been done and deployed with docker. I understand there is no way to restrict users (even if there is a way, that can always be broken as long as docker.sock access is present).

nestybox · October 9, 2020, 9:34pm

Take a look at Sysbox. It’s a new type of runc that works under Docker and allows you to deploy rootless containers inside of which you can run docker (both the CLI and daemon, and even systemd and k8s too) in total isolation from the underlying host. E.g.,:

docker run --runtime=sysbox-runc -it nestybox/ubuntu-bionic-systemd-docker

deploys such a container. These are not privileged containers, they are protected via the Linux user-namespace (i.e., rootless).

You can deploy multiple of these on the same host and assign them to your users. Users can access them via ssh or maybe by exposing the inner dockerd port to host ports … whatever you think is best. This way each users gets a dedicated docker environment, totally isolated from the host docker and from each other.

Hope that helps!