Make a image inaccessible by bash


I’m trying do something but I don’t know if this is possible: I want make a image inaccessible by bash.

If I run a image, I can’t connect to this container by docker exec but I can run a new container from this image in -it mode and connect to it. How can I make my image inaccessible?

I try, using sed in my Dockerfile, change the shell of the users (/bin/bash to /usr/sbin/nologin), but still can connect to it.

I don’t think that’s possible.

Why do you want to do it? What are you trying to protect against?

It’s certainly possible to build an image by creating a static binary and adding only that binary to a FROM scratch image, and then it won’t have a shell at all. Many images based on Go programs are built this way. If you have an image like that, then you can’t really docker exec into it, because there’s nothing to exec.

But, if I have that image, I can write a Dockerfile that starts from that image, adds a copy of Busybox to it, and now I have an image with the binary and a shell. Once I have that I can also do things like docker cp the binary out, and mine whatever I want from it. For that matter, a dedicated attacker can probably find the container’s actual content in /var/lib/docker pretty easily.

@dmaze is correct. If an attacker has Docker access you’re already hosed. You certainly could remove the shells from your images, but it’d arguably be more useful to simply limit what they are capable of, e.g., by ensuring your containers are run as unprivileged users.

Thank you guys for your answers.

I understand. I was thinking that this is not possible, so I wanted a confirmation, and now I have.

My goal was know if a client can distribute his web application to his clients hosted locally. So, look for this environment I think that virtualization is the solution.

Again, thank you!


I would also like to achieve something similar to that. Basically I would like to have an image and then run a container based on that image somewhere on a host but nobody will be able to access it (not even the host as root) .
Did you solve this problem somehow?