Securing container for hosting Java processes

I’m new to Docker and am incredibly excited to dive into this awesome platform.

I’m currently running a hosting service that runs Bukkit Minecraft servers. My goal is to allow users to have FTP access to their server’s files and upload their own Java server plugins.

I have set up a Docker image running the Java JRE. Will I need to take any additional steps to fully secure the container against malicious Java plugins? I’m worried that, with the nature of Java, there may be some exploits that allow someone to “break” out of the Docker container.

Thanks for the help!

Docker won’t do anything to protect you against a user-provided plugin launching a denial-of-service attack from your server. Depending on how your server is set up, user-provided code running in your server process might be able to steal things like your internal database credentials. Depending on the application code, a plugin might be able to snoop on other users’ login information and personal details like email addresses. Docker helps with none of this.

There are a couple of common-but-inadvisable setups (sshd in a container, --privileged containers) that probably would make it straightforward to get an interactive shell, either in the container or on the host.

In short, the setup you describe, where you allow people you don’t trust to send you code and you run it, is incredibly dangerous from a computer security perspective, and no, Docker doesn’t really make it much safer.

As of now, I have a server spinner that launches each sub-process in its respective directory. I was planning on just having the server spinner create a new Docker container for each server that gets started.

Are you saying that, with Java, the user can break completely out of the Docker container? I’m not worried about the untrusted user accessing any info inside the container. I won’t have any credentials placed inside the container itself, but there will be credentials outside of the container, obviously.

It looks like remoteinterview.io successfully uses Docker to create some sort of sandbox environment. I was checking out their https://github.com/remoteinterview/compilebox repository and it looks pretty straightforward.
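
An added example, not part of the original thread or written by any of its participants: a small audit over `docker inspect` output that flags the setups the answer calls inadvisable (`--privileged`, sshd running in the container) and credential-looking environment variables inside a per-server container. The container names, the sample records and the credential name hints are constructed assumptions.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from the thread).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/mc-alice", "Path": "java", "Args": ["-jar", "craftbukkit.jar"],
   "Config": {"Env": ["JAVA_HOME=/opt/java"]},
   "HostConfig": {"Privileged": false}},
  {"Name": "/mc-bob", "Path": "/usr/sbin/sshd", "Args": ["-D"],
   "Config": {"Env": ["DB_PASSWORD=constructed-value"]},
   "HostConfig": {"Privileged": true}}
]
""")

# Assumed naming hints for variables that probably hold credentials.
CREDENTIAL_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")


def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    # Container was started with --privileged.
    if (c.get("HostConfig") or {}).get("Privileged"):
        findings.append("privileged")
    # The container's main process (or one of its arguments) is sshd.
    argv = [c.get("Path") or ""] + list(c.get("Args") or [])
    if any(a.rsplit("/", 1)[-1] == "sshd" for a in argv):
        findings.append("sshd")
    # Report only the variable name, never its value.
    for entry in (c.get("Config") or {}).get("Env") or []:
        name = entry.split("=", 1)[0].upper()
        if any(h in name for h in CREDENTIAL_HINTS):
            findings.append("credential-env:" + name)
    return findings


def audit(records):
    """Map container name -> findings for a list of inspect records."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

To run it against a real host, load the JSON printed by `docker inspect` for the running containers in place of the sample.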