Set password for container when using docker exec

FROM nginx
ARG EXEC_PASSWORD

RUN apt-get update && apt-get install -y passwd \
    && useradd -ms /bin/bash testuser \
    && echo "testuser:${EXEC_PASSWORD}" | chpasswd

USER testuser
COPY html /usr/share/nginx/html

I want anyone who pulls my image and runs a container to have to type a password if they want to use docker exec.

That is not how (OCI/docker) containers work. Containers “virtualize” on process level. Docker exec starts an arbitrary process. It is not a full OS with a login dialog.

If this is a hard requirement, then you will need to look for another technology like LXC, which runs os-level containers, or use a good old vm.

Oh, so I can’t do that, or shouldn’t.
Because I want to block users with insufficient permissions from accessing some commands of my application.
Thanks @meyay


You can’t do it as you would expect it. In fact, LXC has an lxc exec and lxc shell command as well which works the same way, so you don’t need to use a password. But since it runs a full OS, it is easier to configure SSH connection which is possible in a Docker container as well, but usually not recommended. We run a single or just a few processes in the container.

On the other hand, you can manage who has access to the Docker socket and when you execute a command, that command has to go through the API. If you have something that intercepts API calls, you can restrict what can be executed. I’m not sure what happens when you run a bash shell and run other commands in the shell though. What I’m sure you could do is deny using the exec subcommand for the users which they shouldn’t use anyway unless they are debugging.

@rimelek sorry, we are in different time zones, so I am replying to you late.

“What I’m sure you could do is deny using the exec subcommand for the users which they shouldn’t use anyway unless they are debugging”

Can this be done in Docker images or does it have to be configured in the application I use? Can I add an option to the Dockerfile to block the application’s alias, whose name is the cli of the app?

@rimelek wrote about an authz plugin for the docker engine itself. It allows setting policies for resources on the docker API.

This has nothing to do with your image, or a container created from it. It would only apply to your docker host. If you manage to create a policy that only allows using the login command with exec, the user would indeed need to actually log in.
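The exec restriction discussed in the last replies, as an added example that is not part of the thread or of any existing plugin: the decision logic of a Docker authorization plugin that denies exec creation unless the API user is on an allow-list. The `debugUsers` allow-list, the user names and the container name `web` are assumptions; a real plugin would serve this logic on its plugin socket and be enabled on the daemon.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AuthZRequest holds the fields of the daemon's authorization request
// (POST /AuthZPlugin.AuthZReq) that this policy needs.
type AuthZRequest struct {
	User          string `json:"User"`
	RequestMethod string `json:"RequestMethod"`
	RequestURI    string `json:"RequestUri"`
}

// AuthZResponse is the verdict returned to the daemon.
type AuthZResponse struct {
	Allow bool   `json:"Allow"`
	Msg   string `json:"Msg,omitempty"`
}

// "docker exec" first creates an exec instance with
// POST /containers/{id}/exec, optionally prefixed by /v<API version>.
var execCreate = regexp.MustCompile(`^(/v[0-9.]+)?/containers/[^/]+/exec(\?.*)?$`)

// Decide denies exec creation unless the user is in debugUsers (hypothetical
// allow-list). An empty User, as seen without TLS client authentication,
// is never on the list, so exec is denied for it.
func Decide(raw []byte, debugUsers map[string]bool) AuthZResponse {
	var req AuthZRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return AuthZResponse{Msg: "malformed authorization request"} // fail closed
	}
	if req.RequestMethod == "POST" && execCreate.MatchString(req.RequestURI) && !debugUsers[req.User] {
		return AuthZResponse{Msg: "exec is restricted to debug users"}
	}
	return AuthZResponse{Allow: true}
}

func main() {
	debug := map[string]bool{"alice": true} // constructed sample allow-list
	for _, s := range []string{ // constructed sample requests
		`{"User":"alice","RequestMethod":"POST","RequestUri":"/v1.43/containers/web/exec"}`,
		`{"User":"bob","RequestMethod":"POST","RequestUri":"/v1.43/containers/web/exec"}`,
		`{"User":"bob","RequestMethod":"GET","RequestUri":"/v1.43/containers/json"}`,
	} {
		fmt.Printf("%s -> %+v\n", s, Decide([]byte(s), debug))
	}
}
```

Blocking exec creation is enough for this policy, because starting an exec session requires the ID returned by the create call.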