Set password for container when use docker exec

```dockerfile
FROM nginx
ARG EXEC_PASSWORD

RUN apt-get update && apt-get install -y passwd \
    && useradd -ms /bin/bash testuser \
    && echo "testuser:${EXEC_PASSWORD}" | chpasswd

USER testuser
COPY html /usr/share/nginx/html
```

I want anyone who pulls my image and runs a container to have to type a password if they want to use docker exec.

That is not how (OCI/Docker) containers work. Containers “virtualize” on process level. Docker exec starts an arbitrary process. It is not a full OS with a login dialog.

If this is a hard requirement, then you will need to look for another technology like LXC, which runs OS-level containers, or use a good old VM.

Oh, so I can’t do that, or shouldn’t?
Because I want to block users with insufficient permissions from accessing some commands of my application.
Thanks @meyay

You can’t do it as you would expect it. In fact, LXC has an lxc exec and lxc shell command as well which works the same way, so you don’t need to use a password. But since it runs a full OS, it is easier to configure SSH connection which is possible in a Docker container as well, but usually not recommended. We run a single or just a few processes in the container.

On the other hand, you can manage who has access to the Docker socket and when you execute a command, that command has to go through the API. If you have something that intercepts API calls, you can restrict what can be executed. I’m not sure what happens when you run a bash shell and run other commands in the shell though. What I’m sure you could do is deny using the exec subcommand for the users which they shouldn’t use anyway unless they are debugging.

@rimelek sorry, because we are in different timezones, I am responding to you late.

“What I’m sure you could do is deny using the exec subcommand for the users which they shouldn’t use anyway unless they are debugging”

Can this be done in Docker images or does it have to be configured in the application I use? Can I add an option to the Dockerfile to block the application’s alias with the name cli of app?

@rimelek wrote about an authz plugin for the Docker engine itself. It allows setting policies for resources on the Docker API.

This has nothing to do with your image, or a container created from it. It would only apply to your Docker host. If you manage to create a policy that only allows to use the login command with exec, the user indeed would need to actually log in.
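
The API-level restriction discussed in the replies above, sketched as a minimal Docker authorization plugin (an added example, not code from any poster in this thread): it denies exec create and exec start requests unless the caller is on an allow-list. The plugin name `exec-guard`, the user `ops-admin` and the function names are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"log"
	"net"
	"net/http"
	"net/url"
	"regexp"
)

type authzRequest struct { // subset of the JSON the daemon POSTs to /AuthZPlugin.AuthZReq
	User          string // TLS client-certificate CN; empty without TLS client auth
	RequestMethod string
	RequestURI    string `json:"RequestUri"`
}

var execPath = regexp.MustCompile(`^(/v[0-9.]+)?/(containers/[^/]+/exec|exec/[^/]+/start)$`)
var debugUsers = map[string]bool{"ops-admin": true} // hypothetical allow-list of exec users

// decide matches on the decoded path, so percent-encoding cannot hide "exec".
func decide(r authzRequest) (allow bool, msg string) {
	u, err := url.Parse(r.RequestURI)
	if err != nil {
		return false, "unparseable request URI" // fail closed
	}
	if r.RequestMethod == http.MethodPost && execPath.MatchString(u.Path) && !debugUsers[r.User] {
		return false, "docker exec is not permitted for this user"
	}
	return true, ""
}

func handle(w http.ResponseWriter, r *http.Request) {
	var in authzRequest
	out := map[string]interface{}{"Allow": false, "Msg": "malformed request"} // fail closed
	if r.URL.Path == "/Plugin.Activate" {
		out = map[string]interface{}{"Implements": []string{"authz"}}
	} else if json.NewDecoder(r.Body).Decode(&in) == nil {
		allow, msg := decide(in) // same policy for AuthZReq and AuthZRes
		out = map[string]interface{}{"Allow": allow, "Msg": msg}
	}
	json.NewEncoder(w).Encode(out)
}

func main() {
	l, err := net.Listen("unix", "/run/docker/plugins/exec-guard.sock")
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.Serve(l, http.HandlerFunc(handle)))
}
```

The daemon consults the plugin once it is listed under `"authorization-plugins": ["exec-guard"]` in `daemon.json`. The `User` field is only filled in when the daemon authenticates API clients with TLS certificates, so over the plain local socket this policy denies exec to everyone.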