1

I want to use one server to host multiple Docker containers. I want to give another user the ability to manage new Docker containers, but I do not want to give him access to all the other containers which I started, since they may contain sensitive data.

Is there a way to create a secure configuration which doesn't require creating a virtual machine?

noisy
  • 91
  • 6
  • There is no direct option, but try this alternative. FYI: http://jonaskunze.com/restrict-user-to-its-own-container-using-docker/ – sanjayparmar Sep 14 '18 at 07:11

4 Answers

1

Original question: How to allow the user to spin new containers of his own and not access the other containers?

(This was my answer originally but perhaps I misunderstood the question or the question was not so clear, I kept the original solution here anyway)

Docker does not provide this feature on its own but there are multiple ways to do this.

The idea is that docker commands require the user to be in either the sudo or the docker group to run, so if you only want the user to spin up a new container, instead of adding the user to the sudo or docker group, which gives full access to all docker commands, you can whitelist only certain docker commands for that user.

For example if you want to allow user tom to run the following container:

sudo docker container run -it --name ubuntu-tom ubuntu:latest bash

You may add the following line to your sudoers file by running sudo visudo:

tom ALL=NOPASSWD: /usr/bin/docker container run -it --name ubuntu-tom ubuntu:latest bash

This allows user tom to run this particular docker command as root without requiring a password. Any other docker commands remain unavailable to user tom.

Another alternative is to set up a restricted shell, but I will not go into details here.

Updated question: How to limit the user to manage new containers?

I am not aware of a possible solution using Docker only.

It sounds like you need an orchestrator such as Kubernetes or ECS.

This way the orchestrator owns the docker daemon and you can utilize the permission layer provided by the orchestrator. This article provides a great example of restricting user access to a namespace.

Victor Wong
  • 478
  • 4
  • 9
  • That is true, but actually that was not what I had in mind. I edited the question. He should be able to manage containers spun up by himself in any desired way (maybe without using restricted ports). With only `docker run` he would not be able to use docker-compose, which under the hood is using many more docker commands – noisy Sep 13 '18 at 07:24
  • this might be helpful for you - http://jonaskunze.com/restrict-user-to-its-own-container-using-docker/ – sanjayparmar Sep 14 '18 at 05:19
  • @noisy I agree, you need something like Kubernetes or OpenShift. – Michael Hampton Sep 14 '18 at 13:15
1

It should be quite straightforward to run dockerd on a per-user basis and utilize file permissions to separate user access.

Just found a tutorial using systemd templates to get this setup: https://www.jujens.eu/posts/en/2018/Feb/25/multiple-docker/

hargut
  • 3,908
  • 7
  • 10
0

Why don't you implement Portainer? It has many features like user control, a GUI menu and much more, and you don't have to create a user on the server either.


Vijay Muddu
  • 436
  • 2
  • 9
0

The docker API does not have this capability internally; treat direct access to it as a sysadmin-level capability, because it gives users root access to the server. Therefore, to implement this, you'll need to either provide your own indirect access to the API or use another tool that provides this functionality on top of docker.

  1. You can provide a script that is accessed via sudo and which performs all of the security checks on the commands before executing them. The easiest way to implement this would be to add a label on every object created (container, volume, network, etc.), then only return objects matching that filter in any queries and limit the commands run to only objects with those labels. It's non-trivial to write, so I've only seen people go with the later options. However, if the commands and containers being run are very limited, this may be a good enough solution for you.

  2. Kubernetes namespacing provides this functionality, and runs on top of docker. This is a lot to implement, so most people only go this direction if they need a lot more of the functionality that Kubernetes provides.

  3. Various third-party tools exist, some commercial, which handle user access. Portainer and Rancher are two popular ones, but I have no personal experience with these.

  4. Docker provides an enterprise offering with this included called UCP. You can give users docker api/cli access which goes through UCP for RBAC checking before the request is sent to the underlying docker engine.

BMitch
  • 5,966
  • 1
  • 25
  • 32
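A concrete version of the sudo-wrapper approach (Victor Wong's sudoers whitelist and option 1 in BMitch's answer), written here as an added example rather than code from either answer or from Docker: a single root-owned script is the only entry in sudoers; it stamps every container the caller starts with an owner label, filters listings by that label, and checks the label before stopping, removing, inspecting or exec'ing into a container. The install path, the sudoers line, the deny-list of run flags and the fake docker used for testing are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# docker-user-wrapper: illustrative sudo-invoked wrapper around the docker CLI
# (added example, not a supported tool). Everything a user creates is tagged
# with an "owner" label; actions on containers with another owner are refused.
# Assumed, hypothetical install: /usr/local/bin/docker-user-wrapper (root:root 0755)
# and this sudoers line:  tom ALL=(root) NOPASSWD: /usr/local/bin/docker-user-wrapper
# Usage: sudo docker-user-wrapper run -d --name web nginx | ps | exec -it web sh
set -eu

DOCKER=/usr/bin/docker   # absolute path: never trust the caller's PATH

refuse() { echo "refused: $*" >&2; }

# "docker run" options that hand the container the host, another user's
# namespaces or another user's volumes. A deny-list is brittle: review it on
# every docker release, or switch to an allow-list if users' needs are narrow.
is_forbidden_flag() {
    case "$1" in
        --privileged|--pid|--pid=*|--ipc|--ipc=*|--userns|--userns=*|\
        --cap-add|--cap-add=*|--security-opt|--security-opt=*|--device|--device=*|\
        -v|--volume|--volume=*|--mount|--mount=*|--volumes-from|--volumes-from=*|\
        --network=host|--net=host|--network=container:*|--net=container:*|\
        --cgroup-parent|--cgroup-parent=*) return 0 ;;
        -[!-]*) case "$1" in *v*) return 0 ;; esac ;;  # clustered flags such as -itv
    esac
    return 1
}

# check_run_args ARGS... : succeed only if every "run" argument is acceptable.
# Two-token forms (--network host, -l owner=x) are caught via the previous arg.
check_run_args() {
    prev=""
    for a in "$@"; do
        if is_forbidden_flag "$a"; then refuse "option $a is not allowed"; return 1; fi
        case "$prev:$a" in
            --network:host|--net:host|--network:container:*|--net:container:*)
                refuse "joining the host or another container's network"; return 1 ;;
            --label:owner=*|-l:owner=*) refuse "the owner label is reserved"; return 1 ;;
        esac
        case "$a" in
            --label=owner=*|-lowner=*) refuse "the owner label is reserved"; return 1 ;;
        esac
        prev="$a"
    done
    return 0
}

# container_owner NAME : print the owner label of a container, empty if it has
# none or does not exist.
container_owner() {
    "$DOCKER" inspect -f '{{ index .Config.Labels "owner" }}' "$1" 2>/dev/null || true
}

# assert_owned OWNER NAME : succeed only if NAME carries the label owner=OWNER.
assert_owned() {
    if [ -z "$1" ] || [ "$(container_owner "$2")" != "$1" ]; then
        refuse "container '$2' is not owned by '$1'"; return 1
    fi
}

# first_positional ARGS... : print the first non-flag argument. Flags that take
# a value must be written --flag=value for this to pick the right one.
first_positional() {
    for a in "$@"; do
        case "$a" in -*) ;; *) printf '%s\n' "$a"; return 0 ;; esac
    done
    return 1
}

main() {
    owner="${SUDO_USER:?must be invoked through sudo}"
    sub="${1:-}"; [ $# -eq 0 ] || shift
    case "$sub" in
        run)  # stamp every container the user starts with its owner
            check_run_args "$@"
            exec "$DOCKER" run --label "owner=$owner" "$@" ;;
        ps)   # listings only ever show the caller's own containers
            exec "$DOCKER" ps --filter "label=owner=$owner" "$@" ;;
        stop|start|restart|kill|rm)  # every positional must be an owned container
            for a in "$@"; do
                case "$a" in -*) ;; *) assert_owned "$owner" "$a" ;; esac
            done
            exec "$DOCKER" "$sub" "$@" ;;
        logs|inspect|top|exec)       # the first positional is the container
            name="$(first_positional "$@")" || { echo "usage: $sub [flags] NAME ..." >&2; exit 2; }
            assert_owned "$owner" "$name"
            exec "$DOCKER" "$sub" "$@" ;;
        *)    # everything else (build, cp, volume, network, ...) is denied by default
            refuse "subcommand '$sub' is not permitted"; exit 2 ;;
    esac
}

# Dispatch only when installed under the expected name, so the functions can
# be sourced and exercised without running docker.
case "${0##*/}" in docker-user-wrapper) main "$@" ;; esac
```

The script relies on sudo's default env_reset, so the caller cannot point DOCKER or PATH elsewhere, and on SUDO_USER, which sudo sets to the invoking account. Two limits follow from the thread itself: the flag deny-list must be revisited whenever the docker CLI grows (a bind mount of / or a shared PID namespace is root on the host, as BMitch notes), and, as noisy's comment observes, docker-compose talks to the daemon socket directly and would not pass through a wrapper like this at all.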