0

I would like to run a Docker or LXC container but restrict access to the container itself. Specifically, is it possible to prevent even the root (root on the host) from accessing the container? By access, I mean SSH into the container, tcpdump the tx/rx puts to the container, profiling the application, etc.

Thanks!

NetCubist

1 Answer

1

It is not possible to effectively restrict a privileged user on the host from inspecting or accessing the container. If that were the case, it's hard to imagine how it would be possible for the root user to even start the container in the first place.

In general, it's useful to remember that containerization is used to confine processes to a restricted space: it's used to keep a process from getting out to the host, not to prevent other processes from getting in.

Tim Pierce
  • Agreed that containerization is essentially to contain a process from getting out. What I am wondering is if it is possible to use some sort of access control within the container to restrict access including that from the privileged user. It is fine for the root to launch/delete the container but I would like to restrict access to the contents of the container itself and the data passing in and out of the container. – NetCubist Dec 19 '13 at 06:44
  • It's really not going to be feasible. Look at it this way: the container's entire filesystem is accessible to the root user on the host machine. No matter what protections you put in place, the root user can still insert files into the container before starting it (such as a new SSH key), and run it. All of the data that passes in or out of the container passes through the host, which means that the superuser can intercept it. I don't see any way to do what you're asking. – Tim Pierce Dec 19 '13 at 07:10
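
Added example, not part of the original answer or comments: container processes are ordinary processes in the host's `/proc`, which is why host root can always see them. This Python sketch maps host PIDs to container IDs and in-container PIDs; the Docker/LXC cgroup path patterns are assumptions about common layouts, and the sample data is constructed.

```python
import re
from pathlib import Path

# Assumed cgroup path layouts: Docker "/docker/<id>" or "docker-<id>.scope",
# LXC "/lxc/<name>" or "/lxc.payload.<name>".
_DOCKER = re.compile(r"docker[-/]([0-9a-f]{64})")
_LXC = re.compile(r"/lxc(?:\.payload\.|/)([^/\s]+)")

SAMPLE_ID = "3f" * 32  # constructed container id
SAMPLE_CGROUP = f"12:memory:/docker/{SAMPLE_ID}\n11:pids:/docker/{SAMPLE_ID}\n"  # constructed
SAMPLE_STATUS = "Name:\tnginx\nPid:\t4242\nNSpid:\t4242\t1\n"  # constructed

def container_of(cgroup_text):
    """Return ('docker'|'lxc', id) from /proc/<pid>/cgroup content, else None."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)  # "hierarchy-id:controllers:path"
        if len(parts) != 3:
            continue
        m = _DOCKER.search(parts[2])
        if m:
            return ("docker", m.group(1))
        m = _LXC.search(parts[2])
        if m:
            return ("lxc", m.group(1))
    return None

def pid_inside(status_text):
    """PID as seen in the innermost PID namespace (NSpid line), else None."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return int(line.split()[-1])
    return None

def scan(proc=Path("/proc")):
    """List (host_pid, runtime, container_id, pid_inside) seen from the host."""
    found = []
    for d in proc.iterdir():
        if not d.name.isdigit():
            continue
        try:
            c = container_of((d / "cgroup").read_text())
            if c:
                found.append((int(d.name), *c, pid_inside((d / "status").read_text())))
        except OSError:  # process exited mid-scan or is unreadable
            continue
    return found

if __name__ == "__main__":
    print(container_of(SAMPLE_CGROUP), pid_inside(SAMPLE_STATUS))
    if Path("/proc").is_dir():
        print(scan())
```

Any data that must stay hidden from host root therefore has to be protected outside the container boundary, since the host sees each container process under its own PID.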