7

I was wondering if it is possible to offer Docker images, but not allow any access to the internals of the built containers. Basically, the user of the container images can use the services they provide, but can't dig into any of the code within the containers.
Call it a way to obfuscate the source code, but also offer a service (the software) to someone on the basis of the container, instead of offering the software itself. Something like "Container as a Service", but with the main advantage that the developer can use these container(s) for local development too, but with no access to the underlying code within the containers.

My first thought is, the controller of the Docker instances controls everything down to root access. So no, it isn't possible. But I am new to Docker and am not aware of all of its possibilities.

Is this idea in any way possible?

VonC
m8a
    That is no different from offering any other binary download. Maybe not easy to peek inside, but since people need to run the code on their machines, they could poke around (with disassemblers, and tracers, and debuggers) and you cannot really hide anything. – Thilo May 06 '16 at 05:39

2 Answers

4

An obfuscation-only solution would not be enough, as "Encrypted and secure docker containers" details.

You would need full control of the host your containers are running on in order to prevent any "poking". And that is not the case in your scenario, where a developer does have access to the host (i.e. his/her local development machine) where said container would run.

Community
VonC
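Why the image format itself hides nothing, as an added example that is not part of the answers on this page: an image exported with `docker save` is a tar archive whose `manifest.json` lists layer tarballs, so a publisher can run this check to see exactly which files an image hands to whoever receives it. The sample archive, its file names and the `API_KEY` value are constructed for illustration, and whiteout entries for deleted files are not handled.

```python
import io
import json
import tarfile


def _tar_bytes(files):
    """Build an in-memory tar from {name: bytes} (used only for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save` output: manifest.json plus one layer tar."""
    layer = _tar_bytes({
        "app/server.py": b"def price(x):\n    return x * 1.2\n",
        "app/settings.env": b"API_KEY=constructed-example\n",
    })
    manifest = [{"Config": "config.json", "RepoTags": ["example/app:1.0"],
                 "Layers": ["layer0/layer.tar"]}]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "layer0/layer.tar": layer,
    })


def list_image_files(image_bytes):
    """Return {path: content} for every regular file in every layer of a saved image."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_path in entry["Layers"]:
                layer_data = image.extractfile(layer_path).read()
                with tarfile.open(fileobj=io.BytesIO(layer_data), mode="r:*") as layer:
                    for member in layer.getmembers():
                        if member.isfile():
                            # A later layer's copy replaces an earlier one in this dict.
                            found[member.name] = layer.extractfile(member).read()
    return found


if __name__ == "__main__":
    for path, content in list_image_files(build_sample_image()).items():
        print(f"{path}: {len(content)} bytes")
```

Source files and configuration values come out byte for byte, which is why anything that must stay private has to live on a host the publisher controls rather than inside the image.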
0

What is done sometimes is to have some piece of "core" code to run on a remote location (remote server, USB device), in a way that the external piece of code on the one hand can do some client authentication but also and more importantly run some business core code in order to guarantee that the externally located code "has" to be executed to have the things done. If it were only some check that is not actually core code, a cracker could just override it and avoid calling it on the client side. But if the code is actually required to be run and it's not, then the software won't be able to finish its processing. Of course there is an overhead for all of this, both in complexity and probably computation times, but that's one way you could deploy something that will unfailingly be required to contact your server/external device.

Regards, Eduardo

drakorg