2

I'd have thought this has been asked before, but I've done lots of Googling and cannot find a simple answer, so sorry if this has already been answered.

Essentially, I'm planning to offer a service which allows users to run docker containers on my docker hosts. The user can choose one of my provided containers or provide their own (unaudited). They can also run bash commands of their choice within their container. I need them to be restricted to only running code within their container and be unable to access the host or any other concurrently running containers. The containers should be allowed full access to the internet and the host will need to have a shared directory with the container. I'll be providing some data files to the docker container initially and once the container has done whatever the user wants it to, I'll need to access the data files again at that point.

What do I need to be careful of from a security point of view? Thanks for your help.

Improve this question
1

1 Answer 1

Reset to default
2

The default CLI to run a container in Docker should be secure from the context of a container command restricted from doing anything outside of the container on the host.

What you need to take care with is any options passed to that command. If a user has access to the docker CLI itself, they can control the host (e.g. docker run -v /:/target debian /bin/bash will give a root shell with access to the host filesystem at /target, where they can modify /etc/passwd, or any other file on the machine).

The only thing containers don't prevent by default is a DoS attack where the container could fork bomb your server. For that, you'll want to look into memory and cpu limits that can be added as part of your run command.

Improve this answer
0

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.