Hacker News new | ask | show | jobs
by LinuxFreedom 3346 days ago
Meanwhile, is there a way to restrict Dockerfiles, e.g. not allowing users to be root in the container?

I had the impression that this technology was only usable for the "single user machine" use-case, as too many bad things might happen in true multi-user environments - what is quite limiting in a unix world where we are used to multi-user reality since a long time - it was disturbing to see that such a successful tec seemed to ignore that.

However, I am really happy for any updates on this issue, I did not follow Docker development too much, so punish me when I am totally wrong!
2 comments
technofiend 3346 days ago
http://www.infoworld.com/article/3030558/application-virtual...

https://docs.docker.com/engine/installation/linux/linux-post...

link
raesene9 3346 days ago
Yep you can limit docker in a number of ways, to restrict what can be run in containers.

Using user namespace support, root in a container is mapped to a non-root high UID user outside the container.

You can also use cgroup support to limit the resources used by an individual container.

There's quite a few recommendations in the Docker CIS security guide that can be helpful for locking down an installation

https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1...

link