保护Docker文件系统访问 [英] Protecting docker filesystem access

问题描述

我们在开发过程中使用了docker，并且一切正常.我们的软件是用PHP编写的，并使用MySQL，Apache和许多框架和库进行了docker化.

We use docker during development and everything works well. Our software is written in PHP and dockerized with MySQL, Apache and a lot of frameworks and libraries.

对于某些客户，我们希望运送docker映像，以便他们进行测试，评估和使用.使用docker映像，他们只需要调试容器并获得完全安装和配置的系统-非常简单！

For some of our customers we want to ship docker images in order to let them test, evaluate and use it. Using docker images they just need tun run the container and get a fully installed and configured system - very easy!

但是:我们如何仅通过附加到docker或在容器内制作一些执行程序来避免客户看到我们的代码?

But: How can we avoid customers seeing our code by simply attaching to docker or making some execs inside the containers?

是否有一些技术可以完全锁定对容器内部文件系统的各种访问?我们只是想通过ssh来访问我们的软件.

Are there techniques to completely lock down every kind of access to the filesystem inside a container? We just like to get access via ssh to our software.

推荐答案

使用 docker run 命令可以在运行时覆盖几乎所有与映像构建有关的内容.因此，他们甚至不需要执行 exec ，他们只需覆盖 cmd 或 entrypoint 即可进行bash或其他操作.只要客户有您的代码(甚至已编译/加密等)，他们就会拥有您的代码.如果这确实很重要，请考虑使用SaaS模型.

It is possible to override almost everything about the construction of an image at runtime using the docker run command. So they wouldn't even need to do exec, they could just override cmd or entrypoint to bash or whatever. Anytime a customer has your code (even compiled / encrypted / etc...) they have your code. If this is really a big deal, think about a SaaS model.

这篇关于保护Docker文件系统访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！