I am interested in using Docker to host a project I am helping develop at work. However, I have a few questions about its suitability.
Firstly, I wonder whether it is at all possible to keep the source code hidden from potential users/customers? Obviously part of Docker's policies is that the code is open, but would there be any way to add permissions to lock out anyone other than the designated users/developers?
Secondly, in terms of the product we are developing - certain users may wish to access only one aspect of the product. Is there any way we can add permissions to the docker registry so that customers can access only what they request?
You can package it in a docker image, and it might make deployment easier to many customers, but it won't protect your code.
A Docker image is an immutable (unchangeable) file that contains the source code, libraries, dependencies, tools, and other files needed for an application to run.
Conclusions. Docker containers are, by default, quite secure; especially if you run your processes as non-privileged users inside the container. You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.
Not sure if this is needed for the OP, but depending on the context of the question, the answer by VonC might be incomplete:
If the project has deliverables that can be shared and that are separate from the sources of your project, then you can indeed do what is proposed. For instance, you make an image using a Dockerfile that sets up the system, gets the source code, compiles the project into the deliverables and removes the source (or compiles it somewhere else and copies it in). This is a good and safe way to build this package and release it to your customer. This is what @VonC proposes in his answer.
I wanted to add that if you are looking at, for instance, a web system where the code is somewhat hard to separate from the deliverable, it is going to be tricky. This could be the case in a web system like HTML/PHP and the like.
The thing is, the final image would be the same as a client's server. It is, one way or another, completely accessible and everything on it is readable. So while you do not have to keep sources and your secrets on the system at all if they are not needed, you cannot use Docker as a sort of packaging method to deliver a self-contained system that hides the sources.
So you can NOT lock out anyone from the image; the only thing you can do is make sure that anything that is only needed for compilation of your project is not available on the final image. And this is only a solution if the 'secret' stuff isn't needed after compilation.
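The build-then-strip approach described in this answer and in VonC's can be expressed as a multi-stage Dockerfile, as in this added example (not code from either answerer): the sources are copied only into a throw-away builder stage, and the final image receives nothing but the compiled binary. The Go project layout, the `golang` and distroless base images and the output paths are assumptions for illustration.

```dockerfile
# Stage 1: build environment. Sources enter this stage only.
# (hypothetical Go project with its entry point under ./cmd/app)
FROM golang:1.22 AS builder
WORKDIR /src
# Copy the project sources into the builder stage
COPY . .
# Produce a single static executable; only this file is shipped
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

# Stage 2: runtime image. It starts from a fresh base, so none of the
# builder's layers (and therefore none of the sources) are part of it.
# (distroless static base with a non-root user is an assumption)
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /out/app /app
# Run the service as an unprivileged user, per the Docker security note above
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

The point of using two stages rather than a single stage with `RUN rm -rf /src` at the end is that a deletion in a later layer does not remove the files from the earlier layer in which they were added; anyone with the image can still read them from that layer. As the answer above notes, this only helps when the deliverable is a compiled artifact; for interpreted code such as PHP the runtime needs the source itself, and it remains readable in the final image.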
Docker does not "host a project": it provides the possibility to specify an execution environment (Dockerfile and docker build) and to run it.
The "source" (Dockerfile and the resources like your project sources) don't have to be available at all: only the built image must be there in order to docker run it.
That image can be stored in a private registry (docker distribution), and it won't include the sources of your projects, but only the deliverables (executables) built from those sources and installed in the image by the Dockerfile directives.
certain users may wish to access only one aspect of the product.
A simple solution is to have: