4

When you run Docker containers, you can list the running containers with `docker ps`.

Then you can attach to one with `docker attach <container id>`.

The trouble is that anyone who can attach to the running container at the same time as you will see what you are doing. That could be cool for online courses, but it is not very nice at work.

How can I prevent that?

schroeder
aurelien

2 Answers

6

If a user on a Docker Engine host has rights to execute docker commands (either through sudo privileges or through membership of the docker group), there is no way (with the base Docker product) of restricting them from attaching to containers running on the host.

Effectively, providing docker access is the same as providing root on the host.

So to prevent it, the key is: don't let other users have rights to run docker commands on that host.

Rory McCune
2

Docker subcommands using sudo

One solution is to provide them with selected docker commands via sudo, and not provide `docker attach` or `docker run`.

You can restrict them to running only `docker ps`.

Please see the documentation or man page of sudo for how to provide only the subcommands that you want to allow to users. Providing docker access using sudo is the recommended method anyway, instead of putting users in a docker group straight away.

Example:

Either run visudo or create a file under /etc/sudoers.d/<username>, and add a line for each command you need to allow. (This is kind of rough; in production I suppose you will be managing the sudo config with a configuration management tool like Puppet, Chef or Ansible, which will do this for you once you write the config code.)

<user_account> ALL=(root) NOPASSWD: /usr/bin/docker ps


Note: I had such a use case where an automated bot user needed only the `docker pull` command, so I restricted that account to running `docker pull` only, through sudo. This approach ensures:

  • availability (provide what is needed)

  • the principle of least privilege

Ijaz Ahmad
    This is an interesting idea, but probably important to recognize that it has limitations, as the sudo command doesn't understand the operation of the underlying Docker daemon. Whilst restricting a user to a single command seems like it would work (e.g. `docker ps`) as soon as you allow `docker run` in any form, all bets are likely off (absent other controls like user namespacing) – Rory McCune Oct 17 '18 at 08:41
  • Yes, one needs to be careful when allowing some commands – Ijaz Ahmad Oct 18 '18 at 10:09
  • Thanks for the details, that is really helpful – aurelien Feb 10 '19 at 05:44
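The sudoers approach in the answer above, together with Rory McCune's caveat that sudo only matches the command line and knows nothing about what the Docker daemon will do with it, suggests a simple review check before such a fragment is deployed. The script below is an added example, not code from the answer or from the sudo or Docker projects: it scans a sudoers fragment in the form the answer shows and gives each rule a verdict. A bare `/usr/bin/docker`, `ALL`, or a subcommand such as `run`, `exec`, `attach`, `cp`, `create` or `commit` is flagged `deny` (root-equivalent, as both answers state); a wildcard argument or an unlisted subcommand is flagged `review`; an exact `docker ps`-style invocation is `ok`. The subcommand lists and the sample fragment (user names alice to frank) are constructed for the demo, and the line parser is deliberately minimal, handling only the `user host=(runas) [TAG:] cmd, cmd` shape.

```shell
#!/bin/sh
# Added example: audit a sudoers fragment for Docker rules that grant more
# than the intended read-only subcommand. Constructed sample input mimicking
# the /etc/sudoers.d/<username> file from the answer; the names are made up.
SAMPLE_SUDOERS="$(cat <<'EOF'
# constructed sample fragment
alice ALL=(root) NOPASSWD: /usr/bin/docker ps
bob   ALL=(root) NOPASSWD: /usr/bin/docker ps, /usr/bin/docker pull *
carol ALL=(root) NOPASSWD: /usr/bin/docker
dave  ALL=(root) NOPASSWD: /usr/bin/docker run *
erin  ALL=(root) NOPASSWD: /usr/bin/docker exec -it *
frank ALL=(root) NOPASSWD: /usr/bin/docker ps -a
EOF
)"

# Verdict for one command spec (e.g. "/usr/bin/docker ps"):
#   deny   - root-equivalent control of the daemon (bare binary, ALL, or a
#            subcommand that can start or enter containers / touch host files)
#   review - wildcard argument or a subcommand not on the allow list
#   ok     - exact invocation of an allow-listed subcommand; sudo matches the
#            argument string literally, so "docker ps -a" does not permit
#            "docker ps", and vice versa
# Both subcommand lists are illustrative assumptions, not an official list.
docker_cmd_verdict() {
    spec=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$spec" in
        ALL) echo deny; return ;;            # any command at all
        */docker) echo deny; return ;;       # bare binary: every subcommand
        *"/docker "*) ;;                     # docker with arguments: inspect them
        *) echo review; return ;;            # not a docker rule; out of scope here
    esac
    rest=$(printf '%s' "${spec#*/docker}" | sed 's/^[[:space:]]*//')
    sub=${rest%% *}
    case "$sub" in
        run|exec|attach|cp|create|commit) echo deny; return ;;
    esac
    case "$rest" in
        *\**) echo review; return ;;         # sudo wildcards match across spaces
    esac
    case "$sub" in
        ps|images|version|info|pull) echo ok ;;
        *) echo review ;;
    esac
}

# Verdict for a whole sudoers line: the worst verdict among its commands.
rule_verdict() {
    line=$1
    case "$line" in
        *:*) cmds=${line##*:} ;;             # after a tag such as NOPASSWD:
        *\)*) cmds=${line##*\)} ;;           # no tag, but a (runas) part
        *) cmds=${line#*=} ;;                # neither: everything after host=
    esac
    worst=ok
    saved_ifs=$IFS
    set -f                                   # keep '*' in specs from globbing
    IFS=,
    for spec in $cmds; do
        v=$(docker_cmd_verdict "$spec")
        case "$v:$worst" in
            deny:*) worst=deny ;;
            review:ok) worst=review ;;
        esac
    done
    IFS=$saved_ifs
    set +f
    echo "$worst"
}

# Read a fragment on stdin, print "<verdict><TAB><line>" for each rule.
audit_sudoers() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;             # blank lines and comments
        esac
        printf '%s\t%s\n' "$(rule_verdict "$line")" "$line"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run against a real fragment with `audit_sudoers < /etc/sudoers.d/<username>` (as a user who can read it), and treat every `deny` as equivalent to having put the account in the docker group. The check is a screen for the obvious cases only; `visudo -c` still validates the syntax, and `sudo -l -U <user>` shows what sudo itself believes the account may run.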