New to docker, is it possible to protect my source code and add permissions?

User588233 · Nov 27, 2015 · Viewed 9.2k times

I am interested in using Docker to host a project I am helping develop in work. However, I have a few questions about its suitability.

Firstly, I wonder is it at all possible to keep the source code hidden from potential users/customers? Obviously part of Docker's policies is that the code is open, but would there be any way to add permissions to lock out anyone other than the designated users/developers?

Secondly, in terms of the product we are developing - certain users may wish to access only one aspect of the product. Is there any way we can add permissions to the docker registry so that customers can access only what they request?

Answer

Nanne · Nov 27, 2015

Not sure if this is needed for the OP, but depending on the context of the question the answer by VonC might be incomplete:

If the project has deliverables that can be shared that are separate from the sources of your project, then you can indeed do what is proposed. For instance, you make an image using a Dockerfile that sets up the system, gets the source code, compiles the project into the deliverables and removes the source (or compile it somewhere else and copy it). This is a good and safe way to build this package and release it to your customer. This is what @VonC proposes in his answer.

I wanted to add that if you are looking at, for instance, a web system where the code is somewhat hard to separate from the deliverable, it is going to be tricky. This could be the case for a web system like HTML/PHP and the like.

The thing is, the final image would be the same as a client's server. It is, one way or another, completely accessible and everything on it is readable. So while you do not have to keep sources and your secrets on the system at all if they are not needed, you cannot use Docker as a sort of packaging method to deliver a self-contained system hiding the sources.

So you can NOT lock out anyone from the image; the only thing you can do is make sure that anything that is only needed for compilation of your project is not available on the final image. And this is only a solution if the 'secret' stuff isn't needed after compilation.
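
An added example, not part of the answer above: a check that the "compile, then remove the source" approach really left no source in the shipped image. Image layers are additive, so a file deleted by a later build step is still stored in the earlier layer; the script scans every layer of a `docker save` archive. The sample archives, layer names and extension list are constructed assumptions.

```python
import io, json, posixpath, tarfile

SOURCE_EXT = (".c", ".h", ".go", ".java", ".php")  # assumption: your project's source types

def find_source_in_layers(image_tar_bytes, exts=SOURCE_EXT):
    """Return {layer: [paths]} for every layer that still contains source files.

    Input is `docker save` output: an outer tar whose manifest.json lists one
    inner tar per layer. A later `RUN rm` only adds a ".wh." whiteout marker;
    the file's bytes stay in the layer that first added it.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for layer_path in manifest[0]["Layers"]:
            layer_bytes = image.extractfile(layer_path).read()
            with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                hits = [m.name for m in layer.getmembers()
                        if m.isfile() and m.name.endswith(exts)
                        and not posixpath.basename(m.name).startswith(".wh.")]
            if hits:
                findings[layer_path] = hits
    return findings

def make_tar(files):
    """Build an in-memory tar from {name: bytes} (helper for the constructed sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_image(multi_stage):
    """Constructed stand-in for `docker save` output; layer names are made up."""
    if multi_stage:  # final stage only copies in the compiled binary
        layers = {"l1/layer.tar": make_tar({"app/server": b"\x7fELF"})}
    else:            # COPY source, RUN build, RUN rm: three separate layers
        layers = {
            "l1/layer.tar": make_tar({"app/src/main.c": b"int main(){}"}),
            "l2/layer.tar": make_tar({"app/server": b"\x7fELF"}),
            "l3/layer.tar": make_tar({"app/src/.wh.main.c": b""}),
        }
    manifest = json.dumps([{"Layers": list(layers)}]).encode()
    return make_tar({"manifest.json": manifest, **layers})

if __name__ == "__main__":
    print("rm in later layer:", find_source_in_layers(sample_image(False)))
    print("multi-stage build:", find_source_in_layers(sample_image(True)))
```

Against a real image, pass the bytes of the archive written by `docker save` to `find_source_in_layers`; an empty result means no layer carries files with the listed extensions.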