Reputation: 7028
I was recently playing with Docker containers. I have set up a Docker host on which users are part of the docker group so they will be able to start containers for themselves. But in this scenario a container started by user A is accessible by user B. So I was looking for a way to isolate users' containers from other users and tried to add the -u flag to the docker run command, but got the following error:
FATA[0001] Error response from daemon: Cannot start container XXXXX: [8] System error: Unable to find user abc
The same command works without the -u flag.
User abc does exist on the host, but I'm not sure what I am missing here.
Anyone know what's wrong here?
I am on Ubuntu 14.04 with Docker 1.6.2
Upvotes: 2
Views: 2672
Reputation: 263666
Users with access to run Docker containers on a host effectively have full root access on that host server. They can easily run docker run -it --rm -v /:/target debian and have a root shell with your host filesystem mapped into that shell.
Therefore, you can't isolate from other users with direct access to the Docker engine. To get the isolation you're looking for, you'll need to use a tool on top of the Docker engine that provides RBAC and careful configuration to limit what each user can submit. Docker has its own (Universal Control Plane) and other vendors have created similar products. Or, as Mark suggests, give each user their own VM running isolated instances of Docker.
Upvotes: 2
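Since the answer above treats membership in the docker group as root-equivalent, a practical follow-up is to audit which accounts actually have it. The following POSIX shell snippet is an added example, not part of the original answer; it uses constructed /etc/group and /etc/passwd samples (the docker GID 999 and the user names are made up) and also catches accounts whose primary group is docker, which a plain look at the group's member list would miss.

```sh
#!/bin/sh
# Added example: list every account that has docker-group access on a host,
# i.e. every account the answer above considers root-equivalent.

# Constructed sample /etc/group (not from any real host). Note that carol is
# not listed as a member here.
SAMPLE_GROUP='root:x:0:
adm:x:4:syslog,alice
docker:x:999:alice,bob
sudo:x:27:alice
users:x:100:'

# Constructed sample /etc/passwd. carol's primary GID is 999, the docker
# group, so she has docker access without appearing in the group's member list.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:999::/home/carol:/bin/bash'

# docker_access_accounts GROUP_CONTENTS PASSWD_CONTENTS
# Prints, one per line and sorted, every account that is either a
# supplementary member of the docker group or has it as primary group.
# Prints nothing if the host has no docker group at all.
docker_access_accounts() {
    gid=$(printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $3 }')
    [ -n "$gid" ] || return 0
    {
        # supplementary members: field 4 of the docker line, comma separated
        printf '%s\n' "$1" | awk -F: '$1 == "docker" && $4 != "" {
            n = split($4, m, ",");
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
        # primary-group members: passwd entries whose GID field matches
        printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# Stand-alone run against the constructed samples. To audit a real host,
# pass "$(cat /etc/group)" and "$(cat /etc/passwd)" instead.
docker_access_accounts "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

Any name this prints that is not a trusted administrator is an account with effective root on the host, regardless of what sudoers says.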
Reputation: 77961
Docker is not a multi-tenanted service, which explains why containers are visible to users on the same server.
In theory you could start up a Docker daemon for each user, but it might be simpler to just give each user a virtual machine within which they can run their containers.
Upvotes: 1