Reputation: 34992
Let's say I want to run inside a docker container some third party .net core application I don't fully trust.
dotnet new. This is just the 2 files Program.cs and project.json. Right now I have tried the following approach:
Create a new container using the microsoft/dotnet image, mounting that folder as a volume, running a specific command for building and running the app:
$ docker run --rm -it --name dotnet \
-v /some/temp/folder/app:/app \
microsoft/dotnet:latest \
/bin/sh -c 'cd /app && dotnet restore && dotnet run'
I was also considering the idea of having a predefined dockerfile with microsoft/dotnet as the base image. It will basically embed the application code, set it as the working dir and run the restore, build and run commands.
FROM microsoft/dotnet:latest
COPY . /app
WORKDIR /app
RUN ["dotnet", "restore"]
RUN ["dotnet", "build"]
ENTRYPOINT ["dotnet", "run"]
I could then copy the predefined dockerfile into the temp folder, build a new image just for that particular application and finally run a new container using that image.
Is the dockerfile approach overkill for simple command line apps? What would be the best practice for running those untrusted applications? (which might be one I completely ignore)
EDIT
Since I will discard the container after it runs and the docker command will be generated by some application, I will probably stay with the first option of just mounting a volume.
I have also found this blog post where they built a similar sandbox environment and ended up following the same mounted volume approach.
Upvotes: 2
Views: 493
Reputation: 1948
As far as I know, what happens in docker, stays in docker.
When you link a volume (-v) to the image, the process can alter the files in the folder you mounted. But only there. The process cannot follow any symlinks or step out of the mounted folder since it's forbidden for obvious security reasons.
When you don't link anything and copy the application code into the image, it's definitely isolated.
Exposing tcp/udp ports is up to you, as is memory/cpu consumption, and you can even isolate the process from the internet, e.g. like that.
Therefore, I don't think that using a dockerfile is overkill and I'd summarize it like this:
When you want to run it once, try it and forget it - use the command line if you are ok with typing the nasty command. If you plan to use it more - create a Dockerfile. I don't see much space for declaring "best practice" here, considering it a question of personal preference.
Upvotes: 2
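The knobs the answer mentions (ports, memory/cpu, internet isolation), applied to the asker's mounted-volume command, as an added example that is neither the asker's nor the answerer's code: a POSIX shell wrapper that a generating application could call to emit the "nasty command" with restrictive defaults. The limits, the 1000:1000 UID, the tmpfs HOME and the package-cache caveat are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example: emit the question's docker run command with confinement flags.
set -eu

# Print the docker run options that confine the untrusted app.
#   $1 = absolute host path of the app folder (mounted at /app, as in the question)
#   $2 = network mode (default "none"); "none" cuts the app off from the internet,
#        but then `dotnet restore` only succeeds if packages are already cached
#        under the mounted folder or a mounted cache. Pass "bridge" for restore.
sandbox_args() {
    app_dir=$1
    network=${2:-none}
    case "$app_dir" in
        /*) [ -d "$app_dir" ] || { echo "not a directory: $app_dir" >&2; return 1; } ;;
        *)  echo "app dir must be an absolute path: $app_dir" >&2; return 1 ;;
    esac
    opts="--rm --network $network"
    # Assumed limits: root filesystem read-only, scratch space and HOME on a
    # size-capped tmpfs that disappears with the container (the asker discards it).
    opts="$opts --read-only --tmpfs /tmp:rw,size=256m -e HOME=/tmp"
    # Drop all capabilities and block privilege escalation via setuid binaries.
    opts="$opts --cap-drop ALL --security-opt no-new-privileges"
    # Resource ceilings: fork bombs, memory hogs and CPU spinners stay bounded.
    opts="$opts --pids-limit 256 --memory 512m --cpus 1"
    # Run as an unprivileged UID (assumed to own the host folder) and mount the
    # app folder writable, since restore/build write bin/ and obj/ into it.
    opts="$opts --user 1000:1000 -v $app_dir:/app"
    printf '%s\n' "$opts"
}

# Print the complete command for the question's restore-and-run flow.
sandbox_cmd() {
    args=$(sandbox_args "$@") || return 1
    printf '%s\n' "docker run $args microsoft/dotnet:latest /bin/sh -c 'cd /app && dotnet restore && dotnet run'"
}

# Stand-alone usage: sh sandbox.sh /some/temp/folder/app [network]
if [ -n "${1:-}" ]; then
    sandbox_cmd "$@"
fi
```

No ports are published, so nothing the app listens on is reachable from the host; add `-p` only for a port you deliberately want exposed.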