At present, the project uses a piece of third-party software that provides many commands. What we have done is expose these commands as RESTful services for use by various systems.

There is a need to filter out some dangerous commands, mainly some "write" commands, such as Export, which exports data to a directory, and "ClearAttribute", which clears a system attribute (not a write command).

When the user's request contains such a command, it is rejected with a 403 directly.

Our current practice is a black/white list, but it is too troublesome. We often need to add new commands, and some have been blocked by mistake.

I'm thinking about this scenario: put this service inside a container and then control the permissions of the entire container. Would that solve it?

I've never used Docker before, and I don't know whether it's suitable or not.

Some people on the Internet said a sandbox could be used for this. I searched for the difference between a sandbox and Docker, but couldn't figure it out.

In your scenario, Docker is roughly equivalent to a VM, which is roughly equivalent to a physical machine. Therefore, it is obviously unreasonable for you to add several machines just to meet some application requirements.
Docker is not a cure-all.
