Create new containers from within existing container - specific users only

Hi,
I recently stumbled upon this thread. I mounted the docker socket and was indeed able to run other containers from my own. But I found out every user in that container could do the same. So, I would be curious if it is possible to limit to only some users inside the container to be able to use the docker API?

My understanding of the linked post was that only the users in a specific group will be able to use the API, but it didn't work that way.

Permissions get weird when mounting a socket into a container. I think you might be able to control this with the mounts options, but it would probably be better to configure the spawner such that it only mounts the sockets for the users you want to have access, with a subclass of DockerSpawner.

1 Like
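One way to do what the reply suggests, as an added example that is not part of the thread or of the DockerSpawner project: a `DockerSpawner` subclass that adds the Docker socket bind only when the JupyterHub username being spawned is on an explicit allow-list. The class name, the allow-list, and the paths are assumptions; the `volumes` trait, `start()` and `self.user.name` are the real DockerSpawner/JupyterHub attributes. Note that this gates by JupyterHub user, so inside an allowed user's container every Unix account still sees the socket, which is the original poster's remaining concern; whoever reaches the socket controls the host's Docker daemon, so the set should be small.

```python
"""Added example: mount the Docker socket only for allow-listed JupyterHub users.

Illustrative code, not from the DockerSpawner project. The class name,
allow-list and paths are assumptions made for the example.
"""
import copy

try:
    from dockerspawner import DockerSpawner
except ImportError:
    # Minimal stand-in so the decision logic runs without JupyterHub installed.
    class DockerSpawner:  # type: ignore[no-redef]
        volumes = {}

        async def start(self):
            return ("127.0.0.1", 8888)

# Host-side and in-container socket paths (constructed for the example).
HOST_SOCKET = "/var/run/docker.sock"
CONTAINER_SOCKET = "/var/run/docker.sock"

# Constructed allow-list of JupyterHub usernames. Access to this socket is
# equivalent to controlling the host's Docker daemon, so keep it small.
SOCKET_ALLOWED_USERS = frozenset({"alice", "bob"})


def volumes_for_user(username, base_volumes, allowed=SOCKET_ALLOWED_USERS):
    """Return the volumes mapping for one user's container.

    Everyone gets a copy of `base_volumes`; only allow-listed users also get
    the socket bind. Copying keeps the per-user decision from mutating the
    shared configuration object, and the socket entry is stripped for
    everyone else even if it was accidentally placed in the shared config.
    """
    volumes = copy.deepcopy(dict(base_volumes))
    if username in allowed:
        # DockerSpawner accepts {"bind": container_path, "mode": "rw"/"ro"}.
        volumes[HOST_SOCKET] = {"bind": CONTAINER_SOCKET, "mode": "rw"}
    else:
        volumes.pop(HOST_SOCKET, None)
    return volumes


class SocketGatedDockerSpawner(DockerSpawner):
    """DockerSpawner that mounts the Docker socket only for allow-listed users."""

    async def start(self):
        # self.user.name is the JupyterHub username of the user being spawned.
        self.volumes = volumes_for_user(self.user.name, self.volumes)
        return await super().start()


# In jupyterhub_config.py (assumed usage):
# c.JupyterHub.spawner_class = SocketGatedDockerSpawner
# c.SocketGatedDockerSpawner.volumes = {
#     "jupyterhub-user-{username}": "/home/jovyan/work",
# }
```

The hook point is `start()` rather than the config file itself because `volumes` is evaluated per spawn, so the decision is re-made for each user every time their server starts rather than once at Hub startup.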