Share Docker Image with a collaborator

Time:03-15

I have to share a Docker image (Spring Boot application) with a collaborator who works outside my company. I need to prevent access to the source code. I was trying to share it as a .tar file that contains the jar in the Docker image, but as far as I know this won't prevent source code access. The second solution is to push it to Docker Hub as a private repo and grant access only to him, but I think the source code can be accessed as well.

Are there any other solutions that I can use for this situation?

Thanks.

CodePudding user response:

It doesn't matter whether the image is in Docker Hub as a private image or a tar file; in both cases, if the image can be pulled, it can be exported again using docker save on the machine that pulled it.

The most you can do is use a multi-stage build (if you are building the jar file using Docker as well), so that once the jar file is generated, a new image containing only the JRE and the JAR is produced.

Something like this; it will vary heavily depending on your implementation specifics:

FROM openjdk:latest AS build
# Build stage: copy the sources in and build the jar here; nothing from this
# stage ends up in the final image unless it is explicitly copied across
FROM openjdk:11-jre
# Runtime stage: only the compiled artifact is taken from the build stage
COPY --from=build /build/app.jar ./
# runtime environment, CMD, etc

This will not prevent a third party from fetching the JAR file from the Docker image and decompiling it, but it will prevent the user from reading clean code.

To complicate this further, you will have to turn to a Java obfuscator; there are plenty of products, both free and commercial, available online for that purpose.

CodePudding user response:

Only things you COPY into a Docker image are present in it. I see a lot of Java-based Dockerfiles like

FROM openjdk:17
COPY target/app.jar /app.jar
CMD java -jar /app.jar

and these only contain some base Linux distribution, the JDK, and the jar file; they do not contain any application source since it is not COPYed in.

As @MarcSances notes in their answer this is as secure as otherwise distributing the jar file; it is straightforward to decompile it and you will get relatively readable results, but this is not "distributing the source" per se. (Compare with JavaScript, Python, PHP, or Ruby scripted applications, where the only way to run the application is to actually have its source code; and also compare with C++, Go, or Rust, where you have a standalone runnable binary which is even harder to decompile.)
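Both answers rest on the same fact: whatever any Dockerfile instruction put into any layer is recoverable from the image with docker save, so the only real control is to make sure the sources never get COPYed into the image you ship. The script below is an added example (not code from either answer) that audits a `docker save` archive for that mistake: it reads manifest.json, walks every layer tar and lists files that look like source code or a VCS checkout. It assumes the uncompressed layer layout that docker save produces; the file extensions and directory names it flags are assumptions chosen for a Java project, and the sample archive it builds when run without arguments is constructed in-memory test data, not a real image.

```python
import io
import json
import sys
import tarfile

# Paths that point at application source rather than a built artifact.
# Both lists are assumptions for this example; extend them for your stack.
SOURCE_SUFFIXES = (".java", ".kt", ".scala", ".groovy")
SOURCE_DIR_NAMES = {"src", ".git"}


def is_source_path(path):
    """True if a file path inside a layer looks like source code or a VCS checkout."""
    segments = path.strip("/").split("/")
    if segments[-1].endswith(SOURCE_SUFFIXES):
        return True
    return any(seg in SOURCE_DIR_NAMES for seg in segments[:-1])


def audit_image_tar(data):
    """Scan every layer listed in manifest.json of a `docker save` archive.

    Returns {layer path in the archive: [offending file paths]}; an empty
    dict means no layer carries anything matching the source patterns.
    """
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for image in manifest:
            for layer_name in image["Layers"]:
                # Each layer is itself an uncompressed tar stored in the outer archive.
                layer_bytes = outer.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    hits = sorted(m.name for m in layer.getmembers()
                                  if m.isfile() and is_source_path(m.name))
                if hits:
                    findings[layer_name] = hits
    return findings


def _tar_bytes(files):
    """Build an in-memory tar from {path: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """Constructed archive mimicking `docker save`: one clean runtime layer and one
    layer where the whole build tree (sources included) was COPYed in by mistake."""
    fake_jar = b"PK\x03\x04 not a real jar"
    runtime_layer = _tar_bytes({"app.jar": fake_jar})
    leaky_layer = _tar_bytes({
        "build/app.jar": fake_jar,
        "build/src/main/java/com/example/App.java": b"class App {}",
    })
    manifest = [{
        "Config": "config.json",
        "RepoTags": ["demo/app:sample"],
        "Layers": ["layer-runtime/layer.tar", "layer-build/layer.tar"],
    }]
    return _tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": b"{}",
        "layer-runtime/layer.tar": runtime_layer,
        "layer-build/layer.tar": leaky_layer,
    })


if __name__ == "__main__":
    # Usage: docker save demo/app:latest -o app.tar && python audit_image.py app.tar
    # With no argument the constructed sample above is audited instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    report = audit_image_tar(data)
    for layer, paths in report.items():
        print(f"{layer}:")
        for p in paths:
            print(f"  {p}")
    sys.exit(1 if report else 0)
```

Run it against the image you intend to hand over (docker save the tag, then point the script at the tar); a non-zero exit means some layer, including one inherited from a base image, still contains files matching the patterns, which is exactly what a multi-stage build is meant to avoid. Review the list rather than trusting it blindly: a base image may legitimately ship a `src` directory, and the match list is a starting point for inspection, not a verdict.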
