Is it possible to restrict access to lxc containers?

Question

I would like to run a docker or LXC container but restrict access to the container itself. Specifically, is it possible to prevent even the root (root on the host) from accessing the container? From access, I mean SSH in to the container, tcpdump the tx/rx puts to the container, profiling the application etc.

Thanks!

Answer 1

It is not possible to effectively restrict a privileged user on the host from inspecting or accessing the container. If that were the case, it's hard to imagine how it would be possible for the root user to even start the container in the first place.

In general, it's useful to remember that containerization is used to confine processes to a restricted space: it's used to keep a process from getting out to the host, not to prevent other processes from getting in.