We have a application running a number of containers within the docker machine. To start it, we use the docker terminal. However anyone with access to the host machine can run docker machines, start and stop containers or load new containers
How do we lock down access to the docker terminal such that only authorised users can run commands
It's worse than that. Anyone who can run any Docker command at all can run:
And then they will have a root-level shell that has unrestricted access to the host's filesystem.
There's no (easy) way to restrict this further. You can't safely make Docker access available to untrusted users on a shared system.
A typical setup has the Docker socket owned by root and a dedicated "docker" group and isn't world-accessible. If you have a limited number of users that already have sudo access (or you don't mind if they give it to themselves) they can
sudo run docker, or you can add them to the "docker" group, and other users won't be able to run Docker commands; they can access services in already-running containers. (If you've changed the Docker daemon setup so that it listens on a TCP socket, you've given root access to the host to anyone who can reach the socket.)In the specific case of Docker Machine, it always listens on a TCP socket, and while it's not accessible off-host, the only way you can restrict access to it is by limiting distribution of its TLS certificates. I probably wouldn't use it in an environment other than a development system where I can't use a "more native" Docker.