@bascht
Forked from moonglum/Dockerfile
Created April 12, 2018 10:54
A user that can't modify `/app` can modify it when it is mounted

README

If you run this with `docker-compose run --rm app`, you get a bash shell inside the container. Now run:

touch lol.txt

Exit the shell. lol.txt now shows up in the project directory on the host. Check who owns it: it is your own user.

Now do the same with `docker build .` and then `docker run -it --rm ...`. You will get a permission denied.

Corollary

  • We don't need to do any user mapping dance.
  • In the case of a Rails app, we can just COPY the entire directory as the root user and grant our app user only read and execute permissions. We additionally give the app user write permission on the app's tmp folder. In production the user is then not able to modify files on the filesystem, which improves security.
    • In development it will still be possible to run things like `rails g`, because the bind mount replaces /app with the host directory.
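The corollary above written out as a production Dockerfile. This is an added example and not part of the gist: the tree is copied as root, the `app` user gets read and traverse permissions only, `tmp` is the one directory handed to the app user, and a final `RUN` step fails the build if anything outside `tmp` is still writable by that user. The base image, the `tmp`-only write set and the Rails start command are assumptions.

```dockerfile
FROM ruby:2.4

# Unprivileged runtime user; its home is for bundler config, not for the app.
RUN useradd -m app

# COPY runs as root, so every file under /app is root-owned by default.
WORKDIR /app
COPY . /app

# Read for everyone, execute only on directories and files that already had
# an execute bit (X), and no group/other write anywhere. Only tmp is chowned
# to the app user, so it is the single writable location (assumed layout).
RUN chmod -R a+rX,go-w /app && \
    mkdir -p /app/tmp && \
    chown -R app:app /app/tmp

# Build-time audit: the build fails if anything outside tmp is either not
# root-owned or writable by group/other, i.e. writable by the app user.
RUN test -z "$(find /app -path /app/tmp -prune -o \
      \( ! -user root -o -perm -g+w -o -perm -o+w \) -print)"

USER app

# Assumed Rails entrypoint. In development the same image is started via
# docker-compose with the bind mount, which makes /app writable again.
CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
```

The audit step is cheap and catches the usual regressions (a `COPY --chown`, a stray `chmod 777`, or files that arrived group-writable from a permissive host umask) before the image ships; the same `find` expression can be run against a running container to confirm the invariant still holds.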
docker-compose.yml

version: "3"
services:
  app:
    build:
      context: .
    volumes:
      - .:/app
    stdin_open: true
    tty: true
Dockerfile

FROM ruby:2.4
RUN useradd -m app && \
    mkdir /app && \
    chown app:app /app
WORKDIR /app
USER app
CMD ["bash"]