@moonglum
Created April 12, 2018 06:19
A user that can't modify `/app` can modify it when it is mounted

README

If you run this with `docker-compose run --rm app`, you get a bash shell inside the Docker container. Now run:

touch lol.txt

Exit the shell. `lol.txt` now exists in your working directory on the host. Check who owns it: it is your own user.

Now do the same with `docker build .` and then `docker run -it --rm ...`. You will get a permission denied.

Corollary

  • We don't need to do any user mapping dance
  • In the case of a Rails app, we can simply COPY the entire directory as the root user and give our app user only read and execute permissions. We additionally grant write permission on the app's tmp folder. In production, the user is then unable to modify files on the filesystem, which improves security.
    • In development, it will still be possible to run things like `rails g`
docker-compose.yml

```yaml
version: "3"
services:
  app:
    build:
      context: .
    volumes:
      - .:/app
    stdin_open: true
    tty: true
```
Dockerfile

```dockerfile
FROM ruby:2.4
RUN useradd -m app && \
    mkdir /app
WORKDIR /app
USER app
CMD ["bash"]
```
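The README's corollary applied to a production image. This is an added example and not one of the gist's files: it takes the Dockerfile above and adds the root-owned COPY, read/execute-only permissions for the app user, and a writable tmp folder. The Rails layout, the `-u 1000` UID pin, the Gemfile copy order and the `rails server` command are assumptions; in development the bind mount from docker-compose.yml replaces the image's /app, so host permissions apply there exactly as the README describes.

```dockerfile
# Added example, not part of the gist: production Dockerfile for a hypothetical
# Rails app that follows the README's corollary (root-owned code, tmp writable).
FROM ruby:2.4

# Same unprivileged user as the gist's Dockerfile. The explicit UID is an
# assumption that makes the host/container mapping for bind mounts deliberate.
RUN useradd -m -u 1000 app && \
    mkdir /app
WORKDIR /app

# Gems are installed as root (we are still root until USER below), so the
# app user can load them but not alter them.
COPY Gemfile Gemfile.lock /app/
RUN bundle install --without development test

# COPY as root: every file ends up owned by root. The chmod leaves the app
# user (and everyone else) read + execute only; X adds execute on directories
# and on files that are already executable.
COPY . /app
RUN chmod -R u=rwX,go=rX /app

# The one writable location for the app user: Rails keeps caches, pids and
# sockets under tmp/.
RUN mkdir -p /app/tmp && chown -R app:app /app/tmp

USER app
CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
```

Check it the same way the README does: `docker run -it --rm <image> touch /app/lol.txt` must fail with permission denied, while `touch /app/tmp/lol.txt` succeeds. The UID pin is also why no user-mapping dance is needed on a typical single-user Linux host: useradd's first regular UID on a Debian-based image is 1000 anyway, which is usually the host user's UID, so files created through the bind mount come out owned by you.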