@pcewing
Last active February 18, 2020 18:19
[container_demo] docker image build -t myapp .
Sending build context to Docker daemon 2.048kB
Step 1/3 : FROM centos:latest
---> 470671670cac
Step 2/3 : RUN groupadd -r -g 1001 john && groupadd -r -g 1050 myapp && useradd -rM -g john -G myapp -u 1001 john && mkdir -p /var/john && chown -R john:john /var/john
---> Using cache
---> a889fe7bf9cb
Step 3/3 : USER john:john
---> Using cache
---> 4ce8cad43e73
Successfully built 4ce8cad43e73
Successfully tagged myapp:latest
[container_demo] docker container run -it myapp /bin/bash
bash-4.4$ whoami
john
bash-4.4$ id john
uid=1001(john) gid=1001(john) groups=1001(john),1050(myapp)
bash-4.4$ ls -l /var | grep john
drwxr-xr-x 2 john john 4096 Feb 14 02:13 john
bash-4.4$ touch /var/john/test.txt
bash-4.4$ ls -l /var/john/test.txt
-rw-r--r-- 1 john john 0 Feb 14 02:33 /var/john/test.txt
bash-4.4$ chown john:myapp /var/john/test.txt
chown: changing ownership of '/var/john/test.txt': Operation not permitted
bash-4.4$ lsattr /var/john
--------------e---- /var/john/test.txt
bash-4.4$ lsattr /var/john/test.txt
--------------e---- /var/john/test.txt
bash-4.4$ ls -lna /var/john
total 12
drwxr-xr-x 1 1001 1001 4096 Feb 18 17:13 .
drwxr-xr-x 1 0 0 4096 Feb 14 02:13 ..
-rw-rw-r-- 1 1001 1001 0 Feb 18 17:13 test.txt
FROM centos:latest
RUN groupadd -r -g 1001 john && \
    groupadd -r -g 1050 myapp && \
    useradd -rM -g john -G myapp -u 1001 john && \
    mkdir -p /var/john && \
    chown -R john:john /var/john
USER john:john
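The transcript above has `id john` reporting membership in myapp while `chown john:myapp` is refused with EPERM, and the comments below show plain `id` inside the built image listing only gid 1001. The two commands answer different questions: `id john` reads the account database (/etc/passwd and /etc/group), while `id` with no argument reports the credentials of the running process, and the kernel checks chown's target group against the process credentials, not the database. The following script is an added example, not part of the gist or of Docker; the function names, the `SAMPLE_GROUP` content and the exit-code convention are my own constructions. It separates the two views and explains, for a given process group list, why a chown to a group would be refused.

```sh
#!/bin/sh
# Added example, not part of the gist: tell apart the groups the account
# database assigns a user (what `id john` reports) from the groups the
# running process actually holds (what plain `id` or `id -G` reports).
# chown's group check is made against the process credentials, so that is
# the view to verify before relying on group ownership inside a container.

# process_has_gid "GID LIST" TARGET_GID
# GID LIST is `id -G` output (space-separated). Returns 0 if TARGET_GID is present.
process_has_gid() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# gid_of_group "GROUP FILE CONTENT" NAME -> prints the gid for NAME, nothing if absent.
gid_of_group() {
    printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { print $3; exit }'
}

# db_groups_of_user "GROUP FILE CONTENT" USER -> prints each gid whose member
# list names USER (the database view; the primary group lives in passwd, not here).
db_groups_of_user() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $3 }'
}

# Constructed /etc/group content mirroring the gist's Dockerfile (hypothetical sample).
SAMPLE_GROUP='root:x:0:
john:x:1001:
myapp:x:1050:john'

# check_chgrp "GROUP FILE CONTENT" USER "PROCESS GIDS" TARGET_GROUP
# Exit 0: chown USER:TARGET_GROUP can succeed for this process.
# Exit 2: the database grants the group but the process was not started with it
#         (the gist's `USER john:john` situation).
# Exit 1: USER is not a member of TARGET_GROUP, or the group does not exist.
check_chgrp() {
    target=$(gid_of_group "$1" "$4")
    if [ -z "$target" ]; then
        echo "denied: group '$4' is not in the group database"
        return 1
    fi
    if process_has_gid "$3" "$target"; then
        echo "ok: process holds gid $target ($4)"
        return 0
    fi
    if db_groups_of_user "$1" "$2" | grep -qx "$target"; then
        echo "denied: /etc/group lists $2 in $4 (gid $target), but the process credentials lack it; start the container with the group (docker run --group-add $4) or switch with newgrp $4"
        return 2
    fi
    echo "denied: $2 is not a member of $4"
    return 1
}

# Live check against the current shell: the process view is taken from id -G.
[ -r /etc/group ] && check_chgrp "$(cat /etc/group)" "$(id -un)" "$(id -G)" "$(id -gn)" || :
```

Run inside the gist's container, `check_chgrp "$(cat /etc/group)" john "$(id -G)" myapp` would print the exit-2 diagnosis, because `id -G` there yields only `1001`. The practical consequence is that `id <user>` output is not evidence that a containerised process can use a group; check `id -G` from within the process, or compare the two as this script does, before depending on group ownership or group-writable paths.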
@adamancini

 ✔  moira  ~  docker run -it --rm ubuntu
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
5c939e3a4d10: Already exists
c63719cdbe7a: Already exists
19a861ea6baf: Already exists
651c9d2d6c4f: Already exists
Digest: sha256:8d31dad0c58f552e890d68bbfb735588b6b820a46e459672d96e585871acc110
Status: Downloaded newer image for ubuntu:latest
root@c5aa42db1caf:/# groupadd -r -g 1001 john
root@c5aa42db1caf:/# groupadd -r -g 1050 myapp
root@c5aa42db1caf:/# useradd -rM -g john -G myall -u 1001 john
useradd: group 'myall' does not exist
root@c5aa42db1caf:/# useradd -rM -g john -G myapp -u 1001 john
root@c5aa42db1caf:/# mkdir -p /var/john
root@c5aa42db1caf:/# chown -R john:john /var/john
root@c5aa42db1caf:/# su - john
No directory, logging in with HOME=/
$ ls
bin  boot  dev	etc  home  lib	lib64  media  mnt  opt	proc  root  run  sbin  srv  sys  tmp  usr  var
$ whoami
john
$ id
uid=1001(john) gid=1001(john) groups=1001(john),1050(myapp)
^C d /var	
$ ^C
$ cd /var
$ ls
backups  cache	john  lib  local  lock	log  mail  opt	run  spool  tmp
$ cd john
$ ls
$ ls -lha
total 12K
drwxr-xr-x 2 john john 4.0K Feb 18 17:28 .
drwxr-xr-x 1 root root 4.0K Feb 18 17:28 ..
$ ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:28 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:28 ..
$ touch foo
$ ls -lha
total 12K
drwxr-xr-x 2 john john 4.0K Feb 18 17:30 .
drwxr-xr-x 1 root root 4.0K Feb 18 17:28 ..
-rw-rw-r-- 1 john john    0 Feb 18 17:30 foo
$ ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:30 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:28 ..
-rw-rw-r-- 1 1001 1001    0 Feb 18 17:30 foo
$ chown john:myapp foo
$ ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:30 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:28 ..
-rw-rw-r-- 1 1001 1050    0 Feb 18 17:30 foo
$

@adamancini

✔  moira  ~  docker run --rm -it centos
Unable to find image 'centos:latest' locally
latest: Pulling from library/centos
8a29a15cefae: Pull complete
Digest: sha256:fe8d824220415eed5477b63addf40fb06c3b049404242b31982106ac204f6700
Status: Downloaded newer image for centos:latest
[root@690b4d2de5f5 /]# groupadd -r -g 1001 john && \
>     groupadd -r -g 1050 myapp && \
>     useradd -rM -g john -G myapp -u 1001 john && \
>     mkdir -p /var/john && \
>     chown -R john:john /var/john
[root@690b4d2de5f5 /]# cd /var/john
[root@690b4d2de5f5 john]# ls
[root@690b4d2de5f5 john]# ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:32 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:32 ..
[root@690b4d2de5f5 john]# su - john
su: warning: cannot change directory to /home/john: No such file or directory
[john@690b4d2de5f5 john]$ ls
[john@690b4d2de5f5 john]$ cd /
[john@690b4d2de5f5 /]$ cd /var/john
[john@690b4d2de5f5 john]$ ls
[john@690b4d2de5f5 john]$ ls -lnma
., ..
[john@690b4d2de5f5 john]$ ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:32 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:32 ..
[john@690b4d2de5f5 john]$ touch foo
[john@690b4d2de5f5 john]$ ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:33 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:32 ..
-rw-rw-r-- 1 1001 1001    0 Feb 18 17:33 foo
[john@690b4d2de5f5 john]$ chown john:myapp foo
[john@690b4d2de5f5 john]$ ls -lna
total 12
drwxr-xr-x 2 1001 1001 4096 Feb 18 17:33 .
drwxr-xr-x 1    0    0 4096 Feb 18 17:32 ..
-rw-rw-r-- 1 1001 1050    0 Feb 18 17:33 foo
[john@690b4d2de5f5 john]$

@adamancini

run interactively:

[john@690b4d2de5f5 john]$ id
uid=1001(john) gid=1001(john) groups=1001(john),1050(myapp)
[john@690b4d2de5f5 john]$ whoami
john

run via "build"

bash-4.4$ id
uid=1001(john) gid=1001(john) groups=1001(john)
bash-4.4$ newgrp myapp
bash-4.4$ groups
myapp
bash-4.4$ id
uid=1001(john) gid=1050(myapp) groups=1050(myapp)
bash-4.4$
