moonglum/Dockerfile

Created April 12, 2018 06:19

Star (0) You must be signed in to star a gist
Fork (1) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/moonglum/a6e94860ebcec39819e4af975d1afe76.js"></script>
Save moonglum/a6e94860ebcec39819e4af975d1afe76 to your computer and use it in GitHub Desktop.

Download ZIP

A user that can't modify `/app` can modify it when it is mounted

Raw

README

If you run this with docker-compose run --rm app, you are in bash inside of your Docker container. Now run:

touch lol.txt

Exit the shell. Now you can see the lol.txt. Check who is the owner. It is your own user.

Now do the same with docker build . and then docker run -it --rm .... You will get a permission denied.

Corollary

We don't need to do any user mapping dance
In the case of a Rails app, we can just COPY the entire directory as the root user and only provide read and execute permissions to our app user. We additionally provide write permissions to the tmp folder of the app. In production, the user is then not able to modify files on the FS, increasing security.
- In development, it will still be possible to run things like rails g

Raw

docker-compose.yml

	version: "3"
	services:
	app:
	build:
	context: .
	volumes:
	- .:/app
	stdin_open: true
	tty: true

Raw

	FROM ruby:2.4

	RUN useradd -m app && \
	mkdir /app

	WORKDIR /app
	USER app

	CMD ["bash"]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment