Brandon's in with the first. Next question here: gosu versus USER. How do you prefer to go about using non-root users in containers and keep file permissions on the host? What's the current best practice for permissions in Docker?

It's fair to say that Docker itself, with the files you're running in a container, can be very frustrating, especially if you're using bind mounts. Bind mounts combine the permissions of the host files with those things running in the container, and that can often lead to you pulling your hair out and going a little insane. Some of my hardest projects have been when we needed multi-server shared file storage for multiple containers on different hosts, all accessing the same files with the right permissions, and also using least privilege with non-admin users, non-root users, right? So those can be really tricky.

I would say USER versus gosu: so when you ask me about USER, Brandon, I'm assuming you're talking about in the Docker image building, because that's where USER is applied, right? And gosu tends to work better than sudo inside of building a Docker image. So that's my understanding, at least, of why gosu is often used inside of Docker images for building, and I don't actually know the reason why. I probably learned it at some point years ago and then quickly forgot it.
So I'm assuming what your question is really talking about is when you're building images, and I would say USER is the best practice there for Dockerfile lines. If you're inside a RUN command and you need to change permissions on a specific part of that RUN command, that's where gosu, to me, makes sense, because you maybe need to do things as the root user, but not always, inside that RUN command. So maybe that's when you're choosing to use gosu and other things, right?

So I think that largely what ends up happening with people with permissions is not the files in the image, it's the files during runtime, right? So once your container starts up, let's say you've got a Node app and that Node app is running as user node, and it has a user upload directory, and then those files are stored on the host. So they're gonna be stored as the user node, because that's what Node is running as, and then you have some other process, maybe a different container using a shared volume or something, or a bind mount, and that is not running as the same user and needs to access those files read/write, and you get into these problems around permissions. So I would say that, at the end of the day, if you can't solve these problems with chown and chmod, then it doesn't.
In other words, inside the Dockerfile, if you're doing for example a COPY command inside of a Dockerfile, you can now do a chown on that, so that when you're copying files they copy with the right users that are given permissions to those files. You can't do a chmod command, I don't think, yet, although that may be a feature. That's actually something to look up, whether that has been added to Docker.

So we go to the official documentation on that, right, zoom in, and if I go to... yeah. So if I search chmod, I don't see anything. But if I go to chown, you can see where, if you use the ADD or the COPY, you can copy those in with the right permissions. That's a huge thing that happened a year or two ago that saves us a lot of space, because we then don't have to change the permissions on the files. That's step one. Step two is, if you need to change permissions of directories at runtime, like you need to have a volume set to certain permissions, that's what an entrypoint script is for.
So if you were to look at an example, like if we just go back over here to Docker Hub and I were to go into MySQL, and if you went to one of the MySQL Dockerfiles, you would probably find that there is an entrypoint script, especially with things like databases. An entrypoint script is something that will start every time a container is started, and often in these entrypoint scripts you will see things like "I need you to chown everything in this directory and chmod it", or, you know, do a +w globally or something, which is not always the most secure thing to do. But if you need to change permissions on the fly, then you would do that inside the script.

Now of course the problem in this script is that it's running as the user, I believe, so it's running as the user that you set in a Dockerfile. So that becomes another problem, because if you need to change permissions on files to make them readable by the node user, but the script is running as the node user, then you have problems, because you can't go to root, essentially, at that point. So I would say that there is no easy or best fix for that, but permissions is something you could probably write a whole course section on, write a whole multi-hour training session on, the various ways the permissions are dealt with. One little tidbit there.
The last thing I'll say, and I know that I'm kind of going on on your question, but it is something that I think comes up a lot, is that file permissions in Linux are just numbers. In fact, this is actually a tip that was given to me, I think, by Phil Estes, who is someone who implemented the namespace, the user namespace issues, I'm sorry, the user namespace feature inside of Docker, which is not enabled by default. But if you wanted to have all your containers run as non-root, you would enable that. And he was one of the ones that helped add that feature, and we were talking one day and he pointed out that, you know, the user ID and the group ID are just IDs; you can set that number to whatever you want. They're just numbers.

And so if you need files on the host, for example, to match those in the container, if you just set everything by ID number, then user names are at that point really irrelevant. It's really the ID that it's going to look at for matching those permissions. So in a case where I was working on a project and we needed to share files across multiple containers, but they were all running as different users and we needed to make sure that the permissions matched up, we really just manually made sure those files were using the right numbers, or IDs, for the owner and the group, and then everything started to work, because it didn't really matter that we didn't have the user created on the host, for example, that was matching that ID inside the container. We just made sure the ID numbers matched up. So that's a little tip. It took me a while to figure that out and to understand how those worked, but really, at the end of the day, it's just doing a comparison to make sure that the numbers of the reads and writes and permissions match what the user that's executing the command is doing.

Good question. I'm glad that you brought that up, because that's not something that we've discussed here recently, and we should talk about it more.