1
00:00:00,270 --> 00:00:04,800
Brandon's in with the first. Next question here: gosu versus USER.

2
00:00:04,800 --> 00:00:18,740
How do you prefer to go about using non-root users in containers and keep file permissions on the host sane? What's the current best practice for permissions in Docker?

3
00:00:19,020 --> 00:00:59,130
It's fair to say that Docker itself, with the files you're running in a container, can be very frustrating, especially if you're using bind mounts. Bind mounts combine the permissions of the host files with those things running in the container, and that can often lead to you pulling your hair out and going a little insane. Some of my hardest projects have been when we needed multi-server shared file storage for multiple containers on different hosts all accessing the same files with the right permissions, and also using least privilege with non-admin users, non-root users, right. So those can be really tricky.

4
00:00:59,280 --> 00:01:31,400
I would say USER versus gosu. So when you ask me about USER, Brandon, I'm assuming you're talking about in the Docker image building, because that's where USER is applied, right. And gosu tends to work better than sudo inside of building a Docker image. So that's my understanding at least of why gosu is often used inside of Docker images for building, and I don't actually know the reason why. I probably learned it at some point years ago and then quickly forgot it.

5
00:01:31,460 --> 00:01:59,740
So I'm assuming what your question is really talking about is when you're building images, and I would say USER is the best practice there for Dockerfile lines. If you're inside a RUN command and you need to change permissions on a specific part of that RUN command, that's where gosu to me makes sense, because you maybe need to do things as root user but not always inside that RUN command. So maybe that's when you're choosing gosu and other things, right.

6
00:01:59,780 --> 00:02:53,010
So I think that largely what ends up happening with people with permissions is not the files in the image, it's the files during runtime, right. So once your container starts up, let's say you've got a Node app and that Node app is running as user node, and it has a user upload directory, and then those files are stored on the host, and so they're gonna be stored as the user node, because that's what Node is running as. And then you have some other process, maybe a different container, using a shared volume or something or a bind mount, and that is not running as the same user and needs to access those files, read/write, and you get into these problems around permissions. So I would say that at the end of the day, if you can't solve these problems with chown and chmod, then it doesn't.

7
00:02:53,020 --> 00:03:59,130
In other words, inside the Dockerfile, if you're doing for example a COPY command inside of a Dockerfile, you can now do a chown on that, so that when you're copying files they copy with the right users that are given permissions to those files. You can't do a chmod, I don't think, yet, although that may be a feature. That's actually something to look up, whether chmod has been added to Docker. So we go to the official documentation on that, right, zoom in, and if I go to... yeah. So if I search chmod I don't see anything. But if I go to chown you can see where, if you use the ADD or the COPY, you can copy those in with the right permissions. That's a huge thing that happened a year or two ago that saves us a lot of space, because we then don't have to change the permissions on the files. That's step one. Step two is, if you need to change permissions of directories at runtime, like you need to have a volume set to certain permissions, that's what an entrypoint script is for.

8
00:03:59,160 --> 00:05:24,420
So if you were to look at an example, like if we just go back over here to Docker Hub and I were to go into MySQL, and if you went to one of the MySQL Dockerfiles, you would probably find that there is an entrypoint script, especially with things like databases. An entrypoint script is something that will start every time a container is started, and often in these entrypoint scripts you will see things like "I need you to chown everything in this directory and chmod it", or, you know, do a plus-write globally or something, which is not always the most secure thing to do, but if you need to change permissions on the fly then you would do that inside the script. Now of course the problem in this script is that it's running as the user, I believe, so as it's running as the user that you set in a Dockerfile, that becomes another problem, because if you need to change permissions on files to make them readable and writable by the node user, but the script is running as the node user, then you have problems because you can't go to root, essentially, at that point. So I would say that there is no easy or best fix for that, but permissions is something you could probably write a whole course section on, a whole multi-hour training session on the various ways the permissions are dealt with. One little tidbit there.

9
00:05:24,420 --> 00:06:52,500
The last thing I'll say is, I know that I'm kind of going on on your question, but it is something that I think comes up a lot, is that file permissions in Linux are just numbers. In fact this is actually a tip that was given to me, I think by Phil Estes, who is someone who implemented the user namespace issues, I'm sorry, the user namespace feature inside of Docker, which is not enabled by default. But if you wanted to have all your containers run as non-root you would enable that. And he was one of the ones that helped add that feature, and we were talking one day and he pointed out that, you know, the user ID and the group ID are just IDs; you can set that number to whatever you want. They're just numbers. And so if you need files on the host, for example, to match those in the container, if you just set everything by ID number then user names are at that point really irrelevant. It's really the ID that it's going to look at for matching those permissions. So in a case where I was working on a project and we needed to share files across multiple containers, but they were all running as different users and we needed to make sure that the permissions matched up, we really just manually made sure those files were using the right numbers, or IDs, for the owner and the group, and then everything started to work, because it didn't really matter that we didn't have the user created on the host, for example, that was matching that ID inside the container. We just made sure the ID numbers matched up, so that's a little tip.

10
00:06:52,500 --> 00:07:14,010
It took me a while to figure that out and to understand how those worked, but really, at the end of the day, it's doing a number comparison to make sure that the numbers of the reads and writes and permissions match what the user that's executing the command is doing. Good question. I'm glad that you brought that up, because that's not something that we've discussed here recently, and we should talk about it more.
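An added example from the editor, not code from the speaker or from any of the images mentioned, that puts the points above into one Dockerfile: COPY --chown at build time, and an entrypoint that fixes ownership of a runtime volume while it is still root and then uses gosu to drop to a numeric UID/GID, so the "script can't get back to root" problem does not arise. The base image tag, the /app paths, the Debian gosu package, the APP_UID/APP_GID variables and the BuildKit heredoc syntax are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
FROM node:20-bookworm-slim

# gosu lets the entrypoint start as root, fix ownership, then drop
# to an unprivileged user for the real process (sudo is the wrong tool here).
RUN apt-get update && apt-get install -y --no-install-recommends gosu \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Build time: --chown sets ownership during the copy, so no extra
# RUN chown layer (and no duplicated layer data) is needed. Numeric IDs
# are used on purpose: the official node image creates user "node" as
# 1000:1000, and only the numbers are compared when the host or another
# container touches these files.
COPY --chown=1000:1000 . .

# Runtime: the uploads directory is a volume or bind mount, so its
# ownership is only known when the container starts; the entrypoint fixes it.
COPY <<'EOF' /usr/local/bin/entrypoint.sh
#!/bin/sh
set -eu
APP_UID="${APP_UID:-1000}"   # assumed env vars; override to match host files
APP_GID="${APP_GID:-1000}"
UPLOADS=/app/uploads
if [ "$(id -u)" = "0" ]; then
    mkdir -p "$UPLOADS"
    # Only chown when needed (a recursive chown on a big volume is slow),
    # and keep the mode tight instead of the tempting "chmod -R a+w".
    if [ "$(stat -c '%u:%g' "$UPLOADS")" != "$APP_UID:$APP_GID" ]; then
        chown -R "$APP_UID:$APP_GID" "$UPLOADS"
    fi
    chmod 0750 "$UPLOADS"
    # Drop privileges by numeric ID; no matching /etc/passwd entry is required.
    exec gosu "$APP_UID:$APP_GID" "$@"
fi
# Already non-root (e.g. started with docker run --user): just run the app.
exec "$@"
EOF
RUN chmod 0755 /usr/local/bin/entrypoint.sh

# No USER instruction on purpose: the entrypoint needs root for the chown,
# then hands off to 1000:1000 before the application starts.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["node", "server.js"]
```

Setting APP_UID/APP_GID to the numeric owner of the host directory (`stat -c '%u:%g' ./uploads`) is what makes the bind-mounted files line up, whether or not a user with that ID exists on either side.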