You may want to run your app as a different user with fewer privileges. The USER instruction makes this easy.
By default, all docker commands run
as the root user on the container,
0:00
meaning they have full administrative
privileges over the container.
0:04
This simple Dockerfile allows us to check
this by running a default command of
0:08
whoami, which prints the current user.
0:12
We can build an image from this
with docker build -t temp for
0:15
the current directory.
0:20
And if we then run it
with docker run temp,
0:22
the default command will run and
print root.
0:26
You may want to run your app as
a different user with fewer privileges.
0:31
The USER instruction makes this easy.
0:35
Just insert a line with USER at the start,
0:37
followed by the username you want to use.
0:41
We'll use treehouse.
0:45
The USER instruction won't
create the user for you, so
0:49
you need to ensure that username
already exists on the system.
0:53
One way to do that is to
run the useradd command,
0:57
which we'll just do here in the
Dockerfile, before the USER instruction.
1:00
RUN useradd treehouse.
1:04
Let's build the image again with docker
build -t temp for the current directory.
1:10
If we run it with docker run temp,
1:17
this time,
the whoami command will print treehouse.
1:24
USER instructions change the active
user for entry point, command, and
1:28
RUN instructions that come
later in the Dockerfile.
1:33
We can add a RUN instruction
following the USER instruction
1:36
that redirects the output of
the whoami command to a text file,
1:41
whoami.txt.
1:47
If we try to build that with docker
build -t temp current directory,
1:50
it'll fail, because the treehouse user
doesn't have permission to create files.
1:55
The whole file system is
owned by the root user.
2:02
So let's create a directory
that treehouse owns.
2:06
We'll add a WORKDIR instruction
after the RUN useradd command.
2:09
And we'll set it to /app.
2:16
Then we'll add another RUN instruction
that changes ownership of the /app
2:19
directory to the treehouse user.
2:24
So we'll RUN chown, as in change owner.
2:27
We'll change it to the treehouse user, and
2:32
the file we're going to work
on is the /app directory.
2:35
So this will change the owner of the /app
directory to the treehouse user.
2:40
We need to add this above
the USER instruction, so
2:46
that it still runs as the root user.
2:49
If we try to build the image again,
it should work this time.
2:53
If we list the root directory in the long
2:58
format with docker run temp image ls -l /,
3:03
we'll see the app directory at the top.
3:07
And we'll see its owner
is the treehouse user,
3:12
which is why we're now able
to write a file to it.
3:14
Docker run temp ls -l
/app will show us that
3:18
the whoami.txt file is also
owned by the treehouse user.
3:23
And docker run temp cat whoami.txt,
3:30
shows us that the current user was
treehouse when the text file was written.
3:39
That's it for our tour of the major
Dockerfile instructions.
3:44
If you wanna learn more,
check the teacher's notes for
3:48
links to the official documentation.
3:51
In the next stage, we'll show you some
commands that will help you manage all
3:53
these images and containers we've created.
3:56
See you there.
3:59