USER Instructions
4:00 with Jay McGavren
You may want to run your app as a different user with fewer privileges. The USER instruction makes this easy.
0:00 By default, all docker commands run as the root user on the container, meaning they have full administrative privileges over the container. This simple Dockerfile allows us to check this by running a default command of whoami, which prints the current user. We can build an image from this with docker build -t temp for the current directory. And if we then run it with docker run temp, the default command will run and print root.

0:31 You may want to run your app as a different user with fewer privileges. The USER instruction makes this easy. Just insert a line with USER at the start, followed by the username you want to use. We'll use treehouse.

0:49 The USER instruction won't create the user for you, so you need to ensure that username already exists on the system. One way to do that is to run the useradd command, which we'll just do here in the Dockerfile, before the USER instruction. RUN useradd treehouse. Let's build the image again with docker build -t temp for the current directory. If we run it with docker run temp, this time, the whoami command will print treehouse.

1:28 USER instructions change the active user for entry point, command, and run instructions that come later in the Dockerfile. We can add a RUN instruction following the USER instruction that redirects the output of the whoami command to a text file, whoami.txt. If we try to build that with docker build -t temp current directory, it'll fail, because the treehouse user doesn't have permission to create files. The whole file system is owned by the root user.

2:06 So let's create a directory that treehouse owns. We'll add a WORKDIR instruction after the RUN useradd command. And we'll set it to /app. Then we'll add another RUN instruction that changes ownership of the /app directory to the treehouse user. So we'll RUN chown, as in change owner. We'll change it to the treehouse user, and the file we're going to work on is the /app directory. So this will change the owner of the /app directory to the treehouse user. We need to add this above the USER instruction, so that it still runs as the root user.

2:53 If we try to build the image again, it should work this time. If we list the root directory in the long format with docker run temp image ls -l /, we'll see the app directory at the top. And we'll see its owner is the treehouse user, which is why we're now able to write a file to it. docker run temp ls -l /app will show us that the whoami.txt file is also owned by the treehouse user. And docker run temp cat whoami.txt shows us that the current user was treehouse when the text file was written.

3:44 That's it for our tour of the major Dockerfile instructions. If you wanna learn more, check the teacher's notes for links to the official documentation. In the next stage, we'll show you some commands that will help you manage all these images and containers we've created. See you there.