Hi everyone, I’ll get straight to the point.
I created the files root and normal-user.
Here is the root file content
FROM ubuntu:latest
CMD ["touch", "/data/root-file"]
Here is the normal-user file content
FROM ubuntu:latest
RUN groupadd \
-g 1234 \
devel \
&& useradd \
-m \
-s /bin/bash \
-u 1234 \
-g devel \
devel
USER devel
CMD ["touch", "/data/normal-user-file"]
Note that, in the normal-user file, devel was created and set as the default user.
So I created the data directory
+ mkdir /tmp/data-0020241206
+ ls -ld /tmp/data-0020241206
drwxrwxr-x 2 abc abc 4096 dic 6 09:54 /tmp/data-0020241206
I don’t know if this is relevant, but as you may have noticed, that directory has “abc” (as user and as group).
Everything is OK, so let’s do some tests
+ docker build -t test -f root .
+ docker run -v /tmp/data-0020241206:/data --rm test
+ ls -l /tmp/data-0020241206/root-file
-rw-r--r-- 1 root root 0 dic 6 10:03 /tmp/data-0020241206/root-file
mmmhhh…
Apparently everything is ok, but as you may have noticed, the “root-file” has “root” (as user and as group).
For many people, this is not a good thing, because it can undermine, above all, security (I won’t go into detail).
So I tried this other approach (instead of the “root” dockerfile, the “normal-user” dockerfile will be used)
+ docker build -t test -f normal-user .
+ docker run -v /tmp/data-0020241206:/data --rm test
touch: cannot touch '/data/normal-user-file': Permission denied
As you can see, there is a problem.
Surely this is due to the fact that user and group (abc and devel) are different.
How can this be solved?
Maybe you need to map permissions… map volumes… or?
In practice, how can you give two or more users access to the same directory?
In practice, I would like the devel user (from inside docker) to be able to create /data/normal-user-file without any problems, and the abc user (from outside docker) to be able to access the file /tmp/data-0020241206/normal-user-file (even read-only).
Yes, read-only: that’s exactly what I want (for personal security reasons).
In a corporate environment, what is the most conventional practice?
RECAP
/data/: read and write for both users
/data/normal-user-file: write (reading permission is not mandatory, I don't care...) for devel, read for abc
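The "Permission denied" in the post comes down to numeric IDs: a bind mount does no ownership translation, so the kernel only compares the container process's UID/GID (1234/1234) with the directory's owner and mode (abc:abc, 775). devel is neither the owner nor in the group, so it only gets the "other" bits (r-x) and cannot create a file. One common fix is to give the container user the same numeric IDs as the host account that owns the directory. The Dockerfile below is an added example, not the poster's file; it keeps the poster's groupadd/useradd layout and the devel name, but the `UID`/`GID` build-argument names are assumptions.

```dockerfile
# Added example: parameterise the container user's numeric IDs so they
# match the host account that owns the bind-mounted directory.
FROM ubuntu:latest

# Build-time overrides; the defaults keep the poster's original 1234.
ARG UID=1234
ARG GID=1234

RUN groupadd \
        -g "${GID}" \
        devel \
    && useradd \
        -m \
        -s /bin/bash \
        -u "${UID}" \
        -g devel \
        devel

USER devel
CMD ["touch", "/data/normal-user-file"]

# Build with the host user's IDs so that a file created as devel inside the
# container shows up on the host as owned by that same numeric ID (abc):
#   docker build -t test -f normal-user \
#       --build-arg UID="$(id -u)" --build-arg GID="$(id -g)" .
#   docker run -v /tmp/data-0020241206:/data --rm test
#   ls -l /tmp/data-0020241206/normal-user-file
```

With matching IDs the created file is owned by abc on the host, so abc can read it (and also write it, which satisfies the RECAP's "read for abc" but is not strictly read-only). If abc must really be read-only, keep the distinct UIDs instead and grant devel access through the directory's group: on the host, `chgrp 1234 /tmp/data-0020241206 && chmod g+w /tmp/data-0020241206` (needs root or membership in that group). devel can then create files via the group write bit, and with the default umask 022 the file comes out as `-rw-r--r-- devel devel`, which abc can only read. Either way, the check is the same as in the post: `ls -ln` on the host shows the numeric owner, and that number is what the container user's UID has to match or be granted access to.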