Using a non-root user

Let's go back to our youtube-dl application. The application could, in theory, escape the container due to a bug in docker/kernel. To mitigate this security issue we will add a non-root user to our container and run our process with that user. Another option would be to map the root user to a high, non-existing user id on the host with https://docs.docker.com/engine/security/userns-remap/, and can be used in case you must use root within the container.

Our status from the previous part was this:

FROM ubuntu:22.04
ENV LC_ALL=C.UTF-8

RUN apt-get update && apt-get install -y \
  curl python2 \
  && update-alternatives --install /usr/bin/python python /usr/bin/python2 1

RUN curl -L https://github.com/ytdl-org/youtube-dl/releases/download/2021.12.17/youtube-dl -o /usr/local/bin/youtube-dl \
  && chmod a+rx /usr/local/bin/youtube-dl

WORKDIR /app
ENTRYPOINT ["/usr/local/bin/youtube-dl"]

We will add an user "app" with

RUN useradd -m app

And then we change user with the directive USER - so all commands after this line will be executed as our new user, including the WORKDIR and ENTRYPOINT.

FROM ubuntu:22.04
ENV LC_ALL=C.UTF-8

RUN apt-get update && apt-get install -y \
  curl python2 \
  && update-alternatives --install /usr/bin/python python /usr/bin/python2 1

RUN curl -L https://github.com/ytdl-org/youtube-dl/releases/download/2021.12.17/youtube-dl -o /usr/local/bin/youtube-dl \
  && chmod a+rx /usr/local/bin/youtube-dl

RUN useradd -m app

USER app
WORKDIR /app

ENTRYPOINT ["/usr/local/bin/youtube-dl"]

$ docker compose build
$ docker compose run youtube-dl-ubuntu https://imgur.com/JY5tHqr
  [Imgur] JY5tHqr: Downloading webpage
  ERROR: unable to open for writing: [Errno 13] Permission denied: 'Imgur-JY5tHqr.mp4.part'

You have reached the end of this section! Continue to the next section:

2. Development with Docker