How to set umask for Docker container

Problem

Once you run a Docker container using docker run and get a shell inside it, you can set the file creation mode mask there with the umask command of the shell. This is usually 0022 and you can set it to whatever you want. All consecutive operations at the shell and child processes forked from the shell will have with umask.

What if you don’t want to manually type this umask command, but want it set automatically in the container?

Solution

There is no way to do this directly in the Dockerfile. You can have a RUN umask 0002 in the Dockerfile, but that does not have any effect for when you run the container.

One solution is to create a shell script that sets this umask:

$ cat set_umask.sh
#!/bin/bash
umask 0002
/bin/bash

To be able to run this script when the container is run, we first need to make this executable:

$ chmod +x set_umask.sh

Next we add commands to the Dockerfile to copy this into the image and make the script as the entry point:

COPY set_umask.sh set_umask.sh
ENTRYPOINT ["./set_umask.sh"]

Build the container and run it and see your umask already enabled at the shell! 🙂

Advertisements

How to set user of Docker container

Problem

When you run a Docker container using docker run, everything inside the container is executed by the root user and root group. Its UID is 0 and GID is 0. This can sometimes be a problem.

For example, I had mounted a directory from the host filesystem into the Docker container using the --volume option. When root creates a new file or directory in this mounted directory, it appears as owned by the user nobody and group nogroup. This was a problem since I wanted these new files and directories to be created with my username or at least my group.

Solution

You can set what username or group you want to run as inside a container by using the --user option.

  • To run as user joe: --user joe. It is highly unlikely that the username joe exists in the Docker container. So this will likely fail unless you have added Dockerfile commands to make this so.

  • Instead, set the UID: --user 1005. Docker will warn that the UID does not have a corresponding username inside the container, but it will work. Files created on the mounted directory will have the UID 1005. There is a problem: many programs inside the container may not run if root is not running it. For example, you may find that you cannot create files or directories inside the container without being root.

  • Another option is to set the group or GID: --user :1005. Notice the colon. Files created on mounted volumes will have the group GID you set. This solution worked to solve my problem.

  • You can set both UID and GID too: --user 1005:9999

Tried with: Ubuntu 16.04