bibendi / dip

The dip is a CLI dev–tool that provides native-like interaction with a Dockerized application.
MIT License

User Level Permissions by Default? #153

Closed erwin closed 8 months ago

erwin commented 2 years ago

I've been using dip for a few weeks in my pursuit of doing Rails development inside of Docker (so that I don't have to install nodejs directly on my host). Mostly it works pretty good - usually a little bit smoother than running docker directly.

I've found that consistently generating files where the UID and GID are my local UID / GID isn't actually very easy though.

On the dip readme, you do point out that:

if you want to use a non-root user you can specify the UID like so:

dip ssh up -u 1000

This is especially helpful if you have something like this in your docker-compose.yml:

services:
  web:
    user: "1000:1000"

I am curious if you would consider a global configuration option to pass the current User ID and Group ID from the logged in user to the Docker environment though, i.e. Process.uid and Process.gid?

For me, ideally each command would be passed the current UID / GID, rather than explicitly setting run_options: ["user=1000"] on every command in dip.yml

Also, if we could grab UID / GID from Process.uid and Process.gid, we wouldn't need to write the uid directly into the YAML file... In the case where you really do want it to run as root maybe pass sudo or doas or similar to the run_options. To me, that would seem much more consistent with *nix in general - user level by default, only as root when explicitly set.

Perhaps I'm just doing this all wrong, and if so, any insight that you can share will be much appreciated.

Ultimately the dip experience is very good. I just wish I could reduce the number of times I run sudo chown... :-)

bibendi commented 2 years ago

Hi @erwin, I'm so sorry for the long response. It looks like I missed your issue.

I like your proposal. It seems we can pass a --user option https://docs.docker.com/engine/reference/commandline/compose_run/

So we can try to implement something like the following:

# dip.yml

interaction:
  cmd:
    service: backend
    command: foo
    run_as_me: true

where run_as_me will be converted into docker compose run --user $(id -u):$(id -g)

We should be careful because I don't have the problem with permissions on Docker for Mac, so maybe we should skip this option.

Update: after writing the text above, I realized that it won't work with dip compose up some-service. I found an interesting post https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15

So, we can add a separate docker-compose.linux.yml https://github.com/bibendi/dip#dip_os with:

services:
  app:
    user: ${DIP_CURRENT_USER}

add it to a dip.yml

compose:
  files:
    - docker-compose.yml
    - docker-compose.${DIP_OS}.yml

and implement DIP_CURRENT_USER here https://github.com/bibendi/dip/blob/f13cd6f0a4fd4828dd3b7d36b74989a09337be96/lib/dip/environment.rb#L53-L57

or you can add it to your ~/.zshrc

# export is required so that dip and docker compose inherit the variable
export DIP_CURRENT_USER="$(id -u):$(id -g)"
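
The two approaches discussed in this thread (a per-command `run_as_me` flag and a `DIP_CURRENT_USER` variable for the compose file), sketched in Ruby as an added example that is not dip's code and not written by either commenter. All method names are hypothetical, and the mapping of `run_options` items to `--item` flags is an assumption.

```ruby
require "rbconfig"

# Added illustration, not dip's code. `run_as_me` and DIP_CURRENT_USER are the
# names proposed in the thread; every method name below is hypothetical.

# "uid:gid" of the invoking user, the same value as $(id -u):$(id -g).
def current_user_spec(uid: Process.uid, gid: Process.gid)
  "#{uid}:#{gid}"
end

# The thread reports no permission problem on Docker for Mac, so the mapping
# is applied on Linux hosts only.
def linux_host?(host_os = RbConfig::CONFIG["host_os"])
  host_os.match?(/linux/i)
end

# Build argv for `docker compose run` from one dip.yml interaction entry.
# Assumption: each run_options item maps to a "--item" flag.
def compose_run_argv(entry, host_os: RbConfig::CONFIG["host_os"],
                     uid: Process.uid, gid: Process.gid)
  flags = Array(entry["run_options"]).map { |opt| "--#{opt}" }
  explicit_user = flags.any? { |f| f == "--user" || f.start_with?("--user=") }
  # An explicit user in run_options wins. uid 0 (e.g. dip started via sudo) is
  # not forwarded: it would recreate the root-owned files the option avoids.
  if entry["run_as_me"] && !explicit_user && linux_host?(host_os) && uid != 0
    flags.push("--user", current_user_spec(uid: uid, gid: gid))
  end
  ["docker", "compose", "run", *flags, entry.fetch("service"),
   *entry["command"].to_s.split]
end

# Compose-file variant: provide DIP_CURRENT_USER for `user: ${DIP_CURRENT_USER}`
# without overriding a value the user already exported.
def with_current_user(env, uid: Process.uid, gid: Process.gid)
  return env if env.key?("DIP_CURRENT_USER")
  env.merge("DIP_CURRENT_USER" => current_user_spec(uid: uid, gid: gid))
end

# Constructed sample entry, mirroring the dip.yml snippet in the comment above.
SAMPLE_ENTRY = { "service" => "backend", "command" => "foo", "run_as_me" => true }.freeze

if __FILE__ == $PROGRAM_NAME
  puts compose_run_argv(SAMPLE_ENTRY).join(" ")
  puts with_current_user(ENV.to_h)["DIP_CURRENT_USER"]
end
```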