feat(permissions): ✨ Start a simple file system permissions …

05_root_user/README.md

@@ -7,7 +7,8 @@ TODO:
 * try and nsenter into the host
 * try and list all the host processes from inside the container.
 
-Refer to [../13_users_and_permissions/README.md](../13_users_and_permissions/README.md) for more examples.  
+REF: [13_users_and_permissions/README.md](../13_users_and_permissions/README.md)  
+REF: [chrisguest75/sysadmin_examples/10_file_permissions/README.md](https://github.com/chrisguest75/sysadmin_examples/blob/master/10_file_permissions/README.md)
 
 ## 📋 Script to follow
 

13_users_and_permissions/README.md

@@ -2,7 +2,8 @@
 
 Demonstrates how users work within a container.  
 
-Refer to [../05_root_user/README.md](../05_root_user/README.md) for more examples.  
+REF: [05_root_user/README.md](../05_root_user/README.md)  
+REF: [chrisguest75/sysadmin_examples/10_file_permissions/README.md](https://github.com/chrisguest75/sysadmin_examples/blob/master/10_file_permissions/README.md)
 
 ## 🏠 Script to follow
 

A6_filesystem_permissions/.gitignore

@@ -0,0 +1 @@
+mount

A6_filesystem_permissions/Dockerfile.bindmount

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1.11.0
+FROM ubuntu:24.10 AS base
+
+#### ROOT
+USER root
+
+ARG USERID=10000
+ARG GROUPID=10000
+ARG APPUSER=appuser
+RUN groupadd --system --gid $GROUPID appuser
+RUN useradd --system --uid $USERID --gid $GROUPID $APPUSER
+
+WORKDIR /scratch/root
+
+COPY --chmod=750 <<EOF /scratch/root/test.sh
+#!/usr/bin/env bash
+echo "Hello bindmount from test.sh"
+EOF
+
+WORKDIR /scratch/appuser
+
+COPY --chmod=750 <<EOF /scratch/appuser/testroot.sh
+#!/usr/bin/env bash
+echo "Hello bindmount from testroot.sh"
+EOF
+
+COPY --chmod=755 <<EOF /bin/copy.sh
+#!/usr/bin/env bash
+echo $(whoami)
+id 
+cat /etc/group
+cp /scratch/root/test.sh /mnt/writable/root_test.sh
+cp /scratch/appuser/test.sh /mnt/writable/appuser_test.sh
+
+ls -l /mnt/writable/
+EOF
+
+USER appuser
+
+# copy with ownership
+COPY --chmod=755 --chown=appuser:appuser <<EOF /scratch/appuser/testuser.sh
+#!/usr/bin/env bash
+echo "Hello bindmount from testuser.sh"
+EOF
+
+CMD ["bash"]

A6_filesystem_permissions/Dockerfile.volumemount

@@ -0,0 +1,46 @@
+# syntax=docker/dockerfile:1.11.0
+FROM ubuntu:24.10 AS base
+
+#### ROOT
+USER root
+
+ARG USERID=10000
+ARG GROUPID=10000
+ARG APPUSER=appuser
+RUN groupadd --system --gid $GROUPID appuser
+RUN useradd --system --uid $USERID --gid $GROUPID $APPUSER
+
+WORKDIR /scratch/root
+
+COPY --chmod=750 <<EOF /scratch/root/test.sh
+#!/usr/bin/env bash
+echo "Hello volumemount from test.sh"
+EOF
+
+WORKDIR /scratch/appuser
+
+COPY --chmod=750 <<EOF /scratch/appuser/testroot.sh
+#!/usr/bin/env bash
+echo "Hello volumemount from testroot.sh"
+EOF
+
+# COPY --chmod=755 <<EOF /bin/copy.sh
+# #!/usr/bin/env bash
+# echo $(whoami)
+# id 
+# cat /etc/group
+# cp /scratch/root/test.sh /mnt/writable/root_test.sh
+# cp /scratch/appuser/test.sh /mnt/writable/appuser_test.sh
+
+# ls -l /mnt/writable/
+# EOF
+
+# USER appuser
+
+# # copy with ownership
+# COPY --chmod=755 --chown=appuser:appuser <<EOF /scratch/appuser/testuser.sh
+# #!/usr/bin/env bash
+# echo "Hello from testuser.sh"
+# EOF
+
+CMD ["bash"]

A6_filesystem_permissions/README.md

@@ -0,0 +1,88 @@
+# FILESYSTEM PERMISSIONS
+
+Work with filepermissions.  
+
+REF: [05_root_user/README.md](../05_root_user/README.md)  
+REF: [13_users_and_permissions/README.md](../13_users_and_permissions/README.md)  
+REF: [chrisguest75/sysadmin_examples/10_file_permissions/README.md](https://github.com/chrisguest75/sysadmin_examples/blob/master/10_file_permissions/README.md)
+
+## Contents
+
+- [FILESYSTEM PERMISSIONS](#filesystem-permissions)
+  - [Contents](#contents)
+  - [Test](#test)
+  - [Volume](#volume)
+  - [Resources](#resources)
+
+TODO:
+
+* Installing and copying as root then accessing as normal user
+* Copying files to bindmounts and how it impacts owners etc
+* New volumes as a non root user seem to prevent writing.
+
+NOTES:
+
+* Docker recommends using the `--mount` syntax instead of `-v`
+* When docker creates a file or folder inside a container for mounts it creates them with root ownership. You can use `--chown user:group`  
+
+## Test
+
+Test readable and writeable file mounts.  Also test different types of file permissions for file created in the docker build.  
+
+```sh
+# start with bindmounts
+just start bindmount
+
+# CONTAINER TERMINAL
+ll -l
+
+whoami
+id
+
+./testuser.sh 
+./testroot.sh 
+
+ls /mnt/readonly/
+
+echo "test" > /mnt/readonly/test.txt
+echo "test" > /mnt/writable/test.txt
+
+ls -l /mnt/readonly
+ls -l /mnt/writable
+
+/bin/copy.sh
+
+ls -l /mnt/writable/
+```
+
+## Volume
+
+Create and attach volumes to containers.  
+
+```sh
+# start with volume
+just start_volume 
+
+# CONTAINER TERMINAL
+whoami
+
+# permissions don't work
+echo "test" > /mnt/readonly_volume/test.txt
+echo "test" > /mnt/writable_volume/test.txt
+
+ls -l /mnt
+ls -l /mnt/readonly_volume
+ls -l /mnt/writable_volume
+```
+
+Cleanup the volumes.  
+
+```sh
+just clean_volume 
+```
+
+## Resources
+
+* Sharing local files with containers [here](https://docs.docker.com/get-started/docker-concepts/running-containers/sharing-local-files)
+* Docker Volumes [here](https://docs.docker.com/engine/storage/volumes/)
+* Really good breakdown of meaning of permissions [here](https://mason.gmu.edu/~montecin/UNIXpermiss.htm)  

A6_filesystem_permissions/justfile

@@ -0,0 +1,40 @@
+#!/usr/bin/env just --justfile
+# ^ A shebang isn't required, but allows a justfile to be executed
+#   like a script, with `./justfile test`, for example.
+
+set dotenv-load := true
+
+# default lists actions
+default:
+  @just -f justfile --list
+
+
+build dockerfile="bindmount":
+  #!/usr/bin/env bash
+  set -eufo pipefail
+  docker build -f Dockerfile.{{ dockerfile }} -t filesystempermissions . 
+
+start dockerfile="bindmount": (build dockerfile)
+  #!/usr/bin/env bash
+  set -eufo pipefail  
+  mkdir -p ./mount/readonly
+  mkdir -p ./mount/writable
+  docker run -it --rm --mount type=bind,source=./mount/readonly,target=/mnt/readonly,readonly --mount type=bind,source=./mount/writable,target=/mnt/writable --name filesystempermissions filesystempermissions
+
+start_volume dockerfile="volumemount": (build dockerfile)
+  #!/usr/bin/env bash
+  set -eufo pipefail  
+  # Create a volume (can be called twice)
+  docker volume create filesystempermissions_readonly_volume
+  docker volume create filesystempermissions_writeable_volume
+  docker run -it --rm --mount type=volume,source=filesystempermissions_readonly_volume,target=/mnt/readonly_volume,readonly --mount type=volume,source=filesystempermissions_writeable_volume,target=/mnt/writable_volume filesystempermissions
+
+clean_volume:
+  #!/usr/bin/env bash
+  set -eufo pipefail
+  docker volume rm filesystempermissions_readonly_volume
+  docker volume rm filesystempermissions_writeable_volume
+
+
+dive:
+  dive filesystempermissions