VS Code log into container as specific user - docker

I built a Debian 10 sandbox container where I could play with my code bases. I added a user to maintain a permission wall between sudo commands typed too quickly with
USER ELDUDE
in the Dockerfile. However, when I build the container with that user as default login option VS Code fails to connect to the container with
Error: stream ended with:124 but wanted 1128865906
This is the initial error that brought me down this path.
If I do not specify the default user in the Dockerfile I can connect fine but VSCode server in the container runs as root. Now, that becomes a mess with file permissions etc if I start working on stuff.
Any idea what is going on? Can I set user names when I log into a container?
I also thought of enabling SSH on the container and connect through VS SSH but that failed thus far...

Related

Meteor build refresh after file change saving drops an EACCES error in a docker container

SUMMARY
First of all I run my Meteor web app using docker-compose with docker-compose -f docker-file.dev.yml up -d --build. Everything works fine for the first build. The app is reachable on my browser via localhost.
Then I have an EACESS error while I use my code editor (vscode) to edit some .jsx files, this runs the build refresh, then, the application, running in a docker container crashes. It means I have a permission error.
But, when I save an updated file, this is done with my current (windows) user into VSCode, anyway, the app is run by "meteoruser" user defined in the docker-compose.dev.yml file below.
So what is the problem with this configuration, it worked well on a previous computer running ubuntu 16.04. Is windows the problem?
If I check docker logs I have this output :
If I rerun docker-compose build command, then everything is fine, the files are updated and the app is running. But I can't work like that and rerun this command every time I make a file change.
What I expect is a build refresh working without dropping an EACCESS error.
Additionnal informations about my project
This is a React project within Meteor framework in a container, using mongodb container within an nginx proxy in a container as well.
Project scaffold:
docker-compose file
docker file (.dev)
nb: as you can see, I create an user in the container, then I run the app into the container with this user. This is needed to ensure not running locally the app as root user.
WHAT I HAVE TRIED
Delete the .meteor folder and rebuild locally with meteor run to ensure my current windows user has the rights for the meteor app build folder. It do not work.
Remove the usage of meteoruser in the dockerfile, this does not work and instead drop an error, because meteor do not allow running app in a dev environment with root user, because it could lead to permission errors later in production..
Thanks in advance for your help!

Can I change the date and time in a Windows Docker Container?

I am trying to test a software that exports a file in certain periods of time.
I thought of using a docker container to give the desired time and not use system time.
The thing is that I am lacking permissions to change the containers time with the following error message.
PS C:\usr\src\app> Set-Date -Date (Get-Date).AddDays(3)
Set-Date : A required privilege is not held by the client
At line:1 char:1
Is it possible to do on a windows docker container?
My base image is mcr.microsoft.com/dotnet/framework/sdk:4.8-windowsservercore-ltsc2019
Thank you in advance!
What I suspect you are running into here, is that recent windows container versions now set the user as a normal user, not an admin, so when the container is running your user context does not have permission to modify the system date.
You should be able to get around this, by modifying your Dockerfile, to tell it to use the admin user instead like so:
USER ContainerAdministrator
Keep in mind of course, that this does increase the security risks, as now all processes are run as admin, but if you are only using the container locally (not running a web server or anything) you should be fine.

Docker - Cannot start or stop container groups through Docker Dashboard

I am new to Docker and have been running the Example Voting App (suggested by the getting-started guide).
I have encountered an issue where i can start and stop each individual container within the desktop dashboard, but no start or stop command is passed when i start or stop the containers as a group. I get no logs and no other helpful information as to why this is happening.
I can start and stop the containers as a group from command line by simply navigating to the repository folder and calling docker-compose start/stop, but i'd like the functionality to be able to do it from the desktop dashboard.
Some other things that I have encountered that may* relate to the issue:
I encountered issues with the dashboard GUI not properly displaying when containers were deleted.
I had to enable file sharing on my C Drive to even be able 'import' half of the repository files. This was not listed as something that
you needed to do on the getting-started guide so im assuming it
shouldnt actually be a necessary thing to do.
= Windows 10 =

How to see the logs of an application inside a docker?

If I am creating a docker image for one of my applications and publishing it in docker hub.
This image was downloaded by many users and ran that application in their containers and that generated application logs in a folder.
Now as a developer how can I see those application logs from my machine when that container is in remote computer for which I dont have access?
If it is a virtual machine, I can do ssh to that same machine and go to that folder anse see the logs for that particular application, so how it is possible with docker?
I am not talking about docker event logs, the logs generated by my python application with the logging module. Could you please help me on how to handle this case in dockers.
I don't have any experience with working on dockers.
docker exec can be used to run bash commands in a docker container. But in your case the containers are running in a remote machine and not in your local machine. So, in that case, you have 2 options.
1. ssh into the remote machine and then use docker exec command to check the logs.
2. Directly ssh to the docker container.
But, in both scenarios, you will need SSH access to the remote machines from the end users.
I hope this helps.
If your application writes log files to the container filesystem, this is one of a couple of good uses for Docker bind mounts. If the operator (the person running the container; not you, the original software author) starts the container with
docker run -v $PWD/logs:/app/logs ... you/yourimage
then they will be able to read the log files directly on their host system.
As the original application developer, you have no access to these logs. This is the same as every other (non-SaaS) application: the end user installs software on their system and runs it, but it's on a system you can't log into, so you can't directly see things like log files. The techniques for dealing with this are the same as anything else: when a user files a bug report make sure they provide a sufficient reproduction, log files, and relevant configuration, and reproduce the issue yourself locally.

How to prevent root of the host OS from accessing content inside a container?

We are new to container technology and are currently evaluating whether it can be used in our new project. One of our key requirements is data security of multi-tenants. i.e. each container contains data that is owned by a particular tenant only. Even we, the server admin of the host servers, should NOT be able to access the content inside a container.
By some googling, we know that root of the host OS can execute command inside a container, for example, by the "docker execute" command. I suppose the command is executed with root privileges?
How to get into a docker container?
We wonder if such kinds of access (not just "docker execute", but also any method to access a container's content by server admin of the host servers) can be blocked/disabled by some security configurations?
For the bash command specifically,
Add the exit command in the end of the .bashrc file. So the user logs in and finally gets kicked out.
You can go through this link for the better understanding of why it is not implemented by default
https://github.com/moby/moby/issues/8664

Resources