# WORKDIR and USER

Most Dockerfile instructions affect the file system. However, the WORKDIR and USER change the behavior of subsequent Dockerfile instructions. Let's see if you have a grasp on how these new instructions change the behavior of other instructions.

### Possible Answers

    After using `WORKDIR` in our Dockerfile, no instructions after `WORKDIR` can use any other path than the one we set with `WORKDIR`, until the workdir is changed again.


    `WORKDIR` allows us to change the path in which the command of the `CMD` instruction is run.{Answer}


    After using `USER` in our Dockerfile, no instructions after `USER` can use any other user than the one we set with `USER`, until the user is changed again.{Answer}


    `USER` allows us to change the user with which the command of the `CMD` instruction is run.{Answer}

In [None]:
# exercise 01

"""
Setting the user

You've finished the python code for the pipeline you were building and have gotten all the feedback you need from colleagues. To make your pipeline Docker image more foolproof, you want to set the user to repl before the project files are copied into the image. We've already added the RUN instruction to create a repl user for you.
"""

# Instructions

"""

    Using the terminal, open the Dockerfile in your current working directory and edit the third line to set the user to repl.

"""

# solution

nano Dockerfile

"""
FROM ununtu:22.04
RUN useradd -m repl
USER repl
RUN mkdir /home/repl/projects/pipeline_final
COPY /home/repl/project /home/repl/projects/pipeline_final
"""

#----------------------------------#

# Conclusion

"""
Good job! Changing users makes sure applications don't have more access than they should.
"""

'/home/nero/Documents/Estudos/DataCamp'

In [1]:
# exercise 02

"""
Setting the working directory

Putting the finishing touches to your pipeline Docker image, you want to make it clear that all pipeline project files in your images will be in the repl users' home directory by setting the working directory to /home/repl.
"""

# Instructions

"""

    Using the terminal, open the Dockerfile in your current working directory and edit the fourth line to make all next instructions run in /home/repl.

"""

# solution

"WORKDIR /home/repl"

#----------------------------------#

# Conclusion

"""
Well done! In small Dockerfiles like this, it might seem overly complicated to set the working directory. However, in real-world scenarios, Dockerfiles quickly become tens of lines long, making the WORKDIR instruction much more useful.
"""

'\n\n'

# Understanding ARG and ENV

Let's make sure you understand the difference between the ENV and ARG Dockerfile instructions before we start using them in our Dockerfiles. Select all the correct statements below.

### Possible Answers

    Variables set in a Dockerfile using the ARG instruction are not accessible after the image is built. This means it is safe to use ARG to store secrets in a Dockerfile.


    Variables set using ENV can be used in containers starting from your image, making it a good way to set configuration using a runtime.{Answer}


    It is possible to override variables set with ARG during the build, allowing us to configure images at build-time.{Answer}


    Every user starting a container from our image can select a different value for any ENV variables we set in our image.{Answer}

In [2]:
# exercise 03

"""
Overriding ARG in a build

The ARG Dockerfile instruction allows us to set a variable in a Dockerfile and then optionally override it when building an image. We've added a Dockerfile to your current working directory with the following instructions:

FROM ubuntu
ARG WELCOME_TEXT=Hello!
RUN echo $WELCOME_TEXT
CMD echo $WELCOME_TEXT

The Dockerfile adds an ARG named WELCOME_TEXT, which is then printed during the build. The same text is printed when a container is started from the image.
"""

# Instructions

"""

    Using the terminal, enter the command to build the Dockerfile and set the WELCOME_TEXT variable to Welcome!.

"""

# solution

docker build --build-arg WELCOME_TEXT=Welcome! .

#----------------------------------#

# Conclusion

"""
Nice build! Surprinsingly if you now run the image you just created, nothing will be printed! Even though the CMD instruction is set to echo the welcome_text, ARG variables are not available when an image is run.
"""

'\n\n'

In [3]:
# exercise 04

"""
Changing behavior when starting a container

Let's see how the ENV Dockerfile instruction works in practice. We've added a Dockerfile to your current working directory with the following instructions:

FROM ubuntu:22.04
ENV NAME=Tim
CMD echo "Hello, my name is $NAME"

The Dockerfile will print a personalized message, Hello, my name is Tim, on startup. Let's see how we can change this personalized message even after building an image from the Dockerfile.
"""

# Instructions

"""

    Before we can start a container, we need to build the image from the Dockerfile. Build the Dockerfile in your local working directory giving it the name hello_image.
---
    Now that we've built the image, we can start a container from it. Start a container from the hello_image image you just made, but use a flag on the command to set the NAME ENV variable to your name.

"""

# solution

docker build -t hello_image .

#----------------------------------#

docker run --env NAME=GG hello_image

#----------------------------------#

# Conclusion

"""
Well done! The ENV Dockerfile instruction allows you to set default values which can then be overridden by whoever starts a container, allowing you to build a lot of flexibility into your images!
"""

'\n\n'

# Security best practices

We went over several best practices for using and creating Docker images more securely. Applying these best practices from the start when creating images and working with Docker in general is the best way to make sure your work is secure. Let's see if you were able to internalize everything.

### Possible Answers

    Using a container is a good way to run an executable or open an archive from an untrusted source because you greatly decrease the chance of a malicious actor accessing your computer.{Answer}


    If I don't follow all security precautions, I might as well not follow any.


    Because of isolation between a container and the host OS, nothing in the container can ever affect the host environment.


    There is no safer application than one we haven't installed.{Answer}


    When creating an image ourselves, we can increase the security by changing the Linux user to something other than the root user.{Answer}

In [4]:
# exercise 05

"""
Keeping packages up-to-date

Keeping Docker images up-to-date makes them more secure because applications might have released security updates since the image was released. This means even when using an image from a trusted source, we should update all the software on the image before using it in a production environment.

Exactly how you can update all software on an image depends on the image and its operating system. Let's learn how to update all packages on Ubuntu using the apt-get package.

    First, start a container from the ubuntu image while setting the correct flag to get an interactive session in the container.
    In the Ubuntu container, run apt-get update to make the apt-get package manager check if any updates are available for any packages.
    Run apt-get upgrade to upgrade all installed packages.

Before confirming the upgrade, you'll be able to see the various reasons the package will be changed. What are the reasons?
"""

# Instructions

"""
Possible answers:
    
    update, new install, remove, and no update.
    
    upgraded, newly installed, and to remove.
    
    upgraded, newly installed, to remove, and not upgraded.{Answer}
    
    updated, new installed, and no update.
"""

# solution



#----------------------------------#

# Conclusion

"""
That's correct! After upgrading your images it's always a good idea to make sure all your code or applications are still working as expected.
"""

'\n\n'

In [5]:
# exercise 06

"""
Be safe, don't use root

Not giving access to the root user in your images makes images more foolproof, as users only have access to what's relevant to the use case you intended for the image. Additionally, it is one of the best options to increase their security. We've built an image for you from the following Dockerfile, which tries to install python3 as soon as you start it.

FROM ubuntu
RUN useradd -m repl
USER repl
CMD apt-get install python3

Let's see what happens if we try to install python3 at startup as the repl user.
"""

# Instructions

"""

    Use docker to run the repl_try_install image.

"""

# solution



#----------------------------------#

# Conclusion

"""
As you can see from the output of the run command, the repl user isn't allowed to install new software! All it took was changing the user to make our image considerably more secure.
"""

'\n\n'