Move notes below the command

Ayaz Salikhov
2022-05-01 16:38:57 +03:00
committed by GitHub
parent 34382068dd
commit 4bce594ca7


@@ -109,20 +109,6 @@ docker rm notebook
## Using the Podman CLI
```{note}
The `podman run` options `--uidmap` and `--gidmap` can be used to map the container user _jovyan_ to the regular user on the host when running rootless Podman.
The same Podman command should not be run with sudo (i.e. running rootful Podman)
because then the mapping would map the container user _jovyan_ to the root user on the host.
It's good security practice to run programs with as few privileges as possible.
```
```{note}
The `podman run` command in the example below, maps all subuids and subgids of the user into the container.
That works fine but is actually more than needed.
The `podman run` option `--userns=auto` will, for instance, not be possible to use as long as there are no unused subuids and subgids available.
The example could be improved by investigating more in detail which UIDs and GIDs need to be available in the container and then only map them.
```
An alternative to using the Docker CLI is to use the Podman CLI. Podman is mostly compatible with Docker.
**Example 4:**
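Review bot: With both admonitions removed from under the `## Using the Podman CLI` heading, nothing ahead of Example 4 tells the reader that the command is meant for rootless Podman and should not be run with sudo. Consider keeping one short sentence to that effect in the intro paragraph that starts "An alternative to using the Docker CLI", so the caveat is seen before the command is copied, and leave the longer explanation for the block below the command.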
@@ -156,6 +142,20 @@ podman run -it --rm -p 10000:8888 \
docker.io/jupyter/r-notebook:6b49f3337709
```
```{warning}
The `podman run` options `--uidmap` and `--gidmap` can be used to map the container user _jovyan_ to the regular user on the host when running rootless Podman.
The same Podman command should not be run with sudo (i.e. running rootful Podman),
because then the mapping would map the container user _jovyan_ to the root user on the host.
It's a good security practice to run programs with as few privileges as possible.
```
```{note}
The `podman run` command in the example above maps all subuids and subgids of the user into the container.
That works fine but is actually more than needed.
The `podman run` option `--userns=auto` will, for instance, not be possible to use as long as there are no unused subuids and subgids available.
The example could be improved by investigating more in detail which UIDs and GIDs need to be available in the container and then only map them.
```
Pressing `Ctrl-C` twice shuts down the notebook server and immediately destroys the Docker container.
New files and changes in `~/work` in the container will be preserved.
Any other changes made in the container will be lost.
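Review bot: The first re-added block is not a pure move: it changes from `{note}` to `{warning}` and its wording is edited (a comma after "(i.e. running rootful Podman)" and "It's a good security practice"), while the commit subject only says "Move notes below the command". Mention the admonition change in the commit message or split it into its own commit so the history explains why the severity was raised. Separately, the trailing context line says that Ctrl-C "immediately destroys the Docker container" although this section is about Podman; "the container" would fit both CLIs.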