Docker containers and user permissions
Hi all,

I've just been experimenting a bit further with the docker containers, and come across something that I've found in the past, which can cause problems on *NIX systems. By default, when you run a docker container, you end up as the root user in the container. That means that when you run a build process, if you save the output to a directory that's actually on your host filesystem, those files and folders may be owned by root, and you'll then have to use sudo to remove them.

What I've done in the past is to use a run command like this:

    docker run --user $(id -u) --name tei -v /home/mholmes/WorkData/tei:/tei -it -e TZ=America/Vancouver teic/teidev-docker

which runs the docker container and logs you in with the same user id that you have on your host system (in my case 1001); that means that when files are saved from a build process, they belong to you. In some cases, you'll end up logged in with a prompt like this:

    I have no name!@e08387ca074c:/tei/

which means that there is no user in the container with the same uuid as your user on the host system, but that doesn't matter; files will be saved under the correct user id, so on your host system they'll belong to you, not to root. (They may have group root, but that doesn't matter if you own them.) This just makes it easier to examine and clean up any products from the build process that remain on your host filesystem. You can actually create a parallel user with the same name and uid as your own in the docker container if you like, but that will get blown away every time you remove the container, of course.

Incidentally, on the issue of vulnerable docker containers, I'm not alone in being worried: https://www.techrepublic.com/article/docker-containers-are-filled-with-vulne...
The assumption that nothing malignant can get into your docker container, and that nothing can escape from it into your host system, is I think flawed: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14271 and in particular, if actions in the container are running as root, I believe you are running a risk. I think it's important that docker containers are regularly updated by their maintainers, but I also do run apt update and apt dist-upgrade or the equivalent as root in the container if it's one I'm keeping around. That does of course risk breaking the container's ability to do the build processes if some software the build is dependent on is updated in an unexpected way, but we want to know that anyway so we can fix it. And updating your container is no different from updating one of the live Jenkins servers, which is something I do with my server religiously every day.

Cheers,
Martin
-- 
------------------------------------------
Martin Holmes
UVic Humanities Computing and Media Centre
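As an added example (not from Martin's mail, and not part of the teic/teidev-docker project), here is a POSIX shell script that builds the run command above with both the host uid and gid, so output files are owned by you and carry your group rather than root, and then audits the bind-mounted host directory for anything the host user does not own; the host directory, image and container name are parameters with placeholder defaults.

```shell
#!/bin/sh
# Added example, not code from the original post.
# 1) docker_run_as_host_user prints the docker invocation from the mail, but
#    passes "--user uid:gid" so files written by the build get the host user's
#    primary group as well as their uid (with uid alone, files get group root).
# 2) find_foreign_files checks a host directory after a build and lists any
#    entries not owned by the current user, i.e. the leftovers that would
#    otherwise need sudo to remove.
# Assumed/placeholder values: the host directory, image name and container
# name are passed in by the caller.

# Usage: docker_run_as_host_user HOST_DIR IMAGE [CONTAINER_NAME]
# Prints the command rather than running it, so it can be inspected or
# eval'd by the caller; the mount point /tei and TZ mirror the original post.
docker_run_as_host_user() {
    host_dir="$1"
    image="$2"
    name="${3:-tei}"
    printf 'docker run --user %s:%s --name %s -v %s:/tei -it -e TZ=America/Vancouver %s\n' \
        "$(id -u)" "$(id -g)" "$name" "$host_dir" "$image"
}

# Usage: find_foreign_files HOST_DIR
# Walks HOST_DIR and prints every path whose owner is not the current uid.
# Returns 0 when everything is owned by the caller, 1 when foreign files
# exist (the situation the mail describes when the container ran as root).
find_foreign_files() {
    dir="$1"
    [ -d "$dir" ] || { printf 'not a directory: %s\n' "$dir" >&2; return 2; }
    found=$(find "$dir" ! -user "$(id -u)" 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'files not owned by uid %s:\n%s\n' "$(id -u)" "$found"
        return 1
    fi
    return 0
}

# Typical flow (run manually; docker is not invoked by this script itself):
#   eval "$(docker_run_as_host_user /home/mholmes/WorkData/tei teic/teidev-docker)"
#   find_foreign_files /home/mholmes/WorkData/tei
```

Run the audit after each build; a non-zero exit means something in the mounted directory was written by a different uid than the one you are logged in with on the host.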