So I am trying to make my container run as a regular user named “dev”, because I do not like it to run as root by default. I created a group called “devgroup” and a user called “dev”, which has been assigned to that group.
But when I want to create the image from my Dockerfile, I get an error from npm while using docker build (docker build . -t ‘name’), telling me that user “dev” doesn’t have the permission to use “npm install” and the other necessary commands.
As root, everything works, and I can also switch to the user “dev” after running the container.
Does anybody know why?
FROM node
WORKDIR /app
RUN groupadd -r devgroup && useradd -r -g devgroup -m dev
RUN chown -R dev:devgroup /app
USER dev
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 5173
CMD npm run dev
It seems npm requires more rights to install some of your dependencies.
Have you tried setting the user after npm use? Then the final container process would still run under the restricted user.
Hey man, yeah, this approach actually worked, and this is what I turned my Dockerfile into:
FROM node
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN groupadd -r devgroup && useradd -r -g devgroup -m dev
RUN chown -R dev:devgroup /app
EXPOSE 5173
USER dev
CMD npm run dev
Do you think that this is actually a good security practice though? Now the whole /app directory and everything inside of it is owned by “devgroup” and user “dev”. Would it be better to leave the owner to be root and just switch to the “dev” user on container start, and eventually disable root access completely?
I think it’s okay. With the user in the Dockerfile, you don’t forget to set the user during runtime.
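
A variant of the first Dockerfile that keeps `USER dev` ahead of `npm install`, added here as an example and not posted by anyone in the thread. `COPY` creates files owned by UID/GID 0 unless `--chown` is given, so the copied manifests are root-owned even after the build has switched to `dev`; the example reuses the thread's `dev`/`devgroup` names and assumes no later build step needs root.

```dockerfile
# Added example (not from the thread): build and run as the unprivileged user.
FROM node
WORKDIR /app

# Create the account before anything refers to it; -m gives "dev" a home
# directory, which npm uses for its cache and logs (~/.npm).
RUN groupadd -r devgroup && useradd -r -g devgroup -m dev

# WORKDIR created /app as root; hand the (still empty) directory to dev so
# npm can create node_modules inside it.
RUN chown dev:devgroup /app

# Every RUN from here on, and the container process, executes as dev.
USER dev

# Without --chown these files would be root:root despite USER dev, and dev
# could not rewrite package-lock.json during the install.
COPY --chown=dev:devgroup package*.json ./
RUN npm install

# Same for the application source: copy it with dev ownership.
COPY --chown=dev:devgroup . .

EXPOSE 5173
CMD npm run dev
```

Running `docker run --rm <image> id` against the built image should report `dev` rather than `root`, which confirms the default user without starting the application.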