Docker-node: Shouldn't be running node as root?

Created on 3 Feb 2015 · 4Comments · Source: nodejs/docker-node

Apologies if this is a FAQ, my Google-fu didn't turn up any answers.

Isn't it a bad idea that we're running node as the root user by default? I'm currently crafting Dockerfiles for my company's products and am curious about what the best practice is for this issue.

duplicate

Source

NodeGuy

Most helpful comment

Not really, but thank you for linking to it.

Docker's Best practices for writing Dockerfiles reads, "If a service can run without privileges, use USER to change to a non-root user." I think we should do that it.

I opted to create my own version of the -onbuild Dockerfile:

FROM node:0.10

# Copy steps from -onbuild because we don't want to run as root.

ENV user node
RUN groupadd --system $user && useradd --system --create-home --gid $user $user

COPY . /home/$user/
WORKDIR /home/$user
RUN chown $user --recursive .
USER $user
RUN npm install

CMD [ "npm", "start" ]

NodeGuy on 3 Feb 2015

👍3

All 4 comments

Does https://github.com/joyent/docker-node/issues/1 answer your question?

rmustacc on 3 Feb 2015

Not really, but thank you for linking to it.

Docker's Best practices for writing Dockerfiles reads, "If a service can run without privileges, use USER to change to a non-root user." I think we should do that it.

I opted to create my own version of the -onbuild Dockerfile:

FROM node:0.10

# Copy steps from -onbuild because we don't want to run as root.

ENV user node
RUN groupadd --system $user && useradd --system --create-home --gid $user $user

COPY . /home/$user/
WORKDIR /home/$user
RUN chown $user --recursive .
USER $user
RUN npm install

CMD [ "npm", "start" ]

NodeGuy on 3 Feb 2015

👍3

There's an ongoing discussion about this in #1

For now, creating your own Dockerfile is the way to role if you're concerned about running things as root.