Create a Node.js Non-root Image

Joel Lord
InstructorJoel Lord
Share this video with your friends

Social Share Links

Send Tweet
Published 4 years ago
Updated 4 years ago

The containers you built in the previous lessons are running as root for a few reasons. First of all, we read and write files from the file system in order to install tools like jq or to change some configuration files. And second, we are running servers on ports that are restricted to the root user (such as port 80).

While the risks are very limited in your own environment, you will need to have security in mind when you are deploying those containers to a production server. Some hosts will prevent any container where the user is root to be running at all.

From the Dockerfile, we will specify the use that builds the container will be the node user that the node image gives us. To do this we will need to set permissions for the node user to add and modify specific files.

Instructor: [0:00] So far, you've managed to get all your containers running on your local machine. That is great for your development environment. You're almost ready to start sharing those images with your team and to deploy them on a server.

[0:12] While the risks are very limited in your own environment, you will need to have security in mind when you are deploying those containers to a production server. Some hosts will prevent any containers where the user is root to be running at all.

[0:27] The containers you built in the previous lessons are running as root for a few reasons. First of all, we read and write files from the file system in order to install tools like jq or to change some configuration files. Second, we are running servers on ports that are restricted to the root user, such as port 80.

[0:47] You can start by modifying the Dockerfile for the backend service. Because we are using a Node-based image, there is a non-root user available for us to use. This user is called node and it's part of the node group.

[1:04] In the current iteration of your Dockerfile, you start with the node-based image and then switch to a working directory named /app. Docker will create this directory if it doesn't exist and the owner for that directory will be root. In order to give the necessary permissions to user node, you can add a command to manually create this folder and then change the ownership to node.

[1:30] Once the directory is created and the working directory has been changed, you can tell Docker to switch to the node user for the rest of the commands that are executed in the Dockerfile. All the subsequent commands will be running as non-root user called node.

[1:46] The last change that you will need to do is to the copy commands. You will need to ensure that the ownership of the files that you copy from your file system into the container is the node user. You can do so by adding a --chown=node to the copy commands.

[2:09] The image for your backend is now completed. It now has everything necessary to run in any environment and is now more secure as it runs as a non-root user. The code in it will also rely on environment variables to specify things such as API keys or the database host, username, and password.