Node Server II: With A Container User
Build An Image To Run As A Specific User
DON'T RUN CONTAINERS LIKE THIS AS THE ROOT USER OF THE CONTAINER: principle of least-power.
dockerfile
FROM node:18
# THIS!
USER node
WORKDIR /home/node/code
COPY --chown=node:node index.js index.js
CMD ["node", "index.js"]
NOTE:
- on line 3, the Dockerfile tells docker to CREATE a user called node, in a usergroup called node
- with the user as node, the container is run as that user
- The order matters: if the USER row was BELOW the COPY command, the copy command would fail
- --chown=node:node changes who OWNS the index file to be the node user
- workdir: a path to the 'working' directory in the container, which gets created if not existing already
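As an added example (not part of the original page), this Node script checks which user the final stage of a Dockerfile runs as and lists the COPY/ADD lines that leave files owned by root. The function name `auditDockerfile` and the sample Dockerfiles are made up for illustration, and it assumes a base image with no USER of its own runs as root, as node:18 does.

```javascript
// Added example: audit which user the final stage of a Dockerfile runs as.
function auditDockerfile(text) {
  let user = null;          // null = inherited from the base image
  let rootOwnedCopies = []; // COPY/ADD lines without --chown in the final stage
  const lines = text
    .replace(/\\\r?\n/g, ' ')                // join backslash continuations
    .split(/\r?\n/)
    .map((l) => l.trim())
    .filter((l) => l && !l.startsWith('#')); // drop blank lines and comments
  for (const line of lines) {
    const [instr, ...args] = line.split(/\s+/);
    switch (instr.toUpperCase()) {
      case 'FROM': // every build stage starts over from its base image's user
        user = null;
        rootOwnedCopies = [];
        break;
      case 'USER': // the last USER in a stage wins; accepts name, uid or name:group
        user = args[0] || null;
        break;
      case 'COPY':
      case 'ADD':
        // Copied files are owned by UID/GID 0 unless --chown is given.
        if (!args.some((a) => a.startsWith('--chown='))) rootOwnedCopies.push(line);
        break;
    }
  }
  // Assumption: a base image that sets no USER runs as root (true for node:18).
  const name = user === null ? 'root' : user.split(':')[0];
  return { user, runsAsRoot: name === 'root' || name === '0', rootOwnedCopies };
}

// Constructed sample inputs.
const pageDockerfile = [
  'FROM node:18',
  'USER node',
  'WORKDIR /home/node/code',
  'COPY --chown=node:node index.js index.js',
  'CMD ["node", "index.js"]',
].join('\n');
const multiStage = [
  'FROM node:18 AS build',
  'USER node',
  'COPY index.js index.js',
  'FROM node:18',
  'COPY --from=build /home/node/index.js index.js',
].join('\n');
console.log(auditDockerfile(pageDockerfile));
console.log(auditDockerfile(multiStage));
```

The multi-stage sample shows the case that is easy to miss: a USER set in an earlier stage does not carry into the final stage, so that image still runs as root.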
index.js
Perhaps a review of the node server:
const http = require('http');

// Answer every request with a fixed body and log that it arrived.
http.createServer((req, res) => {
  console.log('request received!');
  res.end('omg...');
}).listen(3000);

console.log('...server started');
build the container
docker build -t node-box-with-user .
run the container, see whoami
docker run --init --rm --publish 3000:3000 node-box-with-user whoami
... should print node as the node user is the user being used
run the container, see new directory path
docker run --init --rm --publish 3000:3000 node-box-with-user pwd
... should output /home/node/code