docker-node
docker-node copied to clipboard
nodejs
node user has no write permissions on host bind-mount volume
Environment
- Platform: Ubuntu LTS (5.15.0-87-generic)
- Docker Version: Community 24.0.6
- Node.js Version: node:lts-slim
- Image Tag: latest
Expected Behavior
My docker nodeJs app has is started, inside a Dockerfile, with node user that should write Winston logs to file on host bind-mount volume
Current Behavior
The logs folder stays empty without no log file inside, same on host or inside the container
Possible Solution
I have looked all possible issues solutions and the official docker Doc. but in vain : creating special user with same uid:gid as host's one, giving folder permissions other than root one in Dockerfile... Only the data volume container remains to be investigated, but never experienced such way.
Steps to Reproduce
Run the docker app with integration Compose file (integ target) : docker compose -f compose.integ.yml up --build --force-recreate
Then, send a Postman POST request on http://0.0.0.0:8000/log URL to trigger the node app logger => logs only written if Dockerfile USER is root :-/
Screenshot when in root user :
Dockerfile :
FROM node:lts-slim as base
ENV NODE_ENV=production
ENV HOST 0.0.0.0
WORKDIR /app
COPY package*.json .
RUN npm config list
RUN npm ci --force \
&& npm cache clean --force
FROM base as dev
ENV NODE_ENV=development
ENV PORT 3000
EXPOSE 3000
COPY . .
RUN npm config list
RUN npm install --force \
&& npm cache clean --force
FROM dev as scanner
RUN npm audit
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy fs --severity "HIGH,CRITICAL" --no-progress --scanners vuln .
FROM scanner as builder
RUN npm run build
FROM base as integ
ENV PORT 8000
EXPOSE 8000
COPY --from=builder /app/dist .
USER node
CMD [ "node", "main.js" ]
HEALTHCHECK CMD curl http://127.0.0.1/ || exit 1
Compose file :
services:
server:
platform: 'linux/amd64'
restart: always
init: true
build:
context: .
target: integ
env_file: ./.env
ports:
- 8000:8000
volumes:
- ./logs:/app/logs:rw
Additional Information
- The logs folder is only created once the nodejs app is started (Winston code is then loaded) !
- You can purge docker builder dangling images with :
docker builder purge
My guess it's that it's a mismatch in user id. The Node user id is 1000. You could make the folder writable to all cmod a+r to address this.
My guess it's that it's a mismatch in user id. The Node user id is 1000. You could make the folder writable to all
cmod a+rto address this.
I have tried that, to mod the node user to meet my host uid/gid, according to good practices for non root user, but the logs directory seems to remain under "root:root" permissions...
RUN groupmod -g 1001 node && usermod -u 1001 -g 1001 node
Also tried to chmod/chown the directory itsefl, but in vain.
RUN mkdir logs \
&& touch logs/unifaccess_log.jsonl \
&& touch logs/error_log.jsonl \
&& chmod -R 777 logs/ \
&& chown -R node:node logs/
Below, file permissions inside container VS host project :
That run command would not be useful if you override it with a volume mount in you compose though no?