why use root as the default user?

[oupala]

I can see in the Dockerfile that a node user and group are created.

But the USER is never used, hence the root user is the default user at startup.

Why creating a node user and not using it by default? Is there an explanation for this?

[nschonni]

https://github.com/nodejs/docker-node/blob/master/docs/BestPractices.md#non-root-user talks about this

[oupala]

Unfortunately, when using a docker image with GitLab CI, it is not possible to use the -u "node" paremeter. It becomes mandatory to build another node image, which shows that the default image is not suitable.

In fact, I don't understand the choice to create another user, but to stick to the root user by default, event after reading the best practice page.

[lirantal]

@nschonni what is the rational behind not running the app with the node user by default? the best practice you referenced only mentions how to run with the node user, not why.

@oupala what is your use-case of using this image as-is instead of building on top of it as a parent image?

[LaurentGoderre]

NodeJs is a base image and it is not uncommon for child images to have to install OS level dependencies. We provide the user needed to not run as root but leave the flexibility to implementer to choose how to implement it. This gives the best flexibility to our users.

[oupala]

Is there some usecases where running as root is mandatory?

If not, why not set the default node user as the default one?

[tianon]

Any (meaningful) apt-get command requires root, as does adjusting filesystem permissions, which are two very common examples.

[LaurentGoderre]

If we set the node user as default then every image that install anything will need to do

FROM node

USER root

RUN apt-get install [some-dep]

USER node

The current setup still allows running the image with the node user while giving flexibility for building child images.

docker run -u node

[oupala]

I am convinced by the explanation of @LaurentGoderre. Thanks.

[oupala]

In fact, this is image is more considered as a base image from building other images than an image that you can directly use in a container.

Would it be possible to propose a "node-user" version of each image using a proper tag?

There is already a lot of tags, why not add a "user" tag to offer a nodejs image that include the best practices? There would be some added tags such as:

13.3.0-stretch, 13.3-stretch, 13-stretch, stretch, 13.3.0, 13.3, 13, latest
13.3.0-stretch-user, 13.3-stretch-user, 13-stretch-user, stretch-user, 13.3.0-user, 13.3-user, 13-user

This way, you also offer a ready-to-user nodejs image for those who only need a good image ready to use in order to launch npx while prefer a secured image without being root.

[lirantal]

That IMO doesn't contribute to accessibility of security, but rather just complicates things and is also an opt-in security which is not something I like (personal opinion).

[oupala]

That IMO doesn't contribute to accessibility of security, but rather just complicates things and is also an opt-in security which is not something I like (personal opinion).

@lirantal What are you talking about when you say that?

[LaurentGoderre]

We are following the same pattern as other base image (such as postgres) that require users to be explicit about users.

[lirantal]

@oupala apologies for not being clearer. I meant that creating many image tags could be confusing and not helpful for devs to choose the correct one. If we're trying to make security by default and easy "to consume" I'd expect that we don't add to the confusion.

[oupala]

I agree with the principle that you set out. But basically, I do not think that offering an image where everything runs under root is the best way to promote accessibility of security.