node user has no write permissions on host bind-mount volume

[mhabsaoui]

Environment

• Platform: Ubuntu LTS (5.15.0-87-generic)
• Docker Version: Community 24.0.6
• Node.js Version: node:lts-slim
• Image Tag: latest

Expected Behavior

My docker nodeJs app has is started, inside a Dockerfile, with node user that should write Winston logs to file on host bind-mount volume

Current Behavior

The logs folder stays empty without no log file inside, same on host or inside the container

Possible Solution

I have looked all possible issues solutions and the official docker Doc. but in vain : creating special user with same uid:gid as host's one, giving folder permissions other than root one in Dockerfile... Only the data volume container remains to be investigated, but never experienced such way.

Steps to Reproduce

Run the docker app with integration Compose file (integ target) : docker compose -f compose.integ.yml up --build --force-recreate Then, send a Postman POST request on http://0.0.0.0:8000/log URL to trigger the node app logger => logs only written if Dockerfile USER is root :-/

Screenshot when in root user :

Dockerfile :

FROM node:lts-slim as base
ENV NODE_ENV=production
ENV HOST 0.0.0.0
WORKDIR /app
COPY package*.json .
RUN npm config list
RUN npm ci --force \
    && npm cache clean --force

FROM base as dev
ENV NODE_ENV=development
ENV PORT 3000
EXPOSE 3000
COPY . .
RUN npm config list
RUN npm install --force \
    && npm cache clean --force

FROM dev as scanner
RUN npm audit
COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
RUN trivy fs --severity "HIGH,CRITICAL" --no-progress --scanners vuln .

FROM scanner as builder
RUN npm run build

FROM base as integ
ENV PORT 8000
EXPOSE 8000
COPY --from=builder /app/dist .
USER node
CMD [ "node", "main.js" ]
HEALTHCHECK CMD curl http://127.0.0.1/ || exit 1

Compose file :

services:
  server:
    platform: 'linux/amd64'
    restart: always
    init: true
    build:
      context: .
      target: integ
    env_file: ./.env
    ports:
      - 8000:8000
    volumes:
      - ./logs:/app/logs:rw

Additional Information

• The logs folder is only created once the nodejs app is started (Winston code is then loaded) !
• You can purge docker builder dangling images with : docker builder purge

[LaurentGoderre]

My guess it's that it's a mismatch in user id. The Node user id is 1000. You could make the folder writable to all cmod a+r to address this.

[mhabsaoui]

My guess it's that it's a mismatch in user id. The Node user id is 1000. You could make the folder writable to all cmod a+r to address this.

I have tried that, to mod the node user to meet my host uid/gid, according to good practices for non root user, but the logs directory seems to remain under "root:root" permissions...

RUN groupmod -g 1001 node && usermod -u 1001 -g 1001 node

Also tried to chmod/chown the directory itsefl, but in vain.

RUN mkdir logs \
    && touch logs/unifaccess_log.jsonl \
    && touch logs/error_log.jsonl \
    && chmod -R 777 logs/ \
    && chown -R node:node logs/

Below, file permissions inside container VS host project :

[LaurentGoderre]

That run command would not be useful if you override it with a volume mount in you compose though no?