using docker without root

Dockerfile

@@ -12,7 +12,7 @@ ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
     PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium
 
 # Copy lockfiles first to leverage cache for dependencies
-COPY package.json yarn.lock .
+COPY --chown=node:node package.json yarn.lock ./
 
 # Set Yarn timeout, install dependencies and PM2 globally
 RUN yarn config set network-timeout 600000 \
@@ -20,13 +20,13 @@ RUN yarn config set network-timeout 600000 \
   && yarn global add pm2
 
 # Copy application source and build production assets
-COPY . .
+COPY --chown=node:node . .
 RUN yarn build:frontend
 
-# Prepare runtime directories and symlinks for data and config
+# Prepare runtime directories and symlinks for data and config (as root)
 RUN mkdir -p /db /conf \
-  && chown 1000:1000 /db /conf \
-  && chmod 777 /db /conf \
+  && chown node:node /fredy /db /conf \
+  && chmod 770 /db /conf \
   && ln -s /db /fredy/db \
   && ln -s /conf /fredy/conf
 
@@ -34,5 +34,8 @@ EXPOSE 9998
 VOLUME /db
 VOLUME /conf
 
+# Change to non-root user
+USER node
+
 # Start application using PM2 runtime
-CMD ["pm2-runtime", "index.js"]
+CMD ["pm2-runtime", "index.js"]

docker-test.sh

@@ -7,12 +7,12 @@ if [ "$(docker ps -aq -f name=fredy)" ]; then
   docker rm fredy || true
 fi
 
-# Build image from local Dockerfile
-docker build -t fredy:local .
+# Build image from local Dockerfile, forcing a fresh build without cache
+docker build --no-cache -t fredy:local .
 
 # Run container with volumes and port mapping
 docker run -d --name fredy \
   -v fredy_conf:/conf \
   -v fredy_db:/db \
   -p 9998:9998 \
-  fredy:local
+  fredy:local