我正在Windows的Docker 2.4.0上运行一个非常简单的Node.js Koa“ hello world”应用程序。如果基本图片为node:10-alpine,则效果很好:
FROM node:10-alpine
RUN mkdir -p /home/node/app/node_modules && chown -R node:node /home/node/app
WORKDIR /home/node/app
COPY package*.json ./
USER node
RUN npm install
COPY --chown=node:node . .
EXPOSE 8080
CMD [ "node", "index.js" ]
但是如果我将版本更改为FROM node:15.0.1-alpine3.10
Step 6/9 : RUN npm install
Removing intermediate container 6ff212db1484
---> bfde467f103d
Step 6/9 : RUN npm install
---> Running in 37ef90ef4039
npm ERR! code EACCES
npm ERR! syscall open
npm ERR! path /home/node/app/package-lock.json
npm ERR! errno -13
npm ERR! Error: EACCES: permission denied, open '/home/node/app/package-lock.json'
npm ERR! [Error: EACCES: permission denied, open '/home/node/app/package-lock.json'] {
npm ERR! errno: -13,
npm ERR! code: 'EACCES',
npm ERR! syscall: 'open',
npm ERR! path: '/home/node/app/package-lock.json'
npm ERR! }
........
答案 0 :(得分:1)
npm install将尝试使用安装的软件包的当前实际版本更新package-lock.json文件。对于在Docker映像中进行安装,您并不是真的想要这个。请使用npm ci来避免这种情况。
您遇到的另一个问题是,默认情况下,COPY使文件由root用户拥有,但是您已切换到备用“ node”用户。您可能希望映像中的应用程序代码由root拥有,然后以替代用户身份运行:如果存在某种安全性问题,这将为您提供额外的保护层,以防止容器中的代码被修改。
如果您同时执行上述两项操作,则更正后的Dockerfile大致如下所示:
FROM node:15.0.1-alpine3.10
# WORKDIR also creates the directory. It will be owned by root,
# which is probably what you want. (So no `RUN mkdir ...`.)
WORKDIR /home/node/app
# Stay as the root user for now.
# Install packages:
COPY package*.json ./
RUN npm ci # not `npm install`
# Copy in the rest of the application (still owned by root):
COPY . .
# Declare runtime metadata. Only now switch to the "node" user.
# This will not be able to modify the source code (good).
USER node
EXPOSE 8080
CMD ["node", "index.js"]