Docker Compose Tip #14: Running containers as non-root users

services:
  app:
    image: nginx
    # Runs as root user (uid 0) - security risk!

services:
  app:
    image: node:20
    user: "1000:1000"  # Run as uid:gid 1000
    working_dir: /app
    volumes:
      - ./app:/app

services:
  nginx:
    image: nginx:alpine
    user: "nginx"  # Use nginx user from image

FROM node:20-alpine

# Create app user and group
RUN addgroup -g 1001 -S appuser && \
    adduser -u 1001 -S appuser -G appuser

# Create app directory with correct ownership
RUN mkdir -p /app && chown -R appuser:appuser /app

# Switch to non-root user
USER appuser

WORKDIR /app
COPY --chown=appuser:appuser package*.json ./
RUN npm ci --only=production
COPY --chown=appuser:appuser . .

CMD ["node", "server.js"]

services:
  api:
    build: .
    # Already runs as appuser from Dockerfile
    ports:
      - "3000:3000"

services:
  app:
    image: node:20
    user: "1000:1000"
    volumes:
      - ./data:/data  # Must be writable by uid 1000
    # Fix permissions on startup
    entrypoint: |
      sh -c 'chown -R 1000:1000 /data 2>/dev/null || true && npm start'

services:
  # Fix permissions before app starts
  init-permissions:
    image: busybox
    user: root
    volumes:
      - ./data:/data
    command: chown -R 1000:1000 /data

  app:
    image: node:20
    user: "1000:1000"
    volumes:
      - ./data:/data
    depends_on:
      init-permissions:
        condition: service_completed_successfully

services:
  web:
    image: nginx
    user: "nginx"
    ports:
      - "8080:8080"  # Use high ports for non-root
    # Configure nginx to listen on 8080 instead of 80

services:
  app:
    image: myapp
    user: "1000:1000"
    secrets:
      - source: db_password
        uid: "1000"  # Make secret readable by user
        mode: 0400

secrets:
  db_password:
    file: ./secrets/db_password.txt

docker compose exec app whoami
# Should output: appuser (not root)

docker compose exec app id
# uid=1000(appuser) gid=1000(appuser)