npm won't run install after USER switch but works with RUN su instead

[aaronazlant]

getting errors running npm install after switching users within the Dockerfile:

# Install dependencies and nodejs
RUN apt-get update
RUN apt-get install -y python-software-properties python g++ make
RUN add-apt-repository ppa:chris-lea/node.js
RUN apt-get update
RUN apt-get install -y nodejs

# Install git
RUN apt-get install -y git

# Bundle app source
ADD . /src

# Create a nonroot user, and switch to it
RUN /usr/sbin/useradd --create-home --home-dir /usr/local/nonroot --shell /bin/bash nonroot
RUN /usr/sbin/adduser nonroot sudo
RUN chown -R nonroot /usr/local/
RUN chown -R nonroot /usr/lib/
RUN chown -R nonroot /usr/bin/
RUN chown -R nonroot /src

USER nonroot

# Install app source
RUN cd /src; npm install

gives me the following error for every node module:

 Error: Attempt to unlock javascript-brunch@1.7.1, which hasn't been locked
     at unlock (/usr/lib/node_modules/npm/lib/cache.js:1304:11)
     at cb (/usr/lib/node_modules/npm/lib/cache.js:646:5)
     at /usr/lib/node_modules/npm/lib/cache.js:655:20
     at /usr/lib/node_modules/npm/lib/cache.js:1282:20
     at afterMkdir (/usr/lib/node_modules/npm/lib/cache.js:1013:14)
     at /usr/lib/node_modules/npm/node_modules/mkdirp/index.js:37:53
     at Object.oncomplete (fs.js:107:15)
 If you need help, you may report this *entire* log,
 including the npm and node versions, at:
     <http://github.com/npm/npm/issues>

 ...

However, if I replace the 'USER nonroot' line with 'RUN /bin/su nonroot' everything is copacetic.

[gregwebs]

I think something changed with respect to permissions of mounted volumes in 0.9. I worked around this by using chown on all the directories npm tries to install to

[unclejack]

This isn't a bug. "USER someuser" is only used wen running the image, not when building or running anything during a build.

http://docs.docker.io/en/latest/reference/builder/#user clearly states that:

The USER instruction sets the username or UID to use when running the image.

This means RUN instructions won't be run as the user you've specified via USER.

[gregwebs]

For what its worth, I think I have been seeing different behavior with the docker build using the USER immediately. This is probably because RUN is in fact running an image in an intermediate container.

It would make sense for docker to use USER immediately because it can just be placed at the end of the Dockerfile, but the problem to be worked out is then the proper behavior when building on top of an image that specifies a USER.

I find it very convenient to install as a user other than root sometimes. Some documentation on techniques for this would be helpful.

[dklotz]

@unclejack this is not true, the docs state that "The USER instruction sets the user name or UID to use when running the image and for any following RUN directives." So what this ticket describes should work, according to the docs!