✦ For everyone, free.

Practical knowledge for real and everyday life

Home

11.2.1.2 Runtime Permission Alignment

A focused guide to Runtime Permission Alignment, connecting core concepts with practical Docker and container operations.

Runtime permission alignment ensures that a container's filesystem permissions are correctly set up for the specific non-root user it actually runs as, avoiding the common pitfall where switching to a non-root user breaks the application because it can no longer access files it needs.

The Common Pitfall This Addresses

Switching to a non-root user without also ensuring that user can actually access the application's files results in permission errors at runtime.

FROM node:20-alpine
COPY . /app
USER node
CMD ["node", "/app/server.js"]

Error: EACCES: permission denied, open '/app/server.js'

If /app's files were copied while still running as root, and the node user doesn't have appropriate read access, this kind of permission error results once the container actually attempts to run as that non-root user.

Aligning Ownership With the Runtime User

Using --chown during the copy step ensures the application's files are owned appropriately for the user that will actually need to access them.

FROM node:20-alpine
COPY --chown=node:node . /app
USER node
CMD ["node", "/app/server.js"]

This resolves the permission issue, since the application's files are now owned by the same user that will actually be running the application.

Verifying Permission Alignment Before Relying on It

Testing that the container actually runs correctly as the intended non-root user catches a permission misalignment before it becomes a production issue.

docker run --rm myapp:1.0 node /app/server.js
Addressing Permissions for Volumes Mounted at Runtime

A volume mounted into the container also needs appropriate permissions for the non-root user, a separate consideration from the image's own baked-in file ownership.

docker run -d -v app-data:/app/data --user node myapp:1.0

Ensuring app-data's permissions allow the node user appropriate access avoids a similar permission issue specifically affecting this mounted volume.

Why Runtime Permission Alignment Matters

Properly aligning file and volume permissions with the actual non-root runtime user is an essential, easily overlooked step when adopting non-root containers, without which the security benefit of running as non-root would otherwise come at the cost of a broken, non-functional application.

Related content