update the Dockerfile to run as a non-privileged user

apdavison · apdavison · commit de5806557e93 · 2026-03-28T22:51:59.000+01:00
diff --git a/apps/nar-v3/deployment/Dockerfile b/apps/nar-v3/deployment/Dockerfile
@@ -13,7 +13,16 @@ RUN npm run build
 
 # production environment
 FROM docker-registry.ebrains.eu/neuralactivity/nginx:stable-alpine
+
+# Make nginx dirs writable for non-root user (UID 1001)
+RUN chown -R 1001:0 /var/cache/nginx /var/log/nginx /etc/nginx/conf.d && \
+    chmod -R g+w /var/cache/nginx /var/log/nginx /etc/nginx/conf.d && \
+    sed -i 's/^user  nginx;/#user  nginx;/' /etc/nginx/nginx.conf && \
+    sed -i 's|/var/run/nginx.pid|/tmp/nginx.pid|' /etc/nginx/nginx.conf
+
 COPY deployment/nginx_default /etc/nginx/conf.d/default.conf
 COPY --from=build /app/dist /usr/share/nginx/html
-EXPOSE 80
+
+EXPOSE 8080
+USER 1001
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/apps/nar-v3/deployment/nginx_default b/apps/nar-v3/deployment/nginx_default
@@ -29,10 +29,10 @@ server {
     root /usr/share/nginx/html;
     index index.html;
 
-    listen 80;
+    listen 8080;
 
-    access_log /var/log/nginx/access.log anonymized;
-    error_log /var/log/nginx/error.log crit;
+    access_log /dev/stdout anonymized;
+    error_log /dev/stderr crit;
 
     location / {
         try_files $uri /index.html;
