Self Hosting on Kubernetes with runAsNonRoot: true option
I would like to host Novu on a Kubernetes environment using the Novu Docker images.
I am using the following Novu images:
- ghcr.io/novuhq/novu/api
- ghcr.io/novuhq/novu/web
- ghcr.io/novuhq/novu/embed
- ghcr.io/novuhq/novu/widget
- ghcr.io/novuhq/novu/worker
- ghcr.io/novuhq/novu/w
as well as the Docker images for mongo and redis:alpine.
For security reasons, the
For mongo and redis:alpine image, the service user with ID 999 can be selected for this purpose.
For the Novu images, I have tried using the node user with ID 1000, which however, leads to problems with some images. For example, in the Dockerfile for the web image, some COPY operations are performed as the root user because there is no user switch to the node user.
When starting the Novu web container in Kubernetes, this results in the inability to access, e.g. the
Is it possible to modify the Dockerfiles so that there is a switch to the node user before the commands or to transfer permissions for these files to the node user afterwards? Alternatively, is it possible to introduce a custom Novu service user with the necessary permissions?
If it is not possible to make these changes in the Novu Dockerfiles, I will need to create my own Dockerfiles that build on the Docker images and transfer the permissions to the node user. The images created from these Dockerfiles should then work for Kubernetes with the
I am using the following Novu images:
- ghcr.io/novuhq/novu/api
- ghcr.io/novuhq/novu/web
- ghcr.io/novuhq/novu/embed
- ghcr.io/novuhq/novu/widget
- ghcr.io/novuhq/novu/worker
- ghcr.io/novuhq/novu/w
as well as the Docker images for mongo and redis:alpine.
For security reasons, the
runAsNonRoot: trueFor mongo and redis:alpine image, the service user with ID 999 can be selected for this purpose.
For the Novu images, I have tried using the node user with ID 1000, which however, leads to problems with some images. For example, in the Dockerfile for the web image, some COPY operations are performed as the root user because there is no user switch to the node user.
When starting the Novu web container in Kubernetes, this results in the inability to access, e.g. the
/app/env.sh@novu/web@0.19.0 envsetup:docker /app
chmod +x ./env.sh && ./env.sh && mv ./env-config.js ./build/env-config.js
chmod: ./env.sh: Operation not permitted
ELIFECYCLE Command failed with exit code 1.
Is it possible to modify the Dockerfiles so that there is a switch to the node user before the commands or to transfer permissions for these files to the node user afterwards? Alternatively, is it possible to introduce a custom Novu service user with the necessary permissions?
If it is not possible to make these changes in the Novu Dockerfiles, I will need to create my own Dockerfiles that build on the Docker images and transfer the permissions to the node user. The images created from these Dockerfiles should then work for Kubernetes with the
runAsNonRoot: true