I'm extending the node-red docker image which (currently) bases itself on the node:6 docker image.

I would like to add a custom SSL-Certificate into the docker-image's certificate store. Up to now I did this as follows:

```dockerfile
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
ADD settings.js /data/settings.js
RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash
CMD ["npm", "start", "--", "--userDir", "/data"]
```

Building this image fails, because the RUN is executed as non-root user node.

```
Updating certificates in /etc/ssl/certs... ln: failed to create symbolic link '/etc/ssl/certs/DigiCertCA.pem': Permission denied
The command '/bin/sh -c update-ca-certificates' returned a non-zero code: 1
```

I'm aware that as non-root such an operation is not possible. But what's the valid concept to extend existing images with custom CA-Certificates?
Why not just switch user to root to run the command to add the cert then switch back?

```dockerfile
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
# Become root only for the step that writes to /etc/ssl/certs
USER root
RUN update-ca-certificates
# Drop back to the unprivileged user for everything that follows
USER node-red
ADD settings.js /data/settings.js
RUN npm install node-red-contrib-ttn
RUN npm install node-red-contrib-influxdb
RUN npm install node-red-admin
RUN npm install node-red-node-geohash
CMD ["npm", "start", "--", "--userDir", "/data"]
```
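
The root-then-back pattern from the answer above can be checked mechanically before building. The following is an added example, not part of the original question or answer: the function name `check_dockerfile` is hypothetical, and the base image's default user (`node-red`, taken from the answer's `USER node-red` line) is an assumption passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the original posts.
# check_dockerfile FILE BASE_USER
#   BASE_USER is the base image's default user; it is an assumption supplied
#   by the caller because the Dockerfile alone does not reveal it.
# Prints one finding per line; exit status 0 means no findings.
check_dockerfile() {
    awk -v base="$2" '
        function is_root(u) { return u == "root" || u == "0" }
        BEGIN { user = base; bad = 0 }
        {
            # Join backslash-continued lines into one logical instruction.
            if (!cont) { line = ""; start = NR }
            line = line " " $0
            cont = (line ~ /\\[ \t]*$/)
            if (cont) { sub(/\\[ \t]*$/, "", line); next }
            $0 = line
            instr = toupper($1)
        }
        instr == "FROM" { user = base }   # every build stage starts as the base user
        instr == "USER" { user = $2; sub(/:.*/, "", user) }   # strip ":group"
        instr == "RUN" && /update-ca-certificates/ && !is_root(user) {
            printf "line %d: update-ca-certificates runs as %s, needs root\n", start, user
            bad = 1
        }
        END {
            if (is_root(user)) { print "final USER is root"; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample input: the two Dockerfiles from this page, shortened.
demo=$(mktemp -d)
printf '%s\n' 'FROM nodered/node-red-docker' \
    'ADD DigiCertCA.crt /usr/local/share/ca-certificates/' \
    'RUN update-ca-certificates' > "$demo/question"
printf '%s\n' 'FROM nodered/node-red-docker' \
    'ADD DigiCertCA.crt /usr/local/share/ca-certificates/' \
    'USER root' 'RUN update-ca-certificates' 'USER node-red' > "$demo/answer"

check_dockerfile "$demo/question" node-red || echo "=> question Dockerfile rejected"
check_dockerfile "$demo/answer" node-red && echo "=> answer Dockerfile passes"
```

The second finding, `final USER is root`, fires when a Dockerfile switches to root for the certificate step and never switches back, which would leave the running container privileged.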