@gesellix
Forked from thom-nic/Dockerfile
Created October 14, 2015 19:51
Dockerfile that attempts to run the app as a non-root user. It creates a `node` user and sets permissions on the app files. Note that you cannot `chown` files in a Docker 'volume' during the build process; you can at runtime (as part of your `CMD`), but in that case you can't use the `USER` command to change the UID before `CMD` runs.
###
# Node.js app Docker file
#
# Some basic build instructions:
# ```
# # you should delete node_modules b/c you don't want that copied during 'ADD'
# docker build -t thom-nic/node-bootstrap .
# # run a shell in the container to inspect the environment (as root):
# docker run --rm -itu root thom-nic/node-bootstrap /bin/bash
# ```
###
FROM dockerfile/nodejs
MAINTAINER Thom Nichols "thom@thomnichols.org"
RUN useradd -ms /bin/bash node
# copy the nice dotfiles that dockerfile/ubuntu gives us:
RUN cd && cp -R .bash_profile .bashrc .gitconfig .profile scripts /home/node
ADD . /home/node/app
RUN chown -R node:node /home/node
USER node
ENV HOME /home/node
WORKDIR /home/node/app
#ENV NODE_ENV production
RUN npm install
EXPOSE 8888
CMD ["npm", "start"]
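
The runtime alternative mentioned in the description (start as root, `chown` the volume, then drop to `node` before the app starts) can be done in an entrypoint script. This is an added example, not part of the gist; `RUN_AS`, `DATA_DIR`, the `/home/node/app/data` mount point and the use of `setpriv` from util-linux are assumptions.

```shell
#!/bin/sh
# entrypoint.sh -- added example, not part of the gist.
# Assumed Dockerfile wiring: remove "USER node" so the container starts as root, then
#   COPY entrypoint.sh /entrypoint.sh
#   ENTRYPOINT ["/entrypoint.sh"]
#   CMD ["npm", "start"]
# Assumed names: RUN_AS (default "node"), DATA_DIR (hypothetical volume mount point).
set -eu

# Count entries under directory $1 that are not owned by user $2 (name or numeric UID).
count_not_owned() {
    find "$1" ! -user "$2" -print | wc -l | tr -d ' '
}

# Re-own only the mismatched entries; find does not follow symlinks and
# chown -h changes a link itself, so a link in the volume cannot redirect the chown.
fix_ownership() {
    find "$1" ! -user "$2" -exec chown -h "$2:$2" {} +
}

# Print the command prefix that switches to user $2 when the current UID ($1) is 0;
# print nothing when already unprivileged. Assumes util-linux setpriv is in the image.
drop_prefix() {
    if [ "$1" -eq 0 ]; then
        printf 'setpriv --reuid=%s --regid=%s --init-groups' "$2" "$2"
    fi
}

main() {
    run_as="${RUN_AS:-node}"
    data_dir="${DATA_DIR:-/home/node/app/data}"
    uid="$(id -u)"
    if [ "$uid" -eq 0 ] && [ -d "$data_dir" ]; then
        echo "entrypoint: re-owning $(count_not_owned "$data_dir" "$run_as") entries in $data_dir" >&2
        fix_ownership "$data_dir" "$run_as"
    fi
    # exec replaces this shell, so the app receives container signals directly.
    # The prefix is left unquoted on purpose so it splits into separate words.
    exec $(drop_prefix "$uid" "$run_as") "$@"
}

# Run only when a command was passed (the image's CMD); with no arguments
# the file just defines its functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Because the script only uses the privilege-drop prefix when it finds itself running as UID 0, the same image still works when started with `docker run -u node`, in which case the ownership fix is skipped.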
@gesellix
Author

original comment about postinstall stuff:

Note that lines 22 and 23 mean the `npm install` call is run as the `node` user. I have bower installed as a local dependency (not `-g`) and use npm's `postinstall` hook to install bower assets:

relevant bits of my package.json

```json
{
  "devDependencies": {
    "bower": "~1.3",
    "grunt": "~0.4",
    "grunt-cli": "~0.1",
    "grunt-contrib-less": "~0.11",
    "grunt-contrib-uglify": "~0.5"
    // others...
  },
  "scripts": {
    "postinstall": "bower install && grunt assets"
  }
}
```

This means I don't need extra `npm install -g` lines in the Dockerfile.
