I’m looking into the nextflow/nextflow Docker image (docker.io/nextflow/nextflow:24.10.0) and noticed that the Nextflow home directory has root ownership.
yash:~/chainguard/images-private$ docker run -it --rm docker.io/nextflow/nextflow:24.10.0 bash
bash-5.2# ls -la
total 60
drwxr-xr-x 19 root root 4096 Jan 17 12:12 .
-rwxr-xr-x 1 root root 0 Jan 17 12:12 .dockerenv
drwxr-xr-x 4 root root 4096 Oct 27 20:23 .nextflow
lrwxrwxrwx 1 root root 7 Jan 30 2023 bin -> usr/bin
dr-xr-xr-x 2 root root 4096 Jan 30 2023 boot
drwxr-xr-x 5 root root 360 Jan 17 12:12 dev
drwxr-xr-x 43 root root 4096 Jan 17 12:12 etc
drwxr-xr-x 2 root root 4096 Jan 30 2023 home
lrwxrwxrwx 1 root root 7 Jan 30 2023 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jan 30 2023 lib64 -> usr/lib64
drwxr-xr-x 2 root root 4096 Oct 10 21:19 local
drwxr-xr-x 2 root root 4096 Jan 30 2023 media
drwxr-xr-x 2 root root 4096 Jan 30 2023 mnt
drwxr-xr-x 2 root root 4096 Jan 30 2023 opt
dr-xr-xr-x 635 root root 0 Jan 17 12:12 proc
dr-xr-x--- 3 root root 4096 Oct 27 20:22 root
drwxr-xr-x 5 root root 4096 Oct 10 21:19 run
lrwxrwxrwx 1 root root 8 Jan 30 2023 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Jan 30 2023 srv
dr-xr-xr-x 13 root root 0 Jan 17 11:13 sys
drwxrwxrwt 3 root root 4096 Oct 27 20:23 tmp
drwxr-xr-x 12 root root 4096 Oct 10 21:19 usr
drwxr-xr-x 18 root root 4096 Oct 10 21:19 var
While I understand that running containers as non-root is best practice for security reasons, I’m curious why the home directory tends to have root permissions in the official image. I have also noticed that if the home directory has non-root permissions, then when any Nextflow pipeline fails it doesn’t create a .nextflow.log file. Could someone provide some insight into the reasoning behind this choice?