I'm looking for a way to achieve these goals at the same time:

using a non-root user inside the container

keeping node_modules inside the container (to not "pollute" the working directory on the host)

not using a Dockerfile

I'm not sure if these goals are considered "best practice". For example, keeping node_modules inside the container has its disadvantages.

Currently my compose file is like this:

    services:
      # ...
      node:
        image: "node:9"
        user: "node"
        working_dir: /home/node/app
        environment:
          # - NODE_ENV=production
          - NPM_CONFIG_PREFIX=/home/node/.npm-global
          - PATH=$PATH:/home/node/.npm-global/bin
        volumes:
          - ./proj/:/home/node/app
          - /home/node/app/node_modules # mark1
        ports:
          - "3001:3001"
        command: >
          bash -c "echo hello
          && ls -lh /home/node/app/
          && npm install
          && npm i -g babel-cli
          && npm i -g flow-bin
          && npm start"
        depends_on:
          - redis

but there's "Error: EACCES: permission denied, access '/home/node/app/node_modules'".

If I comment out the #mark1 line, the container runs; however, node_modules will be written onto the host (since ./proj is mounted).

I have read these two articles on the topic:

but neither meets my goal.

Update: