How to add a custom CA certificate to an extended (node.js) Docker image

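I am extending the node-red Docker image, which is (currently) based on the node:6 Docker image.

I want to add a custom SSL certificate to the certificate store of the Docker image. So far, I have done the following: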

    FROM nodered/node-red-docker
    ADD DigiCertCA.crt /usr/local/share/ca-certificates/
    RUN update-ca-certificates
    ADD settings.js /data/settings.js
    RUN npm install node-red-contrib-ttn
    RUN npm install node-red-contrib-influxdb
    RUN npm install node-red-admin
    RUN npm install node-red-node-geohash
    CMD ["npm", "start", "--", "--userDir", "/data"]

Building this image fails, because the RUN is executed as the non-root user node:

    Updating certificates in /etc/ssl/certs...
    ln: failed to create symbolic link '/etc/ssl/certs/DigiCertCA.pem': Permission denied
    The command '/bin/sh -c update-ca-certificates' returned a non-zero code: 1

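I understand that such an operation is not possible as non-root. But what is a valid concept for extending an existing image with a custom CA certificate?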

Why not switch the user to root to run the command that adds the certificate, and then switch back?

    FROM nodered/node-red-docker
    ADD DigiCertCA.crt /usr/local/share/ca-certificates/
    # update-ca-certificates writes to /etc/ssl/certs, so it has to run as root
    USER root
    RUN update-ca-certificates
    # switch back to the unprivileged user for everything that follows
    USER node-red
    ADD settings.js /data/settings.js
    RUN npm install node-red-contrib-ttn
    RUN npm install node-red-contrib-influxdb
    RUN npm install node-red-admin
    RUN npm install node-red-node-geohash
    CMD ["npm", "start", "--", "--userDir", "/data"]
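
A small pre-build lint for the pattern discussed above, as an added example that is not part of the original question or answer: it walks a single-stage Dockerfile, reports any `RUN update-ca-certificates` executed while the current user is not root, and reports a file whose last `USER` is root. The function name, the sample helpers and the base-image user passed as the argument (`node-red`, taken from the answer's `USER` line) are assumptions.

```sh
#!/bin/sh
# Added example. Usage: lint_ca_dockerfile BASE_USER < Dockerfile
# BASE_USER is the user the base image ends with (assumption supplied by the caller).
# Limitation: single-stage files only; a RUN continued over several lines
# is matched only on its first line.
lint_ca_dockerfile() {
    awk -v user="$1" '
        function is_root(u) { return u == "root" || u == "0" || u ~ /^(root|0):/ }
        { instr = toupper($1) }
        # Track which user later instructions run as.
        instr == "USER" { user = $2 }
        # The failure from the question: trust store update without root.
        instr == "RUN" && /update-ca-certificates/ && !is_root(user) {
            printf "line %d: update-ca-certificates runs as %s\n", NR, user
        }
        # The opposite mistake: root is never dropped again.
        END { if (is_root(user)) print "final USER is root" }
    '
}

# Constructed samples, abridged from the two Dockerfiles on this page.
question_dockerfile() {
    cat <<'EOF'
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
CMD ["npm", "start", "--", "--userDir", "/data"]
EOF
}

answer_dockerfile() {
    cat <<'EOF'
FROM nodered/node-red-docker
ADD DigiCertCA.crt /usr/local/share/ca-certificates/
USER root
RUN update-ca-certificates
USER node-red
CMD ["npm", "start", "--", "--userDir", "/data"]
EOF
}

# Third constructed case: the switch back to the unprivileged user is missing.
forgot_switch_back() { answer_dockerfile | grep -v '^USER node-red$'; }

question_dockerfile | lint_ca_dockerfile node-red
answer_dockerfile   | lint_ca_dockerfile node-red
forgot_switch_back  | lint_ca_dockerfile node-red
```

An empty result means the file passed both checks; the container then serves traffic as the unprivileged user while the CA was still installed with root rights at build time.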