From 3f1d3b783357d16a331624552e212bbbcc601a54 Mon Sep 17 00:00:00 2001
From: adriadam10 <57327458+adriadam10@users.noreply.github.com>
Date: Mon, 11 Sep 2023 16:14:42 +0200
Subject: [PATCH] Run docker container as non root user (#242)

* Run docker container as non root user

* Pass UID and GID as a variable + alpine-based image

* change apt-get to apk

* chore: remove unnecessary packages from Dockerfile

* chore: remove unnecessary `chown`

---------

Co-authored-by: Elias Schneider
---
 Dockerfile | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d030ddf7..62310c8a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,27 +1,24 @@
-# Using node slim because prisma ORM needs libc for ARM builds
-
 # Stage 1: on frontend dependency change
-FROM node:19-slim AS frontend-dependencies
+FROM node:19-alpine AS frontend-dependencies
 WORKDIR /opt/app
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci
 
 # Stage 2: on frontend change
-FROM node:19-slim AS frontend-builder
+FROM node:19-alpine AS frontend-builder
 WORKDIR /opt/app
 COPY ./frontend .
 COPY --from=frontend-dependencies /opt/app/node_modules ./node_modules
 RUN npm run build
 
 # Stage 3: on backend dependency change
-FROM node:19-slim AS backend-dependencies
+FROM node:19-alpine AS backend-dependencies
 WORKDIR /opt/app
 COPY backend/package.json backend/package-lock.json ./
 RUN npm ci
 
 # Stage 4:on backend change
-FROM node:19-slim AS backend-builder
-RUN apt-get update && apt-get install -y openssl
+FROM node:19-alpine AS backend-builder
 WORKDIR /opt/app
 COPY ./backend .
 COPY --from=backend-dependencies /opt/app/node_modules ./node_modules
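Review bot: The deleted header comment recorded why the Debian-based image was chosen (prisma needs libc for ARM builds), and nothing next to the new `FROM node:19-alpine` lines says why that constraint no longer holds on a musl-based Alpine image. The same hunk drops `RUN apt-get update && apt-get install -y openssl` from `backend-builder` with no `apk` counterpart, while `npx prisma generate` still runs in that stage (it is the context line of the next hunk), so this should be confirmed on the ARM targets and recorded in a replacement comment such as `# Alpine (musl) base: Prisma engine checked on arm64, openssl provided by the base image`. The `FROM` lines here and in the runner stage also rely on a mutable tag; declaring it once, e.g. `ARG NODE_IMAGE=node:19-alpine@sha256:<digest>` ahead of the first `FROM`, would keep every stage on the same verified base.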
@@ -29,9 +26,14 @@ RUN npx prisma generate
 RUN npm run build && npm prune --production
 
 # Stage 5: Final image
-FROM node:19-slim AS runner
+FROM node:19-alpine AS runner
 ENV NODE_ENV=docker
-RUN apt-get update && apt-get install -y curl openssl
+
+ARG UID=1000
+ARG GID=1000
+RUN deluser node
+RUN adduser -u $UID -g $GID node -D
+USER node
 
 WORKDIR /opt/app/frontend
 COPY --from=frontend-builder /opt/app/public ./public
@@ -46,8 +48,9 @@ COPY --from=backend-builder /opt/app/prisma ./prisma
 COPY --from=backend-builder /opt/app/package.json ./
 
 WORKDIR /opt/app
+
 EXPOSE 3000
 HEALTHCHECK --interval=10s --timeout=3s CMD curl -f http://localhost:3000/api/health || exit 1
 
 # HOSTNAME=0.0.0.0 fixes https://github.com/vercel/next.js/issues/51684. It can be removed as soon as the issue is fixed
-CMD cp -rn /tmp/img /opt/app/frontend/public && HOSTNAME=0.0.0.0 node frontend/server.js & cd backend && npm run prod
\ No newline at end of file
+CMD cp -rn /tmp/img /opt/app/frontend/public && HOSTNAME=0.0.0.0 node frontend/server.js & cd backend && npm run prod
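Review bot: In the runner-stage hunk (`@@ -29,9 +26,14 @@`), `RUN adduser -u $UID -g $GID node -D` passes the group id to lowercase `-g`, which BusyBox `adduser` treats as the GECOS (comment) field, so the `GID` build argument never becomes the account's group id. Creating the group explicitly, e.g. `RUN addgroup -g "$GID" node && adduser -u "$UID" -G node -D node` after `deluser node`, would make the non-root identity match what the builder passes (this assumes `deluser` also removed the `node` group). The removed `apt-get install -y curl openssl` has no `apk add` counterpart in this stage, while the `HEALTHCHECK` kept in the last hunk still runs `curl -f`; unless the base image ships curl the probe will mark the container unhealthy, so add `RUN apk add --no-cache curl` before `USER node` or probe with a tool that is present. The visible `COPY --from=` line after `USER node` has no `--chown`, so the copied tree is likely root-owned, which the `cp -rn /tmp/img /opt/app/frontend/public` in `CMD` appears to need write access to.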