Dockerfile non-root user #36
Conversation
Dockerfile
Outdated
| RUN yarn install --production=true --frozen-lockfile | ||
|
|
||
| FROM node:18.14-alpine as prod-build | ||
|
|
||
| WORKDIR /usr/src/app | ||
|
|
||
| # Create a non-root user and switch to it | ||
| # Note: You might need to adjust permissions more restrictively depending on your app's specific needs | ||
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app |
There was a problem hiding this comment.
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app | |
| RUN adduser -D node && chown -R node:node /usr/src/app |
Dockerfile
Outdated
| # Create a non-root user and switch to it | ||
| # Note: You might need to adjust permissions more restrictively depending on your app's specific needs | ||
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app | ||
| USER indexer |
There was a problem hiding this comment.
| USER indexer | |
| USER node |
Dockerfile
Outdated
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app | ||
| USER indexer | ||
|
|
||
| # Copy necessary files | ||
| COPY package*.json ./ |
There was a problem hiding this comment.
| COPY package*.json ./ | |
| COPY --chown=node:node package*.json ./ |
There was a problem hiding this comment.
redundant, as we have already selected USER before hand and therefore everything below it will inherit this user's permissions
Dockerfile
Outdated
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app | ||
| USER indexer | ||
|
|
||
| # Copy necessary files | ||
| COPY package*.json ./ | ||
| COPY yarn*.lock ./ |
There was a problem hiding this comment.
| COPY yarn*.lock ./ | |
| COPY --chown=node:node yarn*.lock ./ |
There was a problem hiding this comment.
redundant, as we have already selected USER before hand and therefore everything below it will inherit this user's permissions
Dockerfile
Outdated
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app | ||
| USER indexer | ||
|
|
||
| # Copy necessary files | ||
| COPY package*.json ./ | ||
| COPY yarn*.lock ./ | ||
| COPY --from=build /usr/src/app/dist ./dist |
There was a problem hiding this comment.
| COPY --from=build /usr/src/app/dist ./dist | |
| COPY --from=build --chown=node:node /usr/src/app/dist ./dist |
There was a problem hiding this comment.
redundant, as we have already selected USER before hand and therefore everything below it will inherit this user's permissions
Dockerfile
Outdated
| RUN adduser -D indexer && chown -R indexer:indexer /usr/src/app | ||
| USER indexer | ||
|
|
||
| # Copy necessary files | ||
| COPY package*.json ./ | ||
| COPY yarn*.lock ./ | ||
| COPY --from=build /usr/src/app/dist ./dist | ||
| COPY --from=prod-install /usr/src/app/node_modules ./node_modules |
There was a problem hiding this comment.
| COPY --from=prod-install /usr/src/app/node_modules ./node_modules | |
| COPY --from=prod-install --chown=node:node /usr/src/app/node_modules ./node_modules |
There was a problem hiding this comment.
redundant, as we have already selected USER before hand and therefore everything below it will inherit this user's permissions
Dockerfile
Outdated
| @@ -1,37 +1,55 @@ | |||
| FROM node:18.14-alpine as install | |||
| # --platform=linux/amd64 is necessary when building on M1/M3 Macintosh locally | |||
| FROM --platform=linux/amd64 node:18.14-alpine as install | |||
There was a problem hiding this comment.
| FROM --platform=linux/amd64 node:18.14-alpine as install | |
| FROM --platform=linux/amd64 node:18-alpine as install |
There was a problem hiding this comment.
Lets pack in also some better upgrading of node
There was a problem hiding this comment.
Also I do not know if specifying the platform is a good idea...because this could break development on AppleSilicon
There was a problem hiding this comment.
quite the opposite, AppleSilicon can run Linux based arch containers as the engine is fully virtualized (a Linux VM running on your mac) even though sometimes this might not work.
This way, if you build a container and push from your laptop, it will not be Mac specific which is a better outcome than pushing a docker container with the wrong arch instead
Dockerfile
Outdated
| RUN yarn build | ||
|
|
||
| FROM node:18.14-alpine as prod-install | ||
| FROM --platform=linux/amd64 node:18.14-alpine as prod-install |
There was a problem hiding this comment.
| FROM --platform=linux/amd64 node:18.14-alpine as prod-install | |
| FROM --platform=linux/amd64 node:18-alpine as prod-install |
Dockerfile
Outdated
| COPY package*.json ./ | ||
| COPY yarn*.lock ./ | ||
|
|
||
| # Install only production dependencies | ||
| RUN yarn install --production=true --frozen-lockfile | ||
|
|
||
| FROM node:18.14-alpine as prod-build |
There was a problem hiding this comment.
| FROM node:18.14-alpine as prod-build | |
| FROM node:18-alpine as prod-build |
Dockerfile
Outdated
| COPY package*.json ./ | ||
| COPY yarn*.lock ./ | ||
|
|
||
| # Install dependencies | ||
| RUN yarn install --production=false | ||
|
|
||
| FROM node:18.14-alpine as build |
There was a problem hiding this comment.
| FROM node:18.14-alpine as build | |
| FROM node:18-alpine as build |
Change the Dockefile to run as non-root by default.