fix(docker): Apply OWASP recommendations (#455)
Reference: [Node.js Docker Cheatsheet · OWASP](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/NodeJS_Docker_Cheat_Sheet.md)

Changes:
* add sha256 to node docker image cf https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/NodeJS_Docker_Cheat_Sheet.md
* ensure that we only install production dependencies in a deterministic way
* set NODE_ENV
* Don't run containers as root
* troubleshooting: display openwhyd logs after tests fail
* try to allow "node" user to create files in workdir
* Properly handle events to safely terminate a Node.js Docker web application
* terminate gracefully on SIGINT and SIGTERM
* multi-stage build
* fix separation of parameters in CMD
* ignore more files
* fix `chown: changing ownership of '/usr/src/app': Operation not permitted` cf https://github.com/openwhyd/openwhyd/runs/2589782153#step:3:655
* remove volume defs
1 parent de6b808, commit 5507606

Showing 7 changed files with 57 additions and 25 deletions.
@@ -1,27 +1,42 @@ | ||
FROM node:14.16.1-slim | ||
# note: keep nodejs version above in sync with the one in .nvmrc | ||
FROM node:14.16.1-slim@sha256:58dbfbdf664f703072bd8263b787301614579c8e345029cdc3d9acf682e853a9 AS build | ||
|
||
# Install dependencies | ||
# Install build dependencies | ||
RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
g++ \ | ||
gcc \ | ||
libc6-dev \ | ||
make \ | ||
python \ | ||
graphicsmagick \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
python | ||
|
||
# Install and build app dependencies | ||
WORKDIR /usr/src/app | ||
COPY ./package*.json /usr/src/app/ | ||
RUN npm install --no-audit --production | ||
COPY --chown=node:node ./package*.json /usr/src/app/ | ||
RUN npm ci --only=production --no-audit | ||
|
||
# Fix Error: Cannot find module '../build/Release/bson' on newer node / MongoDB versions | ||
# RUN sed -i.backup 's/..\/build\/Release\/bson/bson/g' /usr/src/app/node_modules/bson/ext/index.js | ||
|
||
FROM node:14.16.1-slim@sha256:58dbfbdf664f703072bd8263b787301614579c8e345029cdc3d9acf682e853a9 | ||
# note: keep nodejs version above in sync with the one in .nvmrc + don't forget to append the corresponding sha256 hash | ||
|
||
# Install runtime dependencies | ||
RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
dumb-init \ | ||
graphicsmagick \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
|
||
ENV NODE_ENV production | ||
|
||
# Bundle app source | ||
COPY ./ /usr/src/app | ||
WORKDIR /usr/src/app | ||
COPY --chown=node:node --from=build /usr/src/app/node_modules /usr/src/app/node_modules | ||
COPY --chown=node:node ./ /usr/src/app | ||
|
||
# Allow openwhyd server (running as "node" user) to create files (e.g. playlog.json.log) in /usr/src/app | ||
RUN chown node:node /usr/src/app | ||
USER node | ||
|
||
EXPOSE 8080 | ||
|
||
CMD [ "npm", "start" ] | ||
# dumb-init is invoked with PID 1, then spawns node as another process whilst ensuring that all signals are proxied to it | ||
CMD [ "dumb-init", "node", "app.js", "--fakeEmail", "--digestInterval", "-1" ] |
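Review bot: the new `CMD [ "dumb-init", "node", "app.js", "--fakeEmail", "--digestInterval", "-1" ]` at the end of the hunk bakes `--fakeEmail` and `--digestInterval -1` into the image's default command, where the previous `CMD [ "npm", "start" ]` left that to `package.json`; if these are test-only switches, a comment explaining why they belong in the image default (or passing them at container start instead) would help the next reader, since the image is otherwise hardened for production (`NODE_ENV production`, `USER node`, digest-pinned base). Two smaller points: the commented-out bson `sed` fix left between the two `FROM` lines is now dead text in a build stage whose `node_modules` are copied out wholesale, so either drop it or say why it is kept; and the `--chown=node:node` on the build-stage `COPY ./package*.json` has no effect on the result, because that stage runs as root and the final stage re-chowns `node_modules` on `COPY --from=build`.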