feat(deploy): polish ngxapi Dockerfile.

make it run with unprivileged user
xmlking · Mar 14, 2019 · 0ced24a · 0ced24a
1 parent c68a363
commit 0ced24a
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 22 deletions.
diff --git a/.deploy/api/Dockerfile b/.deploy/api/Dockerfile
@@ -1,26 +1,63 @@
+# First stage: cache the dev dependencies.
 FROM node:alpine as dev-dependencies
 WORKDIR /app
 COPY package.json package-lock.json ./
 RUN npm ci
+# Create the user and group files that will be used in the running container to
+# run the process as an unprivileged user.
+RUN mkdir /user && \
+    echo 'nobody:x:65534:65534:nobody:/:' > /user/passwd && \
+    echo 'nobody:x:65534:' > /user/group
 
+# Second stage: cache the prod dependencies.
 FROM node:alpine as prod-dependencies
 WORKDIR /app
 COPY package.api.json package.json
 RUN npm i --production
 
+# Third stage: build the executable.
 FROM node:alpine as builder
 WORKDIR /app
 COPY --from=dev-dependencies /app /app
 COPY apps/api apps/api
+COPY libs/models libs/models
+COPY libs/utils libs/utils
 COPY angular.json nx.json tsconfig.json ./
 ENV NODE_ENV production
-RUN $(npm bin)/rimraf dist && $(npm bin)/ng build api --prod
+RUN $(npm bin)/ng build api --prod
 
+# Final stage: the running container.
 FROM astefanutti/scratch-node:11
+# Import the user and group files from the first stage.
+COPY --from=dev-dependencies /user/group /user/passwd /etc/
 COPY --from=prod-dependencies /app  .
 COPY --from=builder /app/dist/apps/api .
 EXPOSE 3000
+
+# Perform any further action as an unprivileged user.
+USER nobody:nobody
+
+# Metadata params
+ARG VERSION=0.0.1
+ARG BUILD_DATE
+ARG VCS_URL=ngx-starter-kit
+ARG VCS_REF=1
+ARG NAME=ngxapi
+ARG VENDOR=sumo
+
+# Metadata
+LABEL org.label-schema.build-date=$BUILD_DATE \
+      org.label-schema.name=$NAME \
+      org.label-schema.description="NGX Api" \
+      org.label-schema.url="https://example.com" \
+      org.label-schema.vcs-url=https://github.com/xmlking/$VCS_URL \
+      org.label-schema.vcs-ref=$VCS_REF \
+      org.label-schema.vendor=$VENDOR \
+      org.label-schema.version=$VERSION \
+      org.label-schema.docker.schema-version="1.0" \
+      org.label-schema.docker.cmd="docker run -it -p 3000:3000  xmlking/ngxapi"
+
 ENTRYPOINT ["./node", "main.js"]
 
-# TODO: Add non-root User
+# TODO:
 # https://github.com/alextanhongpin/go-docker-multi-stage-build/blob/master/Dockerfile
diff --git a/.deploy/api/README.md b/.deploy/api/README.md
@@ -4,14 +4,29 @@ Deploying NGX API
 
 ### Build
 ```bash
-# build app docker image
-docker build --tag=ngxapi -f .deploy/api/Dockerfile . 
+# build
+VERSION=1.5.0-SNAPSHOT
+docker build \
+--build-arg VERSION=$VERSION \
+--build-arg BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ') \
+-t xmlking/ngxapi -f .deploy/api/Dockerfile .
+
+# tag
+docker tag  xmlking/ngxapi  xmlking/ngxapi:$VERSION
+
+# push
+docker push xmlking/ngxapi:$VERSION
+docker push xmlking/ngxapi:latest
+
+# check
+docker inspect  xmlking/ngxapi:$VERSION
+docker image prune -f
 ```
 
 ### Run
 ```bash
 docker-compose up api
-# docker run -it --env TYPEORM_HOST=postgres -p 3000:3000  ngxapi
+# docker run -it --env TYPEORM_HOST=postgres -p 3000:3000  xmlking/ngxapi
 # to see ditectory content:
 docker-compose exec api ./node
 docker-compose exec api ./node -e 'console.log(__dirname);'
@@ -29,23 +44,6 @@ curl -v -X GET \
 | jq .
 ```
 
-
-### Deploy
-
-#### Docker Push
-```bash
-# login to hub.docker.com to push docker image
-docker login
-
-# tag
-docker tag ngxapi xmlking/ngxapi:1.2.0-SNAPSHOT
-docker tag xmlking/ngxapi:1.2.0-SNAPSHOT  xmlking/ngxapi:latest
-
-# push
-docker push xmlking/ngxapi:1.2.0-SNAPSHOT
-docker push xmlking/ngxapi:latest
-```
-
 #### OpenShift Deployment
 > Deploy ngxapi to OpenShift