From 652e665726ef7263b6689db07f3d90e2e97cfb73 Mon Sep 17 00:00:00 2001
From: Damien Laureaux
Date: Thu, 24 Oct 2024 16:22:27 +0200
Subject: [PATCH] fix(docker): reduce Docker size + improve security

---
 app.dockerfile | 39 ++++++++++++++++++++++++++++---------
 backend.dockerfile | 47 ++++++++++++++++++++++++++++++++++++---------
 docker-compose.yaml | 4 ++--
 3 files changed, 70 insertions(+), 20 deletions(-)

diff --git a/app.dockerfile b/app.dockerfile
index ff1824d..f19ec4a 100644
--- a/app.dockerfile
+++ b/app.dockerfile
@@ -1,15 +1,36 @@
-FROM node:alpine
+#############################
+# Build stage
+#############################
 
-ARG NEXT_PUBLIC_WS_URL=ws://127.0.0.1:3001
-ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api
-ENV NEXT_PUBLIC_WS_URL=${NEXT_PUBLIC_WS_URL}
-ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
+FROM node:22-alpine AS builder
 
-WORKDIR /home/perplexica
+WORKDIR /app
 
-COPY ui /home/perplexica/
+# Copy package.json and yarn.lock
+COPY ui/package.json ui/yarn.lock ./
 
-RUN yarn install --frozen-lockfile
-RUN yarn build
+# Copy the rest of the application code
+COPY ui .
 
+# Install dependencies & build the application
+RUN yarn install --frozen-lockfile && yarn build
+
+#############################
+# Production stage
+#############################
+
+FROM node:22-alpine
+
+WORKDIR /app
+
+# Copy built assets from the builder stage
+COPY --from=builder /app/.next ./.next
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/package.json ./package.json
+COPY --from=builder /app/public ./public
+
+# Run the Docker image as node instead of root
+USER node
+
+# Start the application
 CMD ["yarn", "start"]
\ No newline at end of file
diff --git a/backend.dockerfile b/backend.dockerfile
index 87cd21c..36b23b7 100644
--- a/backend.dockerfile
+++ b/backend.dockerfile
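Review bot: The builder stage in app.dockerfile no longer declares `NEXT_PUBLIC_WS_URL` / `NEXT_PUBLIC_API_URL` before `yarn build`; Next.js inlines `NEXT_PUBLIC_*` values into the client bundle at build time, so if the UI reads them there the image can no longer be pointed at a different backend via `--build-arg`, and restoring `ARG NEXT_PUBLIC_API_URL=http://127.0.0.1:3001/api` plus `ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}` (and the WS pair) in the builder stage keeps that contract. Separately, `COPY ui/package.json ui/yarn.lock ./` is immediately followed by `COPY ui .` before `yarn install`, so the manifest-only layer buys no cache reuse; placing `RUN yarn install --frozen-lockfile` between the two COPYs (the backend.dockerfile hunk has the same ordering, with `COPY src ./src` ahead of its install) lets the dependency layer survive source-only changes. The production stage copies `.next`, `node_modules`, `package.json` and `public` without `--chown`, unlike backend.dockerfile, so they stay root-owned under `USER node`; that is fine for read-only use, but anything `next start` tries to write under `.next` would fail, and `--chown=node:node` on those four COPYs makes the two Dockerfiles consistent. The whole builder `node_modules`, devDependencies included, is also shipped; a `yarn install --frozen-lockfile --production` in the final stage would shrink the image further.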
@@ -1,16 +1,45 @@
+#############################
+# Build stage
+#############################
+
+FROM node:18-slim AS builder
+
+WORKDIR /app
+
+# Copy package.json and yarn.lock
+COPY package.json yarn.lock ./
+
+# Copy the rest of the application code
+COPY tsconfig.json drizzle.config.ts ./
+COPY src ./src
+
+# Install dependencies & build the application
+RUN yarn install --frozen-lockfile --network-timeout 600000 && yarn build
+
+#############################
+# Production stage
+#############################
+
 FROM node:18-slim
 
-WORKDIR /home/perplexica
+WORKDIR /app
 
-COPY src /home/perplexica/src
-COPY tsconfig.json /home/perplexica/
-COPY drizzle.config.ts /home/perplexica/
-COPY package.json /home/perplexica/
-COPY yarn.lock /home/perplexica/
+# Copy built assets and necessary files from the builder stage
+COPY --chown=node:node --from=builder /app/dist ./dist
+COPY --chown=node:node --from=builder /app/node_modules ./node_modules
 
-RUN mkdir /home/perplexica/data
+# Copy the rest of the application code
+COPY --chown=node:node ./drizzle.config.ts ./
+COPY --chown=node:node ./tsconfig.json ./
+COPY --chown=node:node ./src/db/schema.ts ./src/db/schema.ts
+COPY --chown=node:node ./package.json ./package.json
 
-RUN yarn install --frozen-lockfile --network-timeout 600000
-RUN yarn build
+# Create data directory & set permissions to node user
+RUN mkdir /app/data && \
+ chown -R node:node /app/data
 
+# Run the Docker image as node instead of root
+USER node
+
+# Start the application
 CMD ["yarn", "start"]
\ No newline at end of file
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 46d82c6..25d6ec2 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -21,8 +21,8 @@ services:
     ports:
       - 3001:3001
     volumes:
-      - backend-dbstore:/home/perplexica/data
-      - ./config.toml:/home/perplexica/config.toml
+      - backend-dbstore:/app/data:rw
+      - ./config.toml:/app/config.toml:rw
     extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
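Review bot: The production stage takes `node_modules` wholesale from the builder (`COPY --chown=node:node --from=builder /app/node_modules ./node_modules`), and the builder installed with a plain `yarn install --frozen-lockfile`, so every devDependency the project declares (TypeScript toolchain, build-only plugins) lands in the runtime image, working against both halves of the commit title. Replacing that COPY with `COPY --chown=node:node package.json yarn.lock ./` followed by `RUN yarn install --frozen-lockfile --production --network-timeout 600000 && yarn cache clean` in the production stage keeps only runtime packages. The two Dockerfiles now also disagree on the Node major (22 for the UI, 18 here) and both use floating tags; aligning the versions and pinning by digest would make rebuilds reproducible. Finally, `tsconfig.json`, `drizzle.config.ts` and `src/db/schema.ts` are copied into the runtime image, presumably because migrations run at start-up; if so, a one-line comment such as `# Needed at runtime by drizzle for migrations` above those COPYs would stop a later cleanup from dropping them.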
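Review bot: `:rw` is the compose default, so apart from the path rename these two volume lines change nothing; if the backend only reads `config.toml`, mounting it as `./config.toml:/app/config.toml:ro` would deny the container write access to a host-side configuration file. If the backend does write `config.toml` back (a settings endpoint, for example), keep `rw` but note that a bind mount keeps the host file's ownership, so it must be writable by the container's `node` user (uid 1000 in the official `node` image) for those writes to succeed now that the image no longer runs as root.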