-
Notifications
You must be signed in to change notification settings - Fork 0
/
Dockerfile.distroless
166 lines (140 loc) · 6.65 KB
/
Dockerfile.distroless
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# syntax=docker/dockerfile:1.7.1
# Copyright (C) 2023 - Juergen Zimmermann, Hochschule Karlsruhe
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# Aufruf: docker build --tag juergenzimmermann/buch:2024.04.0-distroless --file Dockerfile.distroless .
# ggf. --progress=plain
# ggf. --no-cache
# Get-Content Dockerfile | docker run --rm --interactive hadolint/hadolint:2.12.1-beta-debian
# Linux: cat Dockerfile | docker run --rm --interactive hadolint/hadolint:2.12.1-beta-debian
# docker network ls
# https://docs.docker.com/engine/reference/builder/#syntax
# https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/syntax.md
# https://hub.docker.com/r/docker/dockerfile
# https://docs.docker.com/build/building/multi-stage
# https://github.com/textbook/starter-kit/blob/main/Dockerfile
# https://snyk.io/blog/10-best-practices-to-containerize-nodejs-web-applications-with-docker
# Distroless-Image
# - auf Basis von Debian 12 (bookworm)
# - ohne Shell, Package Manager, GUI, grep, sed, awk, ...
# - nur 2% der Größe von Debian und 50 % von Alpine
# - mit Node 22 ca. 170 MB:
# - von Google
# - https://console.cloud.google.com/gcr/images/distroless/global/nodejs22-debian12
# ---------------------------------------------------------------------------------------
# S t a g e d i s t
# ---------------------------------------------------------------------------------------
ARG NODE_VERSION=22.2.0
FROM node:${NODE_VERSION}-bookworm AS dist
# https://packages.debian.org/bookworm/python3.11-minimal
# https://packages.debian.org/trixie/python3.12-minimal
# "python3-dev" enthaelt "multiprocessing"
# "build-essential" enthaelt "make"
# apt-get install --no-install-recommends --yes python3.11-minimal=3.11.2-6 python3.11-dev=3.11.2-6 build-essential=12.9
RUN <<EOF
# https://explainshell.com/explain?cmd=set+-eux
set -eux
npm i -g --no-audit --no-fund npm
EOF
USER node
WORKDIR /home/node
COPY src ./src
# https://docs.docker.com/engine/reference/builder/#run---mounttypebind
RUN --mount=type=bind,source=package.json,target=package.json \
--mount=type=bind,source=package-lock.json,target=package-lock.json \
--mount=type=bind,source=nest-cli.json,target=nest-cli.json \
--mount=type=bind,source=tsconfig.json,target=tsconfig.json \
--mount=type=bind,source=tsconfig.build.json,target=tsconfig.build.json \
--mount=type=cache,target=/root/.npm <<EOF
set -eux
# ci (= clean install) mit package-lock.json
npm ci --no-audit --no-fund
npm run build
EOF
# ------------------------------------------------------------------------------
# S t a g e d e p e n d e n c i e s
# ------------------------------------------------------------------------------
FROM node:${NODE_VERSION}-bookworm-slim AS dependencies
RUN <<EOF
set -eux
apt-get update
apt-get upgrade --yes
# Debian Bookworm bietet nur Packages fuer Python 3.11; Ubuntu Jammy LTS nur fuer Python 3.10
# Python 3.12: Uebersetzung des Python-Quellcodes erforderlich
# https://itnixpro.com/how-to-install-python-3-12-on-debian-12debian-11
apt-get install --no-install-recommends --yes python3.11=3.11.2-6 python3.11-dev=3.11.2-6 build-essential=12.9
ln -s /usr/bin/python3.11 /usr/bin/python3
ln -s /usr/bin/python3.11 /usr/bin/python
npm i -g --no-audit --no-fund npm
EOF
USER node
WORKDIR /home/node
RUN --mount=type=bind,source=package.json,target=package.json \
--mount=type=bind,source=package-lock.json,target=package-lock.json \
--mount=type=cache,target=/root/.npm <<EOF
set -eux
# ci (= clean install) mit package-lock.json
# --omit=dev: ohne devDependencies
npm ci --no-audit --no-fund --omit=dev --omit=peer
EOF
# ------------------------------------------------------------------------------
# S t a g e d u m b - i n i t
# ------------------------------------------------------------------------------
# gcr.io/distroless/nodejs22-debian12:nonroot basiert auf Debian Bookworm
FROM debian:bookworm-slim AS dumb-init
# dumb-init installieren, um im finalen Image "node" aufrufen zu koennen
RUN <<EOF
set -eux
# Katalog der verfuegbaren Debian-Packages aktualisieren
apt-get update
# Das eigentliche "Update" der installierten Debian-Packages
apt-get upgrade --yes
# https://github.com/Yelp/dumb-init
# https://packages.debian.org/bookworm/dumb-init
apt-get install --no-install-recommends --yes dumb-init=1.2.5-2
apt-get autoremove --yes
apt-get clean --yes
rm -rf /var/lib/apt/lists/*
rm -rf /tmp/*
EOF
# ------------------------------------------------------------------------------
# S t a g e f i n a l
# ------------------------------------------------------------------------------
# https://github.com/GoogleContainerTools/distroless
# https://console.cloud.google.com/gcr/images/distroless/global/nodejs2-debian12
FROM gcr.io/distroless/nodejs22-debian12:nonroot AS final
# FROM gcr.io/distroless/nodejs22-debian12:debug-nonroot AS final
# Anzeige bei "docker inspect ..."
# https://specs.opencontainers.org/image-spec/annotations
# https://spdx.org/licenses
# MAINTAINER ist deprecated https://docs.docker.com/engine/reference/builder/#maintainer-deprecated
LABEL org.opencontainers.image.title="buch" \
org.opencontainers.image.description="Appserver buch mit distroless-Image" \
org.opencontainers.image.version="2024.04.0-distroless" \
org.opencontainers.image.licenses="GPL-3.0-or-later" \
org.opencontainers.image.authors="Juergen.Zimmermann@h-ka.de"
WORKDIR /opt/app
COPY --chown=nonroot:nonroot package.json .env ./
COPY --from=dependencies --chown=nonroot:nonroot /home/node/node_modules ./node_modules
COPY --from=dist --chown=nonroot:nonroot /home/node/dist ./dist
COPY --chown=nonroot:nonroot src/config/resources ./dist/config/resources
COPY --from=dumb-init /usr/bin/dumb-init /usr/bin/dumb-init
USER nonroot
EXPOSE 3000
# Bei CMD statt ENTRYPOINT kann das Kommando bei "docker run ..." ueberschrieben werden
# "Array Syntax" damit auch <Strg>C funktioniert
# https://github.com/Yelp/dumb-init:
# "a simple process supervisor and init system designed to run as PID 1 inside
# minimal container environments (such as Docker)""
ENTRYPOINT ["dumb-init", "/nodejs/bin/node", "dist/main.js"]