fix(docker): remediate all DockerSpec violations for field trial
- Replace docker-compose.yml → compose.yaml (modern Compose Spec, no version header) - Replace docker-compose.monitoring.yml → compose.monitoring.yaml - Remove deprecated version: '3.x' headers from both compose files - Add dedicated app-tier bridge network (no default bridge) - Add restart: unless-stopped to all services - Add deploy.resources.limits (memory + cpu) to all services - Add healthcheck to app service (curl /health) - Add healthchecks to prometheus and grafana in monitoring overlay - Externalize postgres credentials to env vars (POSTGRES_USER/PASSWORD/DB) - Externalize grafana admin password to GF_ADMIN_PASSWORD env var - Make env_file optional (required: false) for CI/field-trial environments - Update Dockerfile: node:18-alpine → node:20.11-bookworm-slim (pinned version) - Add explicit non-root system user/group (nodejs:1001/nodeapp:1001) - Add curl install to final stage for healthcheck probe - Copy src/db/migrations from build stage (not host bind) - Expand .dockerignore: tmp/, temp/, *.env.*, compose files, Dockerfiles - Add .env.example to git (was ignored by .env.* rule — add !.env.example exception) - Add POSTGRES_USER/PASSWORD/DB and GF_ADMIN_PASSWORD to .env.example All compose files pass: docker compose config --quiet ✅ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SentryAgent.ai Developer
31
Dockerfile
31
Dockerfile
@@ -1,7 +1,7 @@
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# Stage 1: builder — compile TypeScript to dist/
|
||||
# Stage 1: build — compile TypeScript to dist/
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
FROM node:18-alpine AS builder
|
||||
FROM node:20.11-bookworm-slim AS build
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
@@ -16,25 +16,32 @@ COPY scripts/ ./scripts/
|
||||
RUN npm run build
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
# Stage 2: production — minimal runtime image
|
||||
# Stage 2: final — minimal, non-root runtime image
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
FROM node:18-alpine AS production
|
||||
FROM node:20.11-bookworm-slim AS final
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# Install curl for healthcheck probe — then clean up apt cache in same layer
|
||||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends curl && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Create dedicated non-root system user/group — containers must never run as root
|
||||
RUN groupadd --system --gid 1001 nodejs && \
|
||||
useradd --system --uid 1001 --gid nodejs nodeapp
|
||||
|
||||
# Copy package files and install production dependencies only
|
||||
COPY package.json package-lock.json ./
|
||||
RUN npm ci --omit=dev
|
||||
|
||||
# Copy compiled output from builder stage
|
||||
COPY --from=builder /app/dist ./dist
|
||||
# Copy compiled artifacts and runtime-required files from build stage only
|
||||
COPY --from=build /app/dist ./dist
|
||||
COPY --from=build /app/scripts ./scripts
|
||||
COPY --from=build /app/src/db/migrations ./src/db/migrations
|
||||
|
||||
# Copy migration scripts (needed for db:migrate at deploy time)
|
||||
COPY --from=builder /app/scripts ./scripts
|
||||
COPY src/db/migrations ./src/db/migrations
|
||||
|
||||
# Run as non-root user (built into node:alpine)
|
||||
USER node
|
||||
# Drop root — all subsequent instructions and the running container use nodeapp
|
||||
USER nodeapp
|
||||
|
||||
EXPOSE 3000
|
||||
|
||||
|
||||
Reference in New Issue
Block a user