From 961ff38eb5627a1705c3e3016b69f4d4e3300b53 Mon Sep 17 00:00:00 2001 From: James Blair Date: Tue, 16 Jun 2020 18:21:17 +1200 Subject: [PATCH 1/5] Switched to non root user and alpine. --- Dockerfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0930dd39..a4177aba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:12 as builder +FROM node:12-alpine as builder WORKDIR /usr/src/app @@ -7,9 +7,12 @@ COPY ui/ . RUN yarn install --frozen-lockfile RUN yarn export -FROM node:12 +FROM node:12-alpine LABEL maintainer="OhMyForm " +# Create a group and a user with name "ohmyform". +RUN addgroup --gid 9999 ohmyform && adduser -D --uid 9999 -G ohmyform ohmyform + WORKDIR /usr/src/app COPY api/ . @@ -27,4 +30,7 @@ ENV PORT=3000 \ EXPOSE 3000 +# Change to non-root privilege +USER ohmyform + CMD [ "yarn", "start:prod" ] From 97af16862a86340a243ea8c8d342a004932da960 Mon Sep 17 00:00:00 2001 From: James Blair Date: Tue, 16 Jun 2020 18:52:24 +1200 Subject: [PATCH 2/5] Applied #97 suggested dockerfile. --- Dockerfile | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index a4177aba..601c9709 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,5 @@ -FROM node:12-alpine as builder +## Build API +FROM node:12 as api WORKDIR /usr/src/app 
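Review bot: In patch 1/5, hunk `@@ -1,4 +1,4 @@`, the new base `node:12-alpine` is a floating tag, so the same Dockerfile can resolve to different image contents from one build to the next; the runtime `FROM node:12-alpine` in the next hunk has the same issue. Pinning a full version and a digest makes the build reproducible and makes a base-image change visible in review, e.g. `FROM node:12-alpine@sha256:<digest-of-the-reviewed-image> AS builder` (placeholder digest). The stage keyword is also conventionally written upper-case, `AS`.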
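Review bot: In patch 1/5, hunk `@@ -27,4 +30,7 @@`, `USER ohmyform` names the account rather than its ID. A runtime that enforces non-root by inspecting the image's user (Kubernetes `runAsNonRoot`, for example) cannot verify a non-numeric user and refuses to start the container unless the deployment also sets a numeric run-as user. Since the account is created with fixed IDs in the previous hunk, `USER 9999:9999` says the same thing in a form that can be checked. The comment above it could then read `# Drop root: run as ohmyform (UID/GID 9999)`.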
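Review bot: In patch 2/5, hunk `@@ -1,4 +1,5 @@`, the first stage is now commented `## Build API` and named `api`, but judging by the `COPY ui/ .` and `RUN yarn export` lines visible at the top of the next hunk it builds the UI, while the stage that copies `api/` is named `app`. Naming each stage after what it builds makes it harder for a later `COPY --from=` to pull from the wrong stage: `FROM node:12 AS ui` here and `COPY --from=ui /usr/src/app/out /usr/src/app/public` in the next hunk. This hunk also moves the base from `node:12-alpine` back to `node:12`, undoing half of patch 1/5, which the commit message does not mention.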
@@ -7,20 +8,24 @@ COPY ui/ . RUN yarn install --frozen-lockfile RUN yarn export -FROM node:12-alpine +## Build APP +FROM node:12 as app LABEL maintainer="OhMyForm " -# Create a group and a user with name "ohmyform". -RUN addgroup --gid 9999 ohmyform && adduser -D --uid 9999 -G ohmyform ohmyform - WORKDIR /usr/src/app COPY api/ . -COPY --from=builder /usr/src/app/out /usr/src/app/public +COPY --from=api /usr/src/app/out /usr/src/app/public RUN yarn install --frozen-lockfile RUN yarn build +## Production Image. +FROM node:12 + +WORKDIR /usr/src/app +COPY --from=app /usr/src/app /usr/src/app +RUN addgroup --gid 9999 ohmyform && adduser --disabled-login --uid 9999 --gid 9999 ohmyform ENV PORT=3000 \ SECRET_KEY=ChangeMe \ CREATE_ADMIN=FALSE \ @@ -29,8 +34,5 @@ ENV PORT=3000 \ ADMIN_PASSWORD=root EXPOSE 3000 - -# Change to non-root privilege USER ohmyform - CMD [ "yarn", "start:prod" ] From b36a73afdb8ced00c7f1764de541ebf8f8868806 Mon Sep 17 00:00:00 2001 From: James Blair Date: Tue, 16 Jun 2020 19:12:18 +1200 Subject: [PATCH 3/5] Corrected ownership of schema file. --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 601c9709..e3c3f132 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,6 +20,9 @@ COPY --from=api /usr/src/app/out /usr/src/app/public RUN yarn install --frozen-lockfile RUN yarn build +## Glue +RUN touch /usr/src/app/src/schema.gql && chown ohmyform:ohmyform /usr/src/app/src/schema.gql + ## Production Image. FROM node:12 From d67a780185b1e832e598d018bf9dcb1e3a467652 Mon Sep 17 00:00:00 2001 From: James Blair Date: Tue, 16 Jun 2020 19:15:58 +1200 Subject: [PATCH 4/5] Reverted "Corrected ownership of schema file." This reverts commit b36a73afdb8ced00c7f1764de541ebf8f8868806. --- Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index e3c3f132..601c9709 100644 --- a/Dockerfile +++ b/Dockerfile 
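Review bot: In patch 2/5, hunk `@@ -7,20 +8,24 @@`, the new production stage still ships `SECRET_KEY=ChangeMe` as an image default (with `ADMIN_PASSWORD=root` visible in the following hunk), so a container started without overrides runs with values anyone can read from the Dockerfile or the image configuration. Leaving the secret entries out of `ENV` and making startup fail when they are unset forces each deployment to supply its own values. The `ENV` block is only partly visible in these hunks, so other entries may need the same look. Separately, `COPY --from=app /usr/src/app /usr/src/app` carries the whole build tree into the final image, presumably including the dev dependencies installed by `yarn install --frozen-lockfile`; copying only the built output and production dependencies would reduce what ships.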
@@ -20,9 +20,6 @@ COPY --from=api /usr/src/app/out /usr/src/app/public RUN yarn install --frozen-lockfile RUN yarn build -## Glue -RUN touch /usr/src/app/src/schema.gql && chown ohmyform:ohmyform /usr/src/app/src/schema.gql - ## Production Image. FROM node:12 From c6360ce3bef9c59fead74584765cf5ac984b37db Mon Sep 17 00:00:00 2001 From: James Blair Date: Tue, 16 Jun 2020 19:18:21 +1200 Subject: [PATCH 5/5] Corrected ownership of schema file. --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 601c9709..619225a0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,9 @@ COPY --from=api /usr/src/app/out /usr/src/app/public RUN yarn install --frozen-lockfile RUN yarn build +## Glue +RUN addgroup --gid 9999 ohmyform && adduser --disabled-login --uid 9999 --gid 9999 ohmyform && \ + touch /usr/src/app/src/schema.gql && chown ohmyform:ohmyform /usr/src/app/src/schema.gql ## Production Image. FROM node:12
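Review bot: In patch 5/5, hunk `@@ -19,6 +19,9 @@`, the `ohmyform` account is created a second time in the `app` build stage only so that `chown` can resolve the name. The fix then helps at runtime only if the numeric owner carried over by `COPY --from=app` matches the account created in the production stage (patch 2/5), so the ID 9999 is now hard-coded in two stages that must stay in sync. A numeric `chown` removes the duplicate account and makes that coupling explicit: `RUN touch /usr/src/app/src/schema.gql && chown 9999:9999 /usr/src/app/src/schema.gql`, preceded by a comment such as `# schema.gql must be writable by the runtime user (UID/GID 9999, created in the production stage)` in place of `## Glue`. Granting write access to this one file rather than the whole tree is the right scope.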