feat: server Dockerfile - added USER instruction not to run under the root user

dd9bc287 · Lukáš Kratochvíl · 13463909 · dd9bc287
Commit dd9bc287 authored 2 years ago by Lukáš Kratochvíl
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
 #---------- DEVELOPMENT ----------
 FROM node:16-alpine AS development

+# we do not want to run under the root user
+USER node
+
 # install node_modules outside app root in container so local development won't run into a problem of bind-mounting over it with local source code
 WORKDIR /usr/src

-COPY ["package.json", "package-lock.json", "./"]
+COPY --chown=node:node ["package.json", "package-lock.json", "./"]
 RUN npm install
 # ensures that exactly these executables (from the node_modules folder) are used instead of any other executables which might also be installed on the system inside the Docker image
 ENV PATH=/usr/src/node_modules/.bin:$PATH

 WORKDIR /usr/src/app

-COPY prisma/schema.prisma ./prisma/
+COPY --chown=node:node prisma/schema.prisma ./prisma/
 RUN npx prisma generate

-COPY . .
+COPY --chown=node:node . .

 CMD ["npm", "run", "start:dev"]

@@ -22,13 +25,16 @@ CMD ["npm", "run", "start:dev"]
 #---------- PRODUCTION ----------
 FROM node:16-alpine AS production

+# we do not want to run under the root user
+USER node
+
 ARG NODE_ENV=production
 ENV NODE_ENV=${NODE_ENV}

 WORKDIR /usr/src

-COPY --from=development /usr/src/package.json ./
-COPY --from=development /usr/src/package-lock.json ./
+COPY --chown=node:node --from=development /usr/src/package.json ./
+COPY --chown=node:node --from=development /usr/src/package-lock.json ./
 # install only 'dependencies' and not 'devDependencies'
 RUN npm install --omit=dev
 # ensures that exactly these executables (from the node_modules folder) are used instead of any other executables which might also be installed on the system inside the Docker image
@@ -36,9 +42,9 @@ ENV PATH=/usr/src/node_modules/.bin:$PATH

 WORKDIR /usr/src/app

-COPY prisma/schema.prisma ./prisma/
+COPY --chown=node:node prisma/schema.prisma ./prisma/
 RUN npx prisma generate

-COPY --from=development /usr/src/app/dist ./dist
+COPY --chown=node:node --from=development /usr/src/app/dist ./dist

 CMD ["npm", "run", "start:prod"]