feat(docker): update Dockerfile for improved security and add entrypoint script for permission handling

This commit is contained in:
Daniel Volz
2025-12-27 08:54:54 +01:00
parent dd943f7fb2
commit d39ab010a0
3 changed files with 74 additions and 18 deletions
+21 -11
@@ -4,7 +4,6 @@
# Security measures applied:
# - Non-root user execution
# - Multi-stage build (minimal runtime image)
# - No shell in final image (distroless)
# - Read-only filesystem compatible
# - No unnecessary packages
# - Specific image versions pinned
@@ -31,16 +30,27 @@ RUN npm ci --omit=dev --ignore-scripts && \
npm cache clean --force
# -----------------------------------------------------------------------------
# Stage 2: Production Runtime (Distroless - no shell, minimal attack surface)
# Stage 2: Production Runtime
# -----------------------------------------------------------------------------
FROM gcr.io/distroless/nodejs22-debian12 AS runner
FROM node:22-slim AS runner
WORKDIR /app
# Copy built application with correct ownership (nonroot = uid 65532)
COPY --from=builder --chown=65532:65532 /app/node_modules ./node_modules
COPY --from=builder --chown=65532:65532 /app/dist ./dist
COPY --from=builder --chown=65532:65532 /app/package.json ./
# Create non-root user with specific UID for consistent bind mount permissions
RUN groupadd --gid 1000 appgroup && \
useradd --uid 1000 --gid appgroup --shell /bin/sh --create-home appuser
# Copy built application
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/package.json ./
# Create data directory and set ownership
RUN mkdir -p /app/data && chown -R appuser:appgroup /app
# Copy entrypoint script
COPY docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod +x /docker-entrypoint.sh
# Environment configuration
ENV NODE_ENV=production
@@ -49,8 +59,8 @@ ENV PORT=3000
# Expose application port
EXPOSE 3000
# Run as non-root user (distroless default user)
USER nonroot
# Entrypoint runs as root to fix permissions, then drops to appuser
ENTRYPOINT ["/docker-entrypoint.sh"]
# Start application - migrations handled in index.ts
CMD ["dist/index.js"]
# Start application
CMD ["node", "dist/index.js"]
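Review bot: With `USER nonroot` removed and no `USER` directive left in the runtime stage, the image now starts as root, so the "Non-root user execution" claim in the header comment depends entirely on /docker-entrypoint.sh (not in this file) calling `exec` as appuser; that script also needs to cope with an orchestrator forcing a non-root UID (Kubernetes `runAsNonRoot`, `docker run --user`), where the root-only chown step cannot run and must be skipped rather than abort startup. `RUN mkdir -p /app/data && chown -R appuser:appgroup /app` hands the runtime user write access to its own `dist/` and `node_modules/`, which a compromised process could use for persistence; restricting it to the one writable path, `RUN mkdir -p /app/data && chown appuser:appgroup /app/data`, keeps the code tree root-owned and read-only to the app. `node:22-slim` is a floating tag, so the header's "Specific image versions pinned" holds only with a digest, e.g. `FROM node:22-slim@sha256:<digest> AS runner`. If the entrypoint drops privileges with something other than `su -c` (e.g. `setpriv` or `runuser`), appuser does not need a login shell and `--shell /usr/sbin/nologin` would be the least-privilege choice — confirm against the script.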