Revert "Attempt to use distroless image at runtime (#409)" (#411)

synnestokkevaag · web-flow · commit 1aefd389f2d8 · 2025-10-07T14:48:57.000+02:00
This reverts commit de3f520.
diff --git a/packages/backend/Dockerfile b/packages/backend/Dockerfile
@@ -9,41 +9,38 @@
 #
 # Once the commands have been run, you can build the image using `yarn build-image`
 
-# --- Builder: install prod deps and unpack the bundle
-FROM node:22-bookworm-slim AS build
+# From mise.toml
+FROM node:22-bookworm-slim
 
 # Set Python interpreter for `node-gyp` to use
 ENV PYTHON=/usr/bin/python3
 
-# enable Corepack + activate yarn@4.9.1 before dropping privileges
-RUN corepack enable && corepack prepare yarn@4.9.1 --activate
+RUN groupmod -g 150 node && usermod -u 150 -g 150 node
+RUN corepack enable
+# Set the owner of the cache directory to node so we can use corepack
+RUN mkdir -p /home/node/.cache && chown -R node:node /home/node/.cache
 
 # Install isolate-vm dependencies, these are needed by the @backstage/plugin-scaffolder-backend.
+# If sqlite3 is not needed anymore, remove libsqlite3-dev and better-sqlite3.
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && \
-    apt-get install -y --no-install-recommends python3 g++ build-essential && \
+    apt-get install -y --no-install-recommends python3 g++ build-essential libsqlite3-dev && \
     rm -rf /var/lib/apt/lists/*
 
-# Install sqlite3 dependencies. You can skip this if you don't use sqlite3 in the image,
-# in which case you should also move better-sqlite3 to "devDependencies" in package.json.
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \
-    apt-get update && \
-    apt-get install -y --no-install-recommends libsqlite3-dev && \
-    rm -rf /var/lib/apt/lists/*
 
-RUN mkdir -p /home/node/.cache
+# From here on we use the least-privileged `node` user to run the backend.
+USER node
 
 # This should create the app dir as `node`.
 # If it is instead created as `root` then the `tar` command below will fail: `can't create directory 'packages/': Permission denied`.
 # If this occurs, then ensure BuildKit is enabled (`DOCKER_BUILDKIT=1`) so the app dir is correctly created as `node`.
 WORKDIR /app
 
 # Copy files needed by Yarn
-COPY .yarn ./.yarn
-COPY .yarnrc.yml ./
-COPY backstage.json ./
+COPY --chown=node:node .yarn ./.yarn
+COPY --chown=node:node .yarnrc.yml ./
+COPY --chown=node:node backstage.json ./
 
 # This switches many Node.js dependencies to production mode.
 ENV NODE_ENV=production
@@ -55,23 +52,17 @@ ENV NODE_OPTIONS="--no-node-snapshot"
 # Copy repo skeleton first, to avoid unnecessary docker cache invalidation.
 # The skeleton contains the package.json of each package in the monorepo,
 # and along with yarn.lock and the root package.json, that's enough to run yarn install.
-COPY yarn.lock package.json packages/backend/dist/skeleton.tar.gz ./
+COPY --chown=node:node yarn.lock package.json packages/backend/dist/skeleton.tar.gz ./
 RUN tar xzf skeleton.tar.gz && rm skeleton.tar.gz
 
-RUN --mount=type=cache,target=/home/node/.cache,sharing=locked,uid=1000,gid=1000 \
-    yarn workspaces focus -A --production && yarn cache clean
+RUN --mount=type=cache,target=/home/node/.cache/yarn,sharing=locked,uid=1000,gid=1000 \
+    yarn workspaces focus --all --production && rm -rf "$(yarn cache clean)"
 
 # Then copy the rest of the backend bundle, along with any other files we might want.
-COPY packages/backend/dist/bundle.tar.gz app-config*.yaml ./
+COPY --chown=node:node packages/backend/dist/bundle.tar.gz app-config*.yaml ./
 RUN tar xzf bundle.tar.gz && rm bundle.tar.gz
 
-# --- Runtime: distroless NodeJS
-FROM gcr.io/distroless/nodejs22-debian12
-ENV NODE_ENV=production
-ENV NODE_OPTIONS="--no-node-snapshot"
-WORKDIR /app
-
-COPY package.json app-config*.yaml  ./
-COPY --from=build /app /app
+RUN mv packages packages_tmp
+RUN mkdir packages
 
-CMD ["packages/backend","--config","app-config.yaml","--config","app-config.production.yaml", "--config","app-config.runtime.yaml"]
+CMD ["sh", "-c", "cp -r packages_tmp/* packages/ && node packages/backend --config app-config.yaml --config app-config.production.yaml --config app-config.runtime.yaml"]
