Commit 008cfbb

🔧 chore(Dockerfile, compose.yaml): use distroless, update Node.js version and enhance security
Updated Node.js version from 20 to 22 in the Dockerfile and switched to using a distroless image to improve container security by removing unnecessary packages and reducing the attack surface. Changed the user to nonroot and specified ownership in the COPY command to avoid running with root privileges. In compose.yaml, added the cap_drop option to remove container capabilities, further enhancing security.
1 parent 029231c commit 008cfbb

2 files changed

+15
-9
lines changed


Dockerfile

Lines changed: 13 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -1,6 +1,8 @@
11
# NPM builder image
2-
FROM node:20-slim as npm_builder
3-
#20.3.0-bookworm-slim (Debian 12)
2+
FROM node:22-bookworm-slim AS npm_builder
3+
#22.12.0-bookworm-slim (Debian 12)
4+
#22-bookworm-slim, 22-slim, 22.12-bookworm-slim, 22.12-slim, 22.12.0-bookworm-slim, 22.12.0-slim, jod-bookworm-slim, jod-slim, lts-bookworm-slim, lts-slim
5+
# bookworm = Debian12
46

57
WORKDIR /app
68
COPY [ "package.json", "package-lock.json", ".npmrc", \
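Review bot: the builder still pulls a floating tag. `FROM node:22-bookworm-slim AS npm_builder` resolves to whatever 22.x is current at build time, while the comment on the next line claims `#22.12.0-bookworm-slim (Debian 12)`; the two drift apart as soon as the next 22.x release ships, and the build stops being reproducible. Pin to the full tag the comment names, or better to a digest (`FROM node:22.12.0-bookworm-slim@sha256:<digest> AS npm_builder`), and let Renovate or Dependabot bump it. The added comment `# bookworm = Debian12` repeats the `(Debian 12)` already on the line above and can be dropped; the `as` to `AS` change is a good fix for the BuildKit casing warning.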
@@ -18,19 +20,21 @@ RUN rm -rf node_modules/ && npm ci --omit dev
1820

1921

2022
# NPM runtime image
21-
FROM node:20-slim as npm_runtime
23+
# See: https://github.com/GoogleContainerTools/distroless/tree/main/examples/nodejs
24+
# For DEBUG: docker run -it --entrypoint=sh gcr.io/distroless/nodejs22-debian12:debug-nonroot
25+
FROM gcr.io/distroless/nodejs22-debian12:nonroot AS npm_runtime
2226

2327
WORKDIR /app
2428

2529
ARG NODE_ENV=production
2630
ENV NODE_ENV $NODE_ENV
2731
ENV PLUGINS=image-plugin,graph-plugin
2832

29-
# Avoid running as root:
30-
USER node
31-
32-
COPY --from=npm_builder [ "/app/node_modules/", "./node_modules/" ]
33-
COPY --from=npm_builder [ "/app/dist/", "./src/" ]
33+
COPY --chown=nonroot:nonroot --from=npm_builder [ "/app/node_modules/", "./node_modules/" ]
34+
COPY --chown=nonroot:nonroot --from=npm_builder [ "/app/dist/", "./src/" ]
3435
COPY [ "./license.md", "./" ]
3536

36-
ENTRYPOINT [ "node", "src/botservice.mjs" ]
37+
# Avoid running as root:
38+
USER nonroot
39+
40+
CMD [ "src/botservice.mjs" ]
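Review bot: `--chown=nonroot:nonroot` on the two `COPY --from=npm_builder` lines makes `node_modules/` and `src/` writable by the very user the service runs as, which works against the hardening this commit is after. The process only needs to read its code and dependencies, so drop the `--chown`, leave the files root-owned with their default world-readable modes, and keep `USER nonroot`; a compromised process can then no longer rewrite its own dependencies or entry script. That also makes the untouched `COPY [ "./license.md", "./" ]` consistent with the other COPY lines. Two smaller points: `gcr.io/distroless/nodejs22-debian12:nonroot` already runs as `nonroot` (uid 65532), so the explicit `USER nonroot` is redundant but harmless and documents intent; and `ENV NODE_ENV $NODE_ENV` in the unchanged context uses the legacy whitespace form that BuildKit now warns about, so `ENV NODE_ENV=$NODE_ENV` is the idiomatic spelling. `CMD [ "src/botservice.mjs" ]` is correct for this base image, whose entrypoint is already the node binary.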

compose.yaml

Lines changed: 2 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -7,6 +7,8 @@ services:
77
args:
88
NODE_ENV: ${NODE_ENV:-production}
99
restart: always
10+
cap_drop:
11+
- ALL
1012
env_file: .env # Dockerfileでも有効にするために必須
1113
# .envファイルより環境変数を有効にする場合
1214
# environment:
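Review bot: `cap_drop: - ALL` is the right default, but dropping capabilities alone does not stop a setuid or file-capability binary from changing the process's uid, so pair it with `security_opt: - no-new-privileges:true` for defense in depth; and since the image is now distroless with the code copied in at build time, `read_only: true` (plus a `tmpfs` mount for any path the bot writes to) is cheap to add in the same hunk. Separately, the comment on the unchanged `env_file: .env` line (Japanese: "required so that it also takes effect in the Dockerfile") is misleading: `env_file` only populates the running container's environment, not the build; build-time values reach the Dockerfile through the `args:` block shown above, as `NODE_ENV` already does.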
