39 lines
1.5 KiB
Docker
39 lines
1.5 KiB
Docker
# ── Stage 1: install production dependencies ──────────────────────────────────
|
|
# node:20-alpine is used only for npm ci; it never ships to production.
|
|
FROM node:20-alpine AS deps
|
|
|
|
WORKDIR /app
|
|
|
|
# package-lock.json* — the wildcard makes the COPY succeed even if the lock
|
|
# file is absent, so the image can be built from a clean checkout without any
|
|
# local Node installation.
|
|
COPY package.json package-lock.json* ./
|
|
RUN if [ -f package-lock.json ]; then npm ci --omit=dev; else npm install --omit=dev; fi
|
|
|
|
# ── Stage 2: hardened, minimal runtime ────────────────────────────────────────
|
|
# gcr.io/distroless/nodejs20-debian12:nonroot contains only the Node runtime.
|
|
# No shell, no package manager, no OS utilities → drastically reduced attack
|
|
# surface and near-zero CVEs from OS packages. Runs as uid 65532 (nonroot).
|
|
FROM gcr.io/distroless/nodejs20-debian12:nonroot
|
|
|
|
WORKDIR /app
|
|
|
|
COPY --from=deps /app/node_modules ./node_modules
|
|
|
|
# Copy application source
|
|
COPY server ./server
|
|
COPY public ./public
|
|
COPY config ./config
|
|
|
|
ENV NODE_ENV=production
|
|
ENV PORT=8080
|
|
|
|
EXPOSE 8080
|
|
|
|
# Health-check: no wget/curl in distroless — use the bundled Node binary
|
|
# directly via exec form (no shell needed).
|
|
HEALTHCHECK --interval=15s --timeout=5s --start-period=30s --retries=3 \
|
|
CMD ["/nodejs/bin/node", "server/healthcheck.js"]
|
|
|
|
# The distroless ENTRYPOINT is already /nodejs/bin/node; CMD is the argument.
|
|
CMD ["server/index.js"] |