ehsan-minadd/peikarband
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix(docker): improve Dockerfile best practices
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
CD - Build & Deploy / build-and-push (push) Has been cancelled
Details
CD - Build & Deploy / package-helm (push) Has been cancelled
Details
CD - Build & Deploy / deploy-staging (push) Has been cancelled
Details
CD - Build & Deploy / deploy-production (push) Has been cancelled
Details
CD - Build & Deploy / release (push) Has been cancelled
Details
CI / test (3.11) (push) Has been cancelled
Details
CI / test (3.12) (push) Has been cancelled
Details
CI / security (push) Has been cancelled
Details

Browse Source 
Changes:
- Parameterize NODE_VERSION in runtime stage (was hardcoded to 20.x)
- Move RUN commands before USER switch (RUN can't execute as non-root)
- Fix .version file creation before switching to peikarband user
- Reorder security hardening to run before USER switch

This ensures all file system operations complete before dropping privileges.
This commit is contained in:
Ehsan.Asadi
2025-12-30 16:30:06 +03:30
parent e34b2e6d96
commit 0480400078
1 changed files with 9 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
Dockerfile
View File

@@ -86,7 +86,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
&& apt-get clean && apt-get clean
# Install Node.js runtime # Install Node.js runtime
RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \ ARG NODE_VERSION=20
RUN curl -fsSL https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \ && apt-get install -y --no-install-recommends nodejs \
&& rm -rf /var/lib/apt/lists/* \ && rm -rf /var/lib/apt/lists/* \
&& apt-get clean && apt-get clean
@@ -105,6 +106,13 @@ COPY --from=builder /build /app
# Fix ownership # Fix ownership
RUN chown -R peikarband:peikarband /home/peikarband/.local /app RUN chown -R peikarband:peikarband /home/peikarband/.local /app
# Add version info (must be before USER switch)
RUN echo "${VERSION}" > /app/.version && \
chown peikarband:peikarband /app/.version
# Security: Remove unnecessary setuid/setgid permissions
RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
# Set environment variables # Set environment variables
ENV PATH=/home/peikarband/.local/bin:$PATH \ ENV PATH=/home/peikarband/.local/bin:$PATH \
PYTHONUNBUFFERED=1 \ PYTHONUNBUFFERED=1 \
@@ -115,9 +123,6 @@ ENV PATH=/home/peikarband/.local/bin:$PATH \
REFLEX_ENV=production \ REFLEX_ENV=production \
ENVIRONMENT=production ENVIRONMENT=production
# Security: Remove unnecessary setuid/setgid permissions
RUN find / -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true
# Switch to non-root user # Switch to non-root user
USER peikarband USER peikarband
@@ -128,9 +133,6 @@ EXPOSE 3000 8000
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \ HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD curl -f -s -o /dev/null -w "%{http_code}" http://localhost:8000/ping | grep -q "200" || exit 1 CMD curl -f -s -o /dev/null -w "%{http_code}" http://localhost:8000/ping | grep -q "200" || exit 1
# Add version info endpoint
RUN echo "${VERSION}" > /app/.version
# Use tini as init system for proper signal handling # Use tini as init system for proper signal handling
ENTRYPOINT ["/usr/bin/tini", "--"] ENTRYPOINT ["/usr/bin/tini", "--"]