From b4824655dd2735a05454d9a2490ad868f1398bda Mon Sep 17 00:00:00 2001 From: Steve Dogiakos Date: Thu, 11 Jun 2026 21:57:39 -0600 Subject: [PATCH] fix(docker): run container as non-root and exclude local files from image - Add .dockerignore: a local .env, the live SQLite database in data/, .git, and node_modules were previously copied into the published image by COPY - Run the app as the unprivileged node user; pre-create /app/data with matching ownership so named volumes inherit it - Set NODE_ENV=production in the image - Document the one-time volume chown needed when upgrading existing deployments --- .dockerignore | 15 +++++++++++++++ README.md | 11 +++++++++++ docker/Dockerfile | 8 +++++++- 3 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 .dockerignore diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..06cf085 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,15 @@ +.git +.github +node_modules +data +*.db +*.db-shm +*.db-wal +.env +.env.* +!.env.example +*.log +.claude +CLAUDE.md +TODO.md +docker-compose.yml diff --git a/README.md b/README.md index 8ba8e18..5ac4a50 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,17 @@ docker compose up -d 4. Use the setup wizard to configure your first checking account (organization info, bank info, routing/account numbers), or import an existing ezCheckPrinting `.mdb` file. +#### Upgrading from images before v0.5 + +The container now runs as the unprivileged `node` user (UID 1000). Existing data +volumes were written as root, so fix ownership once before upgrading: + +```bash +docker compose down +docker run --rm -v check-printing-data:/data alpine chown -R 1000:1000 /data +docker compose up -d +``` + ### Development (local) ```bash diff --git a/docker/Dockerfile b/docker/Dockerfile index dafd214..2a32c25 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,7 @@ FROM node:20-slim +ENV NODE_ENV=production + # mdbtools for migration script (only needed on first run, stays in image for convenience) RUN apt-get update && apt-get install -y --no-install-recommends mdbtools && rm -rf /var/lib/apt/lists/* @@ -10,9 +12,13 @@ RUN npm ci --omit=dev COPY . . -# Data volume: SQLite database and any runtime uploads +# Data volume: SQLite database and any runtime uploads. +# Pre-create it owned by the unprivileged user so named volumes inherit ownership. +RUN mkdir -p /app/data && chown -R node:node /app VOLUME ["/app/data"] +USER node + EXPOSE 3000 CMD ["node", "src/app.js"]