steve/check-printing
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(docker): run container as non-root and exclude local files from image

Browse Source 
- Add .dockerignore: a local .env, the live SQLite database in data/, .git,
  and node_modules were previously copied into the published image by COPY
- Run the app as the unprivileged node user; pre-create /app/data with
  matching ownership so named volumes inherit it
- Set NODE_ENV=production in the image
- Document the one-time volume chown needed when upgrading existing
  deployments
This commit is contained in:
Steve Dogiakos
2026-06-11 21:57:39 -06:00
parent 674506bd2d
commit b4824655dd
3 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+11
View File
@@ -46,6 +46,17 @@ docker compose up -d
4. Use the setup wizard to configure your first checking account (organization info, bank info, routing/account numbers), or import an existing ezCheckPrinting `.mdb` file.
#### Upgrading from images before v0.5
The container now runs as the unprivileged `node` user (UID 1000). Existing data
volumes were written as root, so fix ownership once before upgrading:
```bash
docker compose down
docker run --rm -v check-printing-data:/data alpine chown -R 1000:1000 /data
docker compose up -d
```
### Development (local)
```bash