fix(docker): run container as non-root and exclude local files from image
- Add .dockerignore: a local .env, the live SQLite database in data/, .git, and node_modules were previously copied into the published image by COPY
- Run the app as the unprivileged node user; pre-create /app/data with matching ownership so named volumes inherit it
- Set NODE_ENV=production in the image
- Document the one-time volume chown needed when upgrading existing deployments
+7
-1
@@ -1,5 +1,7 @@
|
||||
FROM node:20-slim
|
||||
|
||||
ENV NODE_ENV=production
|
||||
|
||||
# mdbtools for migration script (only needed on first run, stays in image for convenience)
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends mdbtools && rm -rf /var/lib/apt/lists/*
|
||||
|
||||
@@ -10,9 +12,13 @@ RUN npm ci --omit=dev
|
||||
|
||||
COPY . .
|
||||
|
||||
# Data volume: SQLite database and any runtime uploads
|
||||
# Data volume: SQLite database and any runtime uploads.
|
||||
# Pre-create it owned by the unprivileged user so named volumes inherit ownership.
|
||||
RUN mkdir -p /app/data && chown -R node:node /app
|
||||
VOLUME ["/app/data"]
|
||||
|
||||
USER node
|
||||
|
||||
EXPOSE 3000
|
||||
|
||||
CMD ["node", "src/app.js"]
|
||||
|
||||
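Review bot: `chown -R node:node /app` on the `RUN mkdir -p /app/data && chown -R node:node /app` line hands the runtime user write access to the application source and node_modules as well as the data directory, so a compromised node process could rewrite its own code, which undercuts the least-privilege intent of the `USER node` switch; it also re-copies every file under /app into a fresh layer. Restricting ownership to the path the process actually writes keeps the code root-owned and read-only for it: `RUN mkdir -p /app/data && chown node:node /app/data`. This assumes the files brought in by `COPY . .` keep world-readable modes (the usual 644/755 from the build context) and that the app writes only under /app/data at runtime; any other runtime-written path would need the same treatment. The `WORKDIR` and dependency-install lines between the two hunks are outside the view, so I could not check whether anything there relies on node owning all of /app.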