build: use a base image for Docker builds #6515
base: master
Conversation
force-pushed from 5fd5a6f to d60ac3d
force-pushed from ea45aa7 to 39e0c0e
@eatyourgreens could you use this PR opportunity to include code comments in the Dockerfile like

Sure! I've added comments, and questions where I don't understand what the Dockerfile is doing.
force-pushed from 1b95940 to 645f823
Looking back through the Dockerfile history for this PR, I discovered that the monorepo originally built and ran on Node 8! That explains why it still has packages that were written as CommonJS modules, using
force-pushed from 645f823 to 10b3b5f
# Add build secrets. | ||
# NB. GitHub warns that ARG should not be used for sensitive data. | ||
ARG CONTENTFUL_ACCESS_TOKEN | ||
|
||
ADD yarn.lock /usr/src/ | ||
ARG CONTENTFUL_SPACE_ID | ||
|
||
RUN chown -R node:node . | ||
ARG SENTRY_AUTH_TOKEN |
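Review bot: `ARG CONTENTFUL_ACCESS_TOKEN` and `ARG SENTRY_AUTH_TOKEN` pass secrets as build args, and the comment two lines above (`# NB. GitHub warns that ARG should not be used for sensitive data.`) already names the problem without fixing it: the value of a build arg is recorded in the history of every layer whose `RUN` uses it and can be read back with `docker history --no-trunc`, so a token supplied this way ships inside the image. Switch these to BuildKit secret mounts, e.g. `RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN ...` reading `/run/secrets/SENTRY_AUTH_TOKEN` only in the step that needs it, and supply the value at build time with `--secret id=SENTRY_AUTH_TOKEN,src=<file>`; the same applies to the two Contentful values. Minor: `ADD yarn.lock /usr/src/` should be `COPY`, since nothing here needs ADD's URL-fetch or archive-extraction behaviour.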
In the production image, change the owner and group of all the app files to `node:node`, then run the Next.js apps as `node`.
Split the Docker build into three stages:

1. base image: Node 20 Alpine with the build environment, package files, Yarn and Lerna config.
2. builder image: bootstraps the project and root apps from the base image.
3. runner image: installs only production dependencies and runs the built apps from the `builder` image. This is the image that's deployed to Kubernetes.

Run the Next.js apps as the `node` user, to secure the apps in production.
force-pushed from 10b3b5f to 55e08c7
Split the Docker build into three stages:

1. base image: Node 20 Alpine with the build environment, package files, Yarn and Lerna config.
2. builder image: bootstraps the project and root apps from the base image.
3. runner image: installs only production dependencies and runs the built apps from the `builder` image. This is the image that's deployed to Kubernetes.

Run the Next.js apps as the `node` user, to secure the apps in production.

Please request review from @zooniverse/frontend team or an individual member of that team.

Linked Issue and/or Talk Post
How to Review
This shouldn't change the final, deployed Docker image. App containers should still run as usual (though with the apps running as `node`, not `root`. See #6514.) The base image should cache some common build layers so that they don't run twice during a build and deploy (eg. setting `NODE_ENV` or setting up the user and group.) It might be easiest to check this by running a branch deploy and checking that everything works as usual.

In the running production container, everything in `/usr/src` should be owned/run by `node`. With docker compose, you can use the `prod-shell` service to check that the production image is set up correctly. eg. check the production deploy environment:

```
jimodonnell@Jims-MBP-2 front-end-monorepo % docker compose run --rm prod-shell
[+] Creating 1/0
 ✔ Network front-end-monorepo_default  Created  0.0s
/usr/src $ ls -al
total 900
drwxr-xr-x    1 node     node          4096 Dec  5 11:35 .
drwxr-xr-x    1 root     root          4096 Dec  5 11:29 ..
drwxr-xr-x    3 node     node          4096 Nov 26 13:25 .yarn
-rw-r--r--    1 node     node           176 Nov 26 13:25 .yarnrc
-rw-r--r--    1 node     node           145 Oct 12 07:57 lerna.json
drwxr-xr-x  663 node     node         32768 Dec  5 11:36 node_modules
-rw-r--r--    1 node     node          1602 Nov 26 13:25 package.json
drwxr-xr-x    1 node     node          4096 Oct 30 12:32 packages
-rw-r--r--    1 node     node        840981 Dec  5 08:26 yarn.lock
/usr/src $ whoami
node
/usr/src $ ps -a
PID   USER     TIME  COMMAND
    1 node      0:00 /bin/sh
   10 node      0:00 ps -a
```

Checklist
PR Creator - Please cater the checklist to fit the review needed for your code changes.
PR Reviewer - Use the checklist during your review. Each point should be checkmarked or discussed before PR approval.
General
- `yarn panic && yarn bootstrap` or `docker-compose up --build` and FEM works as expected

General UX
Example Staging Project: i-fancy-cats
Refactoring
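For reference, the three-stage layout the PR describes, written out as an added example. This is not the zooniverse/front-end-monorepo Dockerfile and nothing in it is taken from the PR's diff: it shows the base, builder and runner stages, ownership set to `node:node`, the apps running as the `node` user, and the three build secrets named in the review comment (`CONTENTFUL_ACCESS_TOKEN`, `CONTENTFUL_SPACE_ID`, `SENTRY_AUTH_TOKEN`) supplied through BuildKit secret mounts rather than `ARG`. The file list, the exposed port and the `yarn build` / `yarn start` commands are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
#
# Added example, not the project's Dockerfile. Three stages (base -> builder
# -> runner); secrets are BuildKit secret mounts, never ARG/ENV, so their values
# land in no layer, no image config and no `docker history` output.
# Assumptions: file list, port 3000, `yarn build` and `yarn start`.

# ---- Stage 1: base ---------------------------------------------------------
# Node 20 Alpine plus only the package manifests and Yarn/Lerna config. What
# never changes between a build and a deploy lives here, so these layers are
# built once and served from cache to both later stages.
FROM node:20-alpine AS base
ENV NODE_ENV=production
WORKDIR /usr/src
# COPY, not ADD: no remote-URL or auto-extract behaviour is wanted here.
# --chown sets ownership at copy time instead of a separate `chown -R` layer.
COPY --chown=node:node package.json yarn.lock lerna.json .yarnrc ./
COPY --chown=node:node .yarn ./.yarn

# ---- Stage 2: builder ------------------------------------------------------
# Bootstraps the monorepo and builds the apps. This stage stays root: it is
# never deployed, only its build output is copied out of it, and the secret
# files below are mounted root-owned with mode 0400 by default.
FROM base AS builder
# Dev dependencies are needed to build; they never reach the runner image.
RUN yarn install --frozen-lockfile --production=false
COPY --chown=node:node . .
# Each secret is a file under /run/secrets for the duration of this one RUN.
# Exporting it into the shell of this step does not persist it anywhere.
RUN --mount=type=secret,id=CONTENTFUL_ACCESS_TOKEN \
    --mount=type=secret,id=CONTENTFUL_SPACE_ID \
    --mount=type=secret,id=SENTRY_AUTH_TOKEN \
    export CONTENTFUL_ACCESS_TOKEN="$(cat /run/secrets/CONTENTFUL_ACCESS_TOKEN)" \
           CONTENTFUL_SPACE_ID="$(cat /run/secrets/CONTENTFUL_SPACE_ID)" \
           SENTRY_AUTH_TOKEN="$(cat /run/secrets/SENTRY_AUTH_TOKEN)" \
    && yarn bootstrap \
    && yarn build

# ---- Stage 3: runner -------------------------------------------------------
# Production dependencies only, plus the built apps from `builder`. This is
# the image that gets deployed.
FROM base AS runner
RUN yarn install --frozen-lockfile --production=true && yarn cache clean
# Built packages arrive already owned by node; no chown pass afterwards.
COPY --from=builder --chown=node:node /usr/src/packages ./packages
# Drop privileges: the app process, and anything exec'd into the container,
# runs as the unprivileged `node` user the official image already provides.
USER node
EXPOSE 3000
CMD ["yarn", "start"]
```

Build it with one `--secret` per id, e.g. `docker build --secret id=SENTRY_AUTH_TOKEN,src=./.secrets/sentry_auth_token --secret id=CONTENTFUL_ACCESS_TOKEN,src=./.secrets/contentful_token --secret id=CONTENTFUL_SPACE_ID,src=./.secrets/contentful_space -t fem:test .` (the `.secrets/` paths are assumptions). Two checks worth running on the result: `docker history --no-trunc fem:test` should show none of the token values in any layer's command, and `docker run --rm fem:test whoami` should print `node`, matching the `prod-shell` session above.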