github/infisical
1
0
Fork 0
mirror of https://github.com/Infisical/infisical.git synced 2026-01-09 15:38:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

run cmd as non root user and update port to non privileged

Browse Source
This commit is contained in:
Maidul Islam
2023-10-17 14:08:22 +01:00
parent 0b40de49ec
commit 04ac54bcfa
1 changed files with 20 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
Dockerfile.standalone-infisical
View File

@@ -41,9 +41,9 @@ FROM base AS frontend-runner
WORKDIR /app WORKDIR /app
RUN addgroup --system --gid 1001 nodejs RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 nextjs RUN adduser --system --uid 1001 non-root-user
RUN mkdir -p /app/.next/cache/images && chown nextjs:nodejs /app/.next/cache/images RUN mkdir -p /app/.next/cache/images && chown non-root-user:nodejs /app/.next/cache/images
VOLUME /app/.next/cache/images VOLUME /app/.next/cache/images
ARG POSTHOG_API_KEY ARG POSTHOG_API_KEY
@@ -53,13 +53,13 @@ ARG INTERCOM_ID
ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \ ENV NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID \
BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID BAKED_NEXT_PUBLIC_INTERCOM_ID=$INTERCOM_ID
COPY --chown=nextjs:nodejs --chmod=555 frontend/scripts ./scripts COPY --chown=non-root-user:nodejs --chmod=555 frontend/scripts ./scripts
COPY --from=frontend-builder /app/public ./public COPY --from=frontend-builder /app/public ./public
RUN chown nextjs:nodejs ./public/data RUN chown non-root-user:nodejs ./public/data
COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/standalone ./ COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/standalone ./
COPY --from=frontend-builder --chown=nextjs:nodejs /app/.next/static ./.next/static COPY --from=frontend-builder --chown=non-root-user:nodejs /app/.next/static ./.next/static
USER nextjs USER non-root-user
ENV NEXT_TELEMETRY_DISABLED 1 ENV NEXT_TELEMETRY_DISABLED 1
@@ -67,6 +67,8 @@ ENV NEXT_TELEMETRY_DISABLED 1
## BACKEND ## BACKEND
## ##
FROM base AS backend-build FROM base AS backend-build
RUN addgroup --system --gid 1001 nodejs \
&& adduser --system --uid 1001 non-root-user
WORKDIR /app WORKDIR /app
@@ -74,7 +76,7 @@ COPY backend/package*.json ./
RUN npm ci --only-production RUN npm ci --only-production
COPY /backend . COPY /backend .
COPY standalone-entrypoint.sh standalone-entrypoint.sh COPY --chown=non-root-user:nodejs standalone-entrypoint.sh standalone-entrypoint.sh
RUN npm run build RUN npm run build
# Production stage # Production stage
@@ -91,6 +93,8 @@ RUN mkdir frontend-build
# Production stage # Production stage
FROM base AS production FROM base AS production
RUN addgroup --system --gid 1001 nodejs \
&& adduser --system --uid 1001 non-root-user
WORKDIR / WORKDIR /
@@ -98,9 +102,7 @@ COPY --from=backend-runner /app /backend
COPY --from=frontend-runner /app ./backend/frontend-build COPY --from=frontend-runner /app ./backend/frontend-build
EXPOSE 80 ENV PORT 8080
ENV PORT 80
ENV HTTPS_ENABLED false ENV HTTPS_ENABLED false
ENV NODE_ENV production ENV NODE_ENV production
@@ -108,6 +110,13 @@ WORKDIR /backend
ENV TELEMETRY_ENABLED true ENV TELEMETRY_ENABLED true
HEALTHCHECK --interval=10s --timeout=3s --start-period=10s \
CMD node healthcheck.js
EXPOSE 8080
USER non-root-user
CMD ["./standalone-entrypoint.sh"] CMD ["./standalone-entrypoint.sh"]