build: bump docker image base, set node_env=prod

[rare-magma]

• OWASP recommends setting NODE_ENV=production in production builds link
• Alpine 3.17 is EOL next month link
• Debian bullseye is EOL since last month link
• Docker recommends using COPY instead of ADD for just copying files: reference

[coderabbitai]

Walkthrough

The pull request introduces several updates to multiple Dockerfiles within the project. The base images for the Dockerfiles have been changed from node:18-bullseye to node:18-bookworm and from node:18-bullseye-slim to node:18-bookworm-slim in the primary Dockerfile. Additionally, the Alpine base images in both docker/edge-ubuntu.Dockerfile and docker/stable-ubuntu.Dockerfile have been updated from alpine:3.17 to alpine:3.18.

In all affected Dockerfiles, ADD commands have been replaced with COPY commands for various files and directories, including .yarn, yarn.lock, package.json, .yarnrc.yml, app.js, src, and migrations. An environment variable NODE_ENV has been introduced and set to production in all Dockerfiles. The overall structure and logic of the Dockerfiles remain unchanged, with the modifications primarily focusing on updating base images and refining file handling methods.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (4)

Dockerfile (1)

1-1: Approve base image update and suggest documentation.

The update from 'bullseye' to 'bookworm' addresses the EOL concern mentioned in the PR objectives. This change improves long-term support and security for the project.

Consider adding a comment explaining the reason for this update, e.g.:

# Update to Debian Bookworm for long-term support and security updates
FROM node:18-bookworm as base

docker/edge-ubuntu.Dockerfile (2)

28-28: Approved: Added NODE_ENV as recommended by OWASP

Setting NODE_ENV=production is an excellent addition that aligns with OWASP recommendations for optimizing performance and security in production builds.

Consider moving this environment variable setting to an earlier stage in the Dockerfile, preferably right after the FROM instruction in the 'prod' stage. This ensures that all subsequent build steps are aware of the production environment, which can be beneficial for certain Node.js behaviors during the build process.

---

Line range hint 1-38: Consider adding a HEALTHCHECK instruction

The Dockerfile maintains a good structure with multi-stage builds, proper user creation, and correct permissions. However, it could benefit from the addition of a HEALTHCHECK instruction. This would allow Docker to periodically check if the container is still working as expected, which is particularly useful in orchestration scenarios.

Consider adding a HEALTHCHECK instruction near the end of the Dockerfile. For example:

HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:5006/ || exit 1

Adjust the URL and options as needed to match your application's specifics.

docker/edge-alpine.Dockerfile (1)

28-28: Approved: Setting NODE_ENV to production

Setting NODE_ENV to production is an excellent addition that aligns with OWASP recommendations for security and performance optimization in production builds.

Consider using ARG instead of ENV for NODE_ENV to allow overriding at build time if needed:

-ENV NODE_ENV production
+ARG NODE_ENV=production
+ENV NODE_ENV=${NODE_ENV}

This change would maintain the default production setting while allowing flexibility for different environments if required.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between a8c4c5f and 45c937b.

⛔ Files ignored due to path filters (1)

• upcoming-release-notes/479.md is excluded by !**/*.md

📒 Files selected for processing (5)

• Dockerfile (1 hunks)
• docker/edge-alpine.Dockerfile (2 hunks)
• docker/edge-ubuntu.Dockerfile (2 hunks)
• docker/stable-alpine.Dockerfile (2 hunks)
• docker/stable-ubuntu.Dockerfile (2 hunks)

🧰 Additional context used

🪛 Hadolint

Dockerfile

[error] 4-4: Use COPY instead of ADD for files and folders

(DL3020)

---

[error] 5-5: Use COPY instead of ADD for files and folders

(DL3020)

🔇 Additional comments (25)

Dockerfile (1)

8-8: Approve production image update.

The update to 'node:18-bookworm-slim' for the production stage is consistent with the base image change and maintains the use of a slim version, which is good for reducing the final image size.

docker/stable-ubuntu.Dockerfile (6)

1-1: Approved: Base image update enhances long-term support and security.

Updating the base image from node:18-bullseye to node:18-bookworm is a good move. This addresses the End of Life (EOL) concern mentioned in the PR objectives, as Debian Bullseye has reached its EOL. Bookworm, being the newer version, will provide better long-term support and security updates.

---

4-5: Approved: Switching from ADD to COPY improves Dockerfile clarity.

Replacing ADD with COPY for adding files is a positive change. This aligns with Docker's best practices, as mentioned in the PR objectives. The COPY command is more explicit and preferred over ADD when the goal is simply to copy files into the image. This change enhances the clarity of the Dockerfile and reduces potential confusion about the behavior of these commands.

---

9-9: Approved: Production image update maintains consistency and improves security.

Updating the production image from node:18-bullseye-slim to node:18-bookworm-slim is consistent with the change made in the base stage. This change addresses the End of Life (EOL) concern for the production image as well, ensuring that the entire build process uses up-to-date and supported base images.

---

20-20: Approved: Setting NODE_ENV enhances security and performance.

Adding ENV NODE_ENV production is an excellent security practice. This change directly addresses the OWASP recommendation mentioned in the PR objectives. Setting NODE_ENV to production in a production build can:

1. Optimize performance by disabling development-specific features.
2. Enhance security by ensuring that debug and error information is not exposed to potential attackers.

This is a crucial step in preparing the Docker image for a production environment.

---

22-24: Approved: Consistent use of COPY for application files.

The use of COPY commands for adding package.json, app.js, src, and migrations directories is consistent with the earlier changes and Docker best practices. The order of copying is logical:

1. Dependencies (already copied from the base stage)
2. Package configuration and main application file
3. Source code
4. Database migrations

This structure ensures that the most frequently changing files (source code) are copied last, which can help optimize Docker layer caching and reduce build times for subsequent builds.

---

Line range hint 1-24: Summary: Excellent updates improving security, maintainability, and adherence to best practices.

The changes made to this Dockerfile are comprehensive and well-thought-out:

1. Updating base images to node:18-bookworm addresses EOL concerns and enhances long-term support and security.
2. Switching from ADD to COPY for file operations improves clarity and follows Docker best practices.
3. Setting NODE_ENV=production aligns with OWASP recommendations, optimizing performance and security for production builds.
4. The overall structure of the Dockerfile remains clear and logical, with appropriate separation between the base and production stages.

These changes collectively contribute to a more secure, maintainable, and production-ready Docker image. Great job on implementing these improvements!

docker/stable-alpine.Dockerfile (6)

1-1: Excellent update to Alpine 3.18!

This change addresses the EOL concern for Alpine 3.17 mentioned in the PR objectives. Using the latest stable version (3.18) enhances security and ensures longer support for the base image.

---

4-5: Great job implementing Docker best practices!

Replacing ADD with COPY for file copying operations is an excellent change. This aligns perfectly with Docker's recommendation to use COPY for simple file copying, as mentioned in the PR objectives. It makes the Dockerfile more explicit and easier to understand.

Also applies to: 22-24

---

20-20: Crucial security enhancement: NODE_ENV set to production

Setting NODE_ENV=production is a critical change that directly addresses the PR objective and follows OWASP recommendations. This configuration optimizes both performance and security for production builds. Excellent implementation!

---

10-10: Consistent Alpine version update in production stage

Updating the production stage to Alpine 3.18 maintains consistency with the base stage and addresses the EOL concern. This change ensures that both stages benefit from the latest stable Alpine version, enhancing overall security and support.

---

Line range hint 1-24: Well-structured and focused changes

The changes made to the Dockerfile are well-focused on addressing the PR objectives without introducing unnecessary alterations to the existing structure. The conditional installation for armv7l architecture and other crucial parts remain intact, which is good. The overall structure and logic of the Dockerfile have been maintained while implementing the required updates.

---

Line range hint 1-24: Summary: Excellent Dockerfile improvements

This PR successfully addresses all stated objectives:

1. Updates Alpine to version 3.18, addressing EOL concerns.
2. Sets NODE_ENV to production, enhancing security and performance.
3. Replaces ADD with COPY, following Docker best practices.

These changes significantly improve the Dockerfile's security, maintainability, and adherence to best practices. Great work on this update!

docker/edge-ubuntu.Dockerfile (5)

1-1: Approved: Base image update addresses EOL concerns

Updating the base image from 'node:18-bullseye' to 'node:18-bookworm' is a good move. This change addresses the EOL concerns mentioned in the PR objectives, as Debian Bullseye has reached its end of life. Debian Bookworm provides longer support and potentially improved security.

---

4-5: Approved: Replaced ADD with COPY as per Docker best practices

The change from 'ADD' to 'COPY' for various files (.yarn, yarn.lock, package.json, .yarnrc.yml, artifacts.json) aligns with Docker's best practices. This modification makes the Dockerfile more explicit about its intentions and is the recommended approach when the goal is simply to copy files into the image.

Also applies to: 10-10

---

17-17: Approved: Consistent base image update in production stage

The change from 'node:18-bullseye-slim' to 'node:18-bookworm-slim' in the production stage is consistent with the update in the base stage. This change addresses the EOL concerns for Debian Bullseye while maintaining the use of a slim image, which is beneficial for reducing the final image size.

---

31-33: Approved: Consistent use of COPY in production stage

The replacement of 'ADD' with 'COPY' for package.json, app.js, src, and migrations in the production stage is consistent with the earlier changes and adheres to Docker's best practices. This change maintains a clear and explicit approach to file copying throughout the Dockerfile.

---

18-18: Approved: Retention of tini for proper process management

The retention of tini installation in the production stage is a good practice. Tini serves as a lightweight init system that helps manage zombie processes in containers, contributing to better overall process management and container health.

docker/edge-alpine.Dockerfile (7)

1-1: Approved: Base image update to Alpine 3.18

Updating the base image to Alpine 3.18 is a good move. It addresses the EOL concerns mentioned in the PR objectives and ensures that the image is using the latest stable version with security updates and bug fixes.

---

4-5: Approved: Replaced ADD with COPY for yarn-related files

Replacing ADD with COPY for .yarn, yarn.lock, package.json, and .yarnrc.yml is in line with Docker best practices. COPY is more explicit and preferred for simple file copying operations.

---

11-11: Approved: Replaced ADD with COPY for artifacts.json

Consistent with the previous changes, replacing ADD with COPY for artifacts.json follows Docker best practices and improves the clarity of the Dockerfile.

---

18-18: Approved: Production stage base image update to Alpine 3.18

Updating the production stage base image to Alpine 3.18 is consistent with the earlier change and addresses the EOL concerns mentioned in the PR objectives.

---

30-31: Approved: Replaced ADD with COPY for node_modules and /public

Replacing ADD with COPY for node_modules and /public directories is consistent with Docker best practices and improves the clarity of the Dockerfile.

---

31-33: Approved: Replaced ADD with COPY for application files

Replacing ADD with COPY for package.json, app.js, src, and migrations is consistent with Docker best practices. The order of copying dependencies first, followed by application files, is maintained, which is optimal for layer caching.

---

Line range hint 1-33: Overall: Excellent improvements to the Dockerfile

The changes made to this Dockerfile align perfectly with the PR objectives and Docker best practices:

1. Updating to Alpine 3.18 addresses EOL concerns and improves security.
2. Replacing ADD with COPY improves clarity and follows Docker recommendations.
3. Setting NODE_ENV to production enhances security and performance as per OWASP guidelines.

These modifications contribute to a more secure, maintainable, and efficient Docker setup. Great job on implementing these improvements!

To ensure all ADD commands have been replaced with COPY, run the following script:

✅ Verification successful

Verification Successful: No remaining ADD commands in docker/edge-alpine.Dockerfile

All ADD commands have been successfully replaced with COPY, adhering to Docker best practices.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for any remaining ADD commands in the Dockerfile

# Test: Search for ADD commands. Expect: No results.
rg --type dockerfile 'ADD' docker/edge-alpine.Dockerfile

Length of output: 91

---

Script:

#!/bin/bash
# Description: Check for any remaining ADD commands in the specified Dockerfile

# Test: Search for ADD commands. Expect: No results.
grep 'ADD' docker/edge-alpine.Dockerfile

Length of output: 40