feat(distroless): Provide distroless container image #313

Open
wants to merge 1 commit into base: master
2 changes: 1 addition & 1 deletion .github/workflows/nightly.yml
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
base: [debian, alpine]
base: [debian, alpine, distroless]
env:
HEDGEDOC_VERSION: master
HEDGEDOC_IMAGE: quay.io/hedgedoc/hedgedoc-nightly
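Review bot: the same one-line matrix change is repeated verbatim in nightly.yml, release.yml and test.yml; that is fine for this PR, but please make sure the image tags these workflows push for the new `distroless` entry are documented alongside the existing `debian` and `alpine` tags, since nothing in this diff updates user-facing docs.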
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
base: [debian, alpine]
base: [debian, alpine, distroless]
env:
# renovate: datasource=github-tags depName=hedgedoc/hedgedoc versioning=semver
HEDGEDOC_VERSION: 1.9.3
2 changes: 1 addition & 1 deletion .github/workflows/test.yml
Expand Up @@ -10,7 +10,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
base: [debian, alpine]
base: [debian, alpine, distroless]
env:
BASE: ${{ matrix.base }} # needed in tests/version.sh
steps:
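Review bot: the env comment says `BASE` is consumed by `tests/version.sh`, but that script is not touched in this PR; confirm it handles the new `distroless` value. Distroless images ship no shell and no package manager, so any check in that script that execs `sh` into the container or reads a distribution version file will need a distroless-specific branch, otherwise the new matrix entry will fail in CI for reasons unrelated to the image itself.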
49 changes: 49 additions & 0 deletions distroless/Dockerfile
@@ -0,0 +1,49 @@
FROM docker.io/library/node:16.14.2-bullseye-slim@sha256:d54981fe891c9e3442ea05cb668bc8a2a3ee38609ecce52c7b5a609fadc6f64b AS base

FROM base AS builder


RUN apt-get update && apt-get install --no-install-recommends -y git jq ca-certificates python-is-python3 build-essential


# Build arguments to change source url, branch or tag
ARG CODIMD_REPOSITORY
ARG HEDGEDOC_REPOSITORY=https://github.com/hedgedoc/hedgedoc.git
ARG VERSION=master
RUN if [ -n "${CODIMD_REPOSITORY}" ]; then echo "CODIMD_REPOSITORY is deprecated. Please use HEDGEDOC_REPOSITORY instead" && exit 1; fi

# Clone the source and remove git repository but keep the HEAD file
RUN git clone --depth 1 --branch "$VERSION" "$HEDGEDOC_REPOSITORY" /hedgedoc
RUN git -C /hedgedoc log --pretty=format:'%ad %h %d' --abbrev-commit --date=short -1
RUN git -C /hedgedoc rev-parse HEAD > /tmp/gitref
RUN rm -rf /hedgedoc/.git/*
RUN mv /tmp/gitref /hedgedoc/.git/HEAD
RUN jq ".repository.url = \"${HEDGEDOC_REPOSITORY}\"" /hedgedoc/package.json > /hedgedoc/package.new.json
RUN mv /hedgedoc/package.new.json /hedgedoc/package.json


# Install app dependencies and build
WORKDIR /hedgedoc
RUN yarn install --production=false --frozen-lockfile
RUN yarn run build
RUN yarn install --production=true --frozen-lockfile
Member (inline comment on `RUN yarn install --production=true --frozen-lockfile`):

This command seems not to prune dev dependencies if called after a non-production install.

see yarnpkg/yarn#6373
RUN rm -f /hedgedoc/config.json
RUN ln -s /files/config.json /hedgedoc/config.json
COPY --chown=$UID /resources/healthcheck.mjs /hedgedoc/healthcheck.mjs

# Use distroless image
FROM gcr.io/distroless/nodejs:16@sha256:2b0fe69900014a74bc85fd4588e86b90139777a8fa7e2feea1f14447ea82e651

ARG UID=10000
ENV NODE_ENV=production
ENV UPLOADS_MODE=0700

COPY --chown=$UID --from=builder /hedgedoc /hedgedoc
COPY ["resources/config.json", "/files/"]

HEALTHCHECK --interval=5s CMD node healthcheck.mjs
WORKDIR /hedgedoc
EXPOSE 3000
USER $UID

CMD ["app.js"]
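Review bot: the `HEALTHCHECK --interval=5s CMD node healthcheck.mjs` line uses shell form, which Docker executes through `/bin/sh -c`; distroless images contain no shell, so this check can never succeed and the container will always be reported unhealthy. Use exec form with the absolute path of the node binary the base image provides, e.g. `HEALTHCHECK --interval=5s CMD ["/nodejs/bin/node", "healthcheck.mjs"]` (that binary is the image's entrypoint, which is why `CMD ["app.js"]` works). Separately, `COPY --chown=$UID /resources/healthcheck.mjs /hedgedoc/healthcheck.mjs` in the builder stage expands `$UID` before any `ARG UID` exists in that stage: `ARG UID=10000` is declared only after the final `FROM`, and ARG scope is per stage, so in the builder the chown value is empty. Declare `ARG UID=10000` in the builder stage as well (or above the first `FROM` and redeclare it in each stage). Minor: the two COPY sources are written inconsistently (`/resources/healthcheck.mjs` with a leading slash, `resources/config.json` without); context-relative paths without the leading slash are the usual convention.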