🔧 chore(Dockerfile, compose.yaml): use distroless, update Node.js ver…

…sion and enhance security Updated Node.js version from 20 to 22 in the Dockerfile and switched to using a distroless image to improve container security by removing unnecessary packages and reducing the attack surface. Changed the user to nonroot and specified ownership in the COPY command to avoid running with root privileges. In compose.yaml, added the cap_drop option to remove container capabilities, further enhancing security.
yGuy · Dec 20, 2024 · 008cfbb · 008cfbb
1 parent 029231c
commit 008cfbb
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,8 @@
 # NPM builder image
-FROM node:20-slim as npm_builder
-#20.3.0-bookworm-slim (Debian 12)
+FROM node:22-bookworm-slim AS npm_builder
+#22.12.0-bookworm-slim (Debian 12)
+#22-bookworm-slim, 22-slim, 22.12-bookworm-slim, 22.12-slim, 22.12.0-bookworm-slim, 22.12.0-slim, jod-bookworm-slim, jod-slim, lts-bookworm-slim, lts-slim
+# bookworm = Debian12
 
 WORKDIR /app
 COPY [ "package.json", "package-lock.json", ".npmrc", \
@@ -18,19 +20,21 @@ RUN rm -rf node_modules/ && npm ci --omit dev
 
 
 # NPM runtime image
-FROM node:20-slim as npm_runtime
+# See: https://github.com/GoogleContainerTools/distroless/tree/main/examples/nodejs
+# For DEBUG: docker run -it --entrypoint=sh gcr.io/distroless/nodejs22-debian12:debug-nonroot
+FROM gcr.io/distroless/nodejs22-debian12:nonroot AS npm_runtime
 
 WORKDIR /app
 
 ARG NODE_ENV=production
 ENV NODE_ENV $NODE_ENV
 ENV PLUGINS=image-plugin,graph-plugin
 
-# Avoid running as root:
-USER node
-
-COPY --from=npm_builder [ "/app/node_modules/", "./node_modules/" ]
-COPY --from=npm_builder [ "/app/dist/", "./src/" ]
+COPY --chown=nonroot:nonroot --from=npm_builder [ "/app/node_modules/", "./node_modules/" ]
+COPY --chown=nonroot:nonroot --from=npm_builder [ "/app/dist/", "./src/" ]
 COPY [ "./license.md", "./" ]
 
-ENTRYPOINT [ "node", "src/botservice.mjs" ]
+# Avoid running as root:
+USER nonroot
+
+CMD [ "src/botservice.mjs" ]
diff --git a/compose.yaml b/compose.yaml
@@ -7,6 +7,8 @@ services:
       args:
         NODE_ENV: ${NODE_ENV:-production}
     restart: always
+    cap_drop:
+      - ALL
     env_file: .env # Dockerfileでも有効にするために必須
     # .envファイルより環境変数を有効にする場合
     # environment: