70
Dockerfile
70
Dockerfile
@@ -1,50 +1,48 @@
|
||||
FROM node:20.12.2-slim
|
||||
FROM node:20-alpine AS build
|
||||
|
||||
ENV NODE_ENV=production
|
||||
ENV CHROME_PATH=/usr/bin/google-chrome-stable
|
||||
ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/google-chrome-stable
|
||||
|
||||
# Install Chrome and dependencies
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
ca-certificates wget gnupg \
|
||||
&& wget -qO- https://dl.google.com/linux/linux_signing_key.pub \
|
||||
| gpg --dearmor -o /usr/share/keyrings/google-linux-signing-keyring.gpg \
|
||||
&& echo "deb [arch=amd64 signed-by=/usr/share/keyrings/google-linux-signing-keyring.gpg] https://dl.google.com/linux/chrome/deb/ stable main" \
|
||||
> /etc/apt/sources.list.d/google-chrome.list \
|
||||
&& echo "deb http://deb.debian.org/debian trixie main" \
|
||||
> /etc/apt/sources.list.d/debian-trixie.list \
|
||||
&& apt-get update \
|
||||
&& apt-get install -y --no-install-recommends -t trixie \
|
||||
zlib1g libexpat1 liblzma5 libpcre2-8-0 libsqlite3-0 libxml2 xserver-common xvfb fonts-liberation \
|
||||
&& apt-get install -y --no-install-recommends google-chrome-stable \
|
||||
&& apt-mark manual google-chrome-stable \
|
||||
&& rm /etc/apt/sources.list.d/debian-trixie.list \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN apk add --no-cache python3 make g++
|
||||
RUN corepack enable
|
||||
|
||||
# Create a non-root user for running the app
|
||||
RUN useradd --create-home --home-dir /app --shell /bin/sh appuser
|
||||
|
||||
# Set working directory
|
||||
WORKDIR /app
|
||||
|
||||
# Entrypoint script
|
||||
COPY docker-entrypoint.sh /usr/local/bin/
|
||||
RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
|
||||
|
||||
# Copy and install dependencies
|
||||
COPY --chown=appuser:appuser package.json pnpm-lock.yaml ./
|
||||
USER appuser
|
||||
RUN corepack prepare pnpm@9.0.0 --activate \
|
||||
COPY package.json pnpm-lock.yaml ./
|
||||
RUN corepack prepare pnpm@10.28.0 --activate \
|
||||
&& pnpm install --frozen-lockfile --prod \
|
||||
&& pnpm store prune
|
||||
|
||||
# Copy app code
|
||||
COPY --chown=appuser:appuser . .
|
||||
COPY . .
|
||||
|
||||
FROM node:20-alpine
|
||||
|
||||
ENV NODE_ENV=production
|
||||
ENV CHROME_PATH=/usr/bin/chromium-browser
|
||||
ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
|
||||
|
||||
RUN apk add --no-cache chromium nss freetype harfbuzz ttf-freefont
|
||||
|
||||
# Remove npm/corepack to shrink attack surface and avoid bundled CVEs.
|
||||
RUN rm -rf /usr/local/lib/node_modules/npm \
|
||||
/usr/local/bin/npm \
|
||||
/usr/local/bin/npx \
|
||||
/usr/local/lib/node_modules/corepack \
|
||||
/usr/local/bin/corepack
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
COPY --from=build /app/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
|
||||
RUN chmod 755 /usr/local/bin/docker-entrypoint.sh
|
||||
|
||||
COPY --from=build --chown=node:node /app/package.json /app/package.json
|
||||
COPY --from=build --chown=node:node /app/index.js /app/index.js
|
||||
COPY --from=build --chown=node:node /app/endpoints /app/endpoints
|
||||
COPY --from=build --chown=node:node /app/node_modules /app/node_modules
|
||||
|
||||
RUN mkdir -p /app/cache && chown -R node:node /app
|
||||
|
||||
USER node
|
||||
|
||||
# Expose port (match your app's port)
|
||||
EXPOSE 10000
|
||||
|
||||
# Start Xvfb and run the bot
|
||||
CMD ["/usr/local/bin/docker-entrypoint.sh"]
|
||||
|
||||
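Review bot: Both `FROM node:20-alpine` lines use a floating tag, where the line they appear to replace pinned `node:20.12.2-slim`, so the Node patch level and the Alpine release (and with it the unpinned `chromium` from `apk add`) can change between builds with no change to this file. Pin the same full version in both stages, ideally by digest, e.g. `FROM node:<20.x.y>-alpine<release>@sha256:<digest> AS build`, with the placeholders filled in from the registry. Separately, `chown -R node:node /app` in the final stage leaves `index.js`, `endpoints` and `node_modules` writable by the runtime user. If only `/app/cache` needs writes, drop `--chown=node:node` from the `COPY --from=build` lines and use `RUN mkdir -p /app/cache && chown node:node /app/cache`. The page has lost its +/- markers, so which lines belong to the new side is inferred here.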