From d1354b4ce8e35e120cc4bcb4665105ef55944a79 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Thu, 7 Mar 2024 13:42:11 +0000
Subject: [PATCH 1/3] always install the locked versions of dependencies
---
 Dockerfile | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8ad4bbbfb1..112e1d1a50 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,13 +20,15 @@ COPY . ./
 RUN git submodule update --init --recursive
 RUN pnpm config set fetch-retries 5
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store,sharing=locked \
- pnpm i
+ pnpm i --frozen-lockfile --aggregate-output
 RUN pnpm build
 RUN node scripts/trim-deps.mjs
 RUN mv packages/frontend/assets sharkey-assets
+RUN --mount=type=cache,target=/root/.local/share/pnpm/store,sharing=locked \
+ pnpm prune
 RUN rm -r node_modules packages/frontend packages/sw
 RUN --mount=type=cache,target=/root/.local/share/pnpm/store,sharing=locked \
- pnpm i --prod
+ pnpm i --prod --frozen-lockfile --aggregate-output
 RUN rm -rf .git
 FROM node:${NODE_VERSION}
-- GitLab
From b0e37674c34b4e7ba62a9b2a4d5ac6a2ce89a759 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Thu, 7 Mar 2024 14:05:03 +0000
Subject: [PATCH 2/3] don't run as `root`, also use `jemalloc`
---
 Dockerfile | 69 ++++++++++++++++++++++++++++++------------------
 1 file changed, 39 insertions(+), 30 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 112e1d1a50..786f8d1f1a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,7 @@ RUN apk add --update python3 && ln -sf python3 /usr/bin/python
 RUN python3 -m ensurepip
 RUN pip3 install --no-cache --upgrade pip setuptools
-COPY . ./
+COPY --link . ./
 RUN git submodule update --init --recursive
 RUN pnpm config set fetch-retries 5
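Review bot: The second install, `pnpm i --prod --frozen-lockfile --aggregate-output`, now runs after `node scripts/trim-deps.mjs` and the new `pnpm prune`; if trim-deps rewrites package.json (its name suggests it drops dependencies, but the script is not in this patch), the manifest and lockfile no longer agree and `--frozen-lockfile` makes pnpm abort with an outdated-lockfile error instead of installing, so those two steps should be verified together in a clean build. Enforcing the lockfile is the right call: the image's dependency set becomes exactly what is reviewed in-repo rather than whatever resolves at build time. A one-line comment above the added `pnpm prune` saying what it removes that the following `rm -r node_modules packages/frontend packages/sw` does not would help the next reader, since pruning immediately before deleting node_modules looks redundant at first glance. The builder stage's `COPY . ./` in the hunk header is outside this hunk.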
@@ -33,39 +33,48 @@ RUN rm -rf .git
 FROM node:${NODE_VERSION}
-WORKDIR /sharkey
+ARG UID="991"
+ARG GID="991"
+
+RUN apk add ffmpeg tini jemalloc \
+ && corepack enable \
+ && addgroup -g "${GID}" sharkey \
+ && adduser -D -u "${UID}" -G sharkey -h /sharkey sharkey \
+ && find / -type d -path /sys -prune -o -type d -path /proc -prune -o -type f -perm /u+s -exec chmod u-s {} \; \
+ && find / -type d -path /sys -prune -o -type d -path /proc -prune -o -type f -perm /g+s -exec chmod g-s {} \;
-RUN apk add ffmpeg tini
+USER sharkey
+WORKDIR /sharkey
-COPY --from=build /sharkey/built ./built
-COPY --from=build /sharkey/node_modules ./node_modules
-COPY --from=build /sharkey/packages/backend/built ./packages/backend/built
-COPY --from=build /sharkey/packages/backend/node_modules ./packages/backend/node_modules
-COPY --from=build /sharkey/packages/megalodon/lib ./packages/megalodon/lib
-COPY --from=build /sharkey/packages/megalodon/node_modules ./packages/megalodon/node_modules
-COPY --from=build /sharkey/packages/misskey-js/built ./packages/misskey-js/built
-COPY --from=build /sharkey/packages/misskey-js/node_modules ./packages/misskey-js/node_modules
-COPY --from=build /sharkey/packages/misskey-reversi/built ./packages/misskey-reversi/built
-COPY --from=build /sharkey/packages/misskey-reversi/node_modules ./packages/misskey-reversi/node_modules
-COPY --from=build /sharkey/packages/misskey-bubble-game/built ./packages/misskey-bubble-game/built
-COPY --from=build /sharkey/packages/misskey-bubble-game/node_modules ./packages/misskey-bubble-game/node_modules
-COPY --from=build /sharkey/fluent-emojis ./fluent-emojis
-COPY --from=build /sharkey/tossface-emojis/dist ./tossface-emojis/dist
-COPY --from=build /sharkey/sharkey-assets ./packages/frontend/assets
+COPY --chown=sharkey:sharkey --from=build /sharkey/built ./built
+COPY --chown=sharkey:sharkey --from=build /sharkey/node_modules ./node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/backend/built ./packages/backend/built
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/backend/node_modules ./packages/backend/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/megalodon/lib ./packages/megalodon/lib
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/megalodon/node_modules ./packages/megalodon/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-js/built ./packages/misskey-js/built
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-js/node_modules ./packages/misskey-js/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-reversi/built ./packages/misskey-reversi/built
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-reversi/node_modules ./packages/misskey-reversi/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-bubble-game/built ./packages/misskey-bubble-game/built
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-bubble-game/node_modules ./packages/misskey-bubble-game/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/fluent-emojis ./fluent-emojis
+COPY --chown=sharkey:sharkey --from=build /sharkey/tossface-emojis/dist ./tossface-emojis/dist
+COPY --chown=sharkey:sharkey --from=build /sharkey/sharkey-assets ./packages/frontend/assets
-COPY package.json ./package.json
-COPY pnpm-workspace.yaml ./pnpm-workspace.yaml
-COPY packages/backend/package.json ./packages/backend/package.json
-COPY packages/backend/check_connect.js ./packages/backend/check_connect.js
-COPY packages/backend/ormconfig.js ./packages/backend/ormconfig.js
-COPY packages/backend/migration ./packages/backend/migration
-COPY packages/backend/assets ./packages/backend/assets
-COPY packages/megalodon/package.json ./packages/megalodon/package.json
-COPY packages/misskey-js/package.json ./packages/misskey-js/package.json
-COPY packages/misskey-reversi/package.json ./packages/misskey-reversi/package.json
-COPY packages/misskey-bubble-game/package.json ./packages/misskey-bubble-game/package.json
+COPY --chown=sharkey:sharkey package.json ./package.json
+COPY --chown=sharkey:sharkey pnpm-workspace.yaml ./pnpm-workspace.yaml
+COPY --chown=sharkey:sharkey packages/backend/package.json ./packages/backend/package.json
+COPY --chown=sharkey:sharkey packages/backend/check_connect.js ./packages/backend/check_connect.js
+COPY --chown=sharkey:sharkey packages/backend/ormconfig.js ./packages/backend/ormconfig.js
+COPY --chown=sharkey:sharkey packages/backend/migration ./packages/backend/migration
+COPY --chown=sharkey:sharkey packages/backend/assets ./packages/backend/assets
+COPY --chown=sharkey:sharkey packages/megalodon/package.json ./packages/megalodon/package.json
+COPY --chown=sharkey:sharkey packages/misskey-js/package.json ./packages/misskey-js/package.json
+COPY --chown=sharkey:sharkey packages/misskey-reversi/package.json ./packages/misskey-reversi/package.json
+COPY --chown=sharkey:sharkey packages/misskey-bubble-game/package.json ./packages/misskey-bubble-game/package.json
+ENV LD_PRELOAD=/usr/lib/libjemalloc.so.2
 ENV NODE_ENV=production
-RUN corepack enable
 ENTRYPOINT ["/sbin/tini", "--"]
 CMD ["pnpm", "run", "migrateandstart"]
-- GitLab
From dee818a3308a811ed74b2559ab24ab52233d9474 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Thu, 7 Mar 2024 14:21:22 +0000
Subject: [PATCH 3/3] reorder lines this makes the diff from upstream smaller
---
 Dockerfile | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 786f8d1f1a..7e0a778862 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,10 +4,6 @@ ARG NODE_VERSION=20.10.0-alpine3.18
 FROM node:${NODE_VERSION} as build
-RUN corepack enable
-
-WORKDIR /sharkey
-
 RUN apk add git linux-headers build-base
 ENV PYTHONUNBUFFERED=1
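Review bot: `USER sharkey` sets the user by name, so a runtime that verifies a non-root UID from image metadata (Kubernetes `runAsNonRoot`, for example) cannot prove it and refuses to start the container; the ARGs already fix the ids, so `USER ${UID}:${GID}` selects the same account with a numeric check. The rewritten `apk add ffmpeg tini jemalloc` leaves the apk index in the layer and pins nothing — `apk add --no-cache ffmpeg=<version> tini=<version> jemalloc=<version>` keeps the runtime stage as reproducible as the first patch makes the npm packages. The two `find /` walks that strip setuid and setgid bits are a good hardening step but can be a single pass, `-type f -perm /6000 -exec chmod ug-s {} \;`, halving a full-filesystem traversal per build. `ENV LD_PRELOAD=/usr/lib/libjemalloc.so.2` hard-codes the library path; a build-time `RUN test -f /usr/lib/libjemalloc.so.2` fails the build when the package layout changes, whereas at runtime every process in the image would merely log a preload error and silently run with the default allocator.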
@@ -15,6 +11,10 @@ RUN apk add --update python3 && ln -sf python3 /usr/bin/python
 RUN python3 -m ensurepip
 RUN pip3 install --no-cache --upgrade pip setuptools
+RUN corepack enable
+
+WORKDIR /sharkey
+
 COPY --link . ./
 RUN git submodule update --init --recursive
@@ -46,18 +46,18 @@ RUN apk add ffmpeg tini jemalloc \
 USER sharkey
 WORKDIR /sharkey
-COPY --chown=sharkey:sharkey --from=build /sharkey/built ./built
 COPY --chown=sharkey:sharkey --from=build /sharkey/node_modules ./node_modules
-COPY --chown=sharkey:sharkey --from=build /sharkey/packages/backend/built ./packages/backend/built
 COPY --chown=sharkey:sharkey --from=build /sharkey/packages/backend/node_modules ./packages/backend/node_modules
-COPY --chown=sharkey:sharkey --from=build /sharkey/packages/megalodon/lib ./packages/megalodon/lib
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-js/node_modules ./packages/misskey-js/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-reversi/node_modules ./packages/misskey-reversi/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-bubble-game/node_modules ./packages/misskey-bubble-game/node_modules
 COPY --chown=sharkey:sharkey --from=build /sharkey/packages/megalodon/node_modules ./packages/megalodon/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/built ./built
 COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-js/built ./packages/misskey-js/built
-COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-js/node_modules ./packages/misskey-js/node_modules
 COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-reversi/built ./packages/misskey-reversi/built
-COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-reversi/node_modules ./packages/misskey-reversi/node_modules
 COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-bubble-game/built ./packages/misskey-bubble-game/built
-COPY --chown=sharkey:sharkey --from=build /sharkey/packages/misskey-bubble-game/node_modules ./packages/misskey-bubble-game/node_modules
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/backend/built ./packages/backend/built
+COPY --chown=sharkey:sharkey --from=build /sharkey/packages/megalodon/lib ./packages/megalodon/lib
 COPY --chown=sharkey:sharkey --from=build /sharkey/fluent-emojis ./fluent-emojis
 COPY --chown=sharkey:sharkey --from=build /sharkey/tossface-emojis/dist ./tossface-emojis/dist
 COPY --chown=sharkey:sharkey --from=build /sharkey/sharkey-assets ./packages/frontend/assets
-- GitLab