misc: update sample dockerfiles use non-root user (UID 2002) and base images (#6512)

* updated golang version to 1.23

* updated go sample dockerfile

* modified versions to java-21 LTS

* modified versions to node v22.14.0 LTS

* modified versions to node v22.14.0 LTS

* updated base images versions

* update Dockerfile for non-root user and update latest stable

* update dockerfile and nginx.conf

* added dockerfile for react

* refactor

* refactor

* refactor

* refactor

* resolved all review points

* wip

---------

Co-authored-by: pawan-59 <pawan@devtron.ai>
Co-authored-by: Badal Kumar Prusty <badalkumar@Badals-MacBook-Pro.local>

Author: 3 people

sample-docker-templates/django/Dockerfile

@@ -1,48 +1,47 @@
-# Dockerfile
+# Base Image - slim Python
+FROM python:3.13-slim
 
-# Base Image
-FROM python:3.8
+# Environment settings
+ENV PYTHONUNBUFFERED=1 LANG=C.UTF-8
 
-# set default environment variables
-ENV PYTHONUNBUFFERED 1
-ENV LANG C.UTF-8
-
-# to take runtime arguments and set env variables
+# Django superuser build args
 ARG DJANGO_SUPERUSER_USERNAME
-ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME}
-
 ARG DJANGO_SUPERUSER_PASSWORD
-ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}
-
 ARG DJANGO_SUPERUSER_EMAIL
+ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME}
+ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}
 ENV DJANGO_SUPERUSER_EMAIL=${DJANGO_SUPERUSER_EMAIL}
 
-# create and set working directory
-RUN mkdir /app
+# Set workdir
 WORKDIR /app
 
-RUN chown -R www-data:www-data /app
-
-# Add current directory code to working directory
-COPY . /app/
-
-# install environment dependencies
-RUN pip install -r requirements.txt 
-
-# install nginx
-RUN apt-get update && apt-get install nginx vim -y --no-install-recommends
+# Install system dependencies and nginx, then install Python deps
+COPY requirements.txt .
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends nginx vim && \
+    pip install --no-cache-dir -r requirements.txt && \
+    rm -rf /var/lib/apt/lists/*
 
-#Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/nginx.default for sample nginx.default file
-COPY nginx.default /etc/nginx/sites-available/default
+# Copy app code, nginx.conf, and start script
+COPY app/ ./
+COPY nginx.conf /etc/nginx/nginx.conf
+RUN chmod +x start-server.sh
 
-RUN ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+# Create non-root user and set permissions
+RUN groupadd -g 2002 nonroot && \
+    useradd -u 2002 -g nonroot -s /bin/bash -m nonroot && \
+    mkdir -p /tmp/nginx-logs && \
+    chown -R nonroot:nonroot /app /tmp/nginx-logs
 
+# Expose port 8080
+EXPOSE 8080
 
-# start server
-EXPOSE 8000
+# Switch to non-root
+USER nonroot
 
+# Stop signal for graceful shutdown
+# https://docs.docker.com/reference/dockerfile/#stopsignal
 STOPSIGNAL SIGTERM
 
-# Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/start-server.sh for sample start-server.sh file
+# Start server (migrations, superuser, gunicorn, nginx)
 CMD ["/app/start-server.sh"]

sample-docker-templates/django/nginx.conf

@@ -0,0 +1,36 @@
+worker_processes auto;
+error_log  /tmp/nginx-logs/error.log warn;
+pid        /tmp/nginx-logs/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    access_log  /tmp/nginx-logs/access.log;
+
+    client_body_temp_path /tmp/nginx-logs/client_temp;
+    proxy_temp_path       /tmp/nginx-logs/proxy_temp;
+    fastcgi_temp_path     /tmp/nginx-logs/fastcgi_temp;
+    uwsgi_temp_path       /tmp/nginx-logs/uwsgi_temp;
+    scgi_temp_path        /tmp/nginx-logs/scgi_temp;
+
+    server {
+        listen       8080;
+        server_name  localhost;
+
+        location / {
+            proxy_pass http://127.0.0.1:8000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        location /static/ {
+            root /app;
+        }
+    }
+}

sample-docker-templates/django/nginx.default

@@ -1,22 +1,13 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2024. Devtron Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
+#!/bin/sh
 
-# start-server.sh
-python manage.py migrate 
-python manage.py createsuperuser --no-input
+# Apply DB migrations
+python /app/manage.py migrate
 
-(gunicorn DjangoApp.wsgi --user www-data --bind 0.0.0.0:8000 --workers 3) && nginx -g "daemon off;"
+# create superuser
+python /app/manage.py createsuperuser --no-input
+
+# Start gunicorn as non-root user binding on port 8000
+gunicorn demo-project.wsgi:application --user nonroot --bind 0.0.0.0:8000 --workers 3 &
+
+# Start nginx (already configured to run without root)
+nginx -g "daemon off;"

sample-docker-templates/django/start-server.sh

@@ -1,39 +1,40 @@
-#Base Image
-FROM python:3.8
+# Base Image - slim Python
+FROM python:3.13-slim
 
-#Getting System Ready to install dependencies
-RUN apt-get clean \
-    && apt-get -y update
+# Environment settings
+ENV PYTHONUNBUFFERED=1 LANG=C.UTF-8
 
-#Installing nginx
-RUN apt-get -y install nginx \
-    && apt-get -y install python3-dev \
-    && apt-get -y install build-essential
-
-#Creating symbolic link for access and error log from nginx
-RUN ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+# Set workdir
+WORKDIR /app
 
-#Creating a dir in Container
-RUN mkdir /app
+COPY requirements.txt requirements.txt
 
-#Moving into the directory created
-WORKDIR /app
+# Install system dependencies and nginx, then install Python deps
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends nginx gcc python3-dev musl-dev build-essential libexpat1 && \
+    pip install --no-cache-dir -r requirements.txt && \
+    apt-get purge -y --auto-remove gcc python3-dev musl-dev build-essential && \
+    rm -rf /var/lib/apt/lists/*
 
-#Changing ownership of files in /app
-RUN chown -R www-data:www-data /app
+# Copy app code, configs, and start script
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY app.py uwsgi.ini start.sh ./
+RUN chmod +x start.sh
 
-#Adding the complete project in dir created
-ADD . /app/
+# Create non-root user and set permissions
+RUN groupadd -g 2002 nonroot && \
+    useradd -u 2002 -g nonroot -s /bin/bash -m nonroot && \
+    mkdir -p /tmp/nginx-logs && \
+    chown -R nonroot:nonroot /app /tmp/nginx-logs
 
-#Installing dependencies
-RUN pip3 install -r requirements.txt
+# Expose port 8080
+EXPOSE 8080
 
-# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/nginx.default for sample nginx.default file
-COPY nginx.default /etc/nginx/sites-available/default
+# Switch to non-root
+USER nonroot
 
-#Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/start.sh for sample start.sh file
-#Making start.sh executable
-RUN chmod +x ./start.sh
+# Stop signal for graceful shutdown
+STOPSIGNAL SIGTERM
 
-CMD ["./start.sh"]
+# Start server (migrations, superuser, gunicorn, nginx)
+CMD ["/app/start.sh"]

sample-docker-templates/flask/Dockerfile

@@ -0,0 +1,35 @@
+worker_processes auto;
+error_log  /tmp/nginx-logs/error.log warn;
+pid        /tmp/nginx-logs/nginx.pid;
+
+events {}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    access_log  /tmp/nginx-logs/access.log;
+
+    client_body_temp_path /tmp/nginx-logs/client_temp;
+    proxy_temp_path       /tmp/nginx-logs/proxy_temp;
+    fastcgi_temp_path     /tmp/nginx-logs/fastcgi_temp;
+    uwsgi_temp_path       /tmp/nginx-logs/uwsgi_temp;
+    scgi_temp_path        /tmp/nginx-logs/scgi_temp;
+
+    server {
+        listen 8080;
+        server_name  localhost;
+
+        location / {
+            proxy_pass http://127.0.0.1:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /static/ {
+            alias /app/static/;
+        }
+    }
+}

sample-docker-templates/flask/nginx.conf

@@ -1,22 +1,7 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2024. Devtron Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-service nginx start
-# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/uwsgi.ini for sample uwsgi.ini file
-uwsgi --ini uwsgi.ini
+#!/bin/sh
 
+# Start uWSGI in the background
+uwsgi --ini /app/uwsgi.ini &
 
+# Start Nginx in the foreground
+nginx -g "daemon off;"

sample-docker-templates/flask/nginx.default

@@ -1,14 +1,11 @@
 [uwsgi]
 module = app:app
-uid = www-data
-gid = www-data
 master = true
 processes = 5
 
-socket = /tmp/uwsgi.socket
-chmod-sock = 664
-vacuum = true
-
-die-on-term = true
-
+http = 127.0.0.1:5000
+uid = nonroot
+gid = nonroot
 
+vacuum = true
+die-on-term = true