diff --git a/sample-docker-templates/django/Dockerfile b/sample-docker-templates/django/Dockerfile index b84c90ebe6..7232599ce6 100644 --- a/sample-docker-templates/django/Dockerfile +++ b/sample-docker-templates/django/Dockerfile 
@@ -1,48 +1,44 @@ -# Dockerfile +# Base Image - slim Python +FROM python:3.13-slim -# Base Image -FROM python:3.8 +# Environment settings +ENV PYTHONUNBUFFERED=1 LANG=C.UTF-8 -# set default environment variables -ENV PYTHONUNBUFFERED 1 -ENV LANG C.UTF-8 - -# to take runtime arguments and set env variables +# Django superuser build args ARG DJANGO_SUPERUSER_USERNAME -ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME} - ARG DJANGO_SUPERUSER_PASSWORD -ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD} - ARG DJANGO_SUPERUSER_EMAIL +ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME} +ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD} ENV DJANGO_SUPERUSER_EMAIL=${DJANGO_SUPERUSER_EMAIL} -# create and set working directory -RUN mkdir /app +# Set workdir WORKDIR /app -RUN chown -R www-data:www-data /app - -# Add current directory code to working directory -COPY . /app/ - -# install environment dependencies -RUN pip install -r requirements.txt - -# install nginx -RUN apt-get update && apt-get install nginx vim -y --no-install-recommends +# Install system dependencies and nginx, then install Python deps +COPY requirements.txt . 
+RUN apt-get update && apt-get install -y --no-install-recommends nginx vim && \ + pip install --no-cache-dir -r requirements.txt && \ + rm -rf /var/lib/apt/lists/* -#Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/nginx.default for sample nginx.default file -COPY nginx.default /etc/nginx/sites-available/default +# Copy app code, nginx.conf, and start script +COPY app/ ./ +COPY nginx.conf /etc/nginx/nginx.conf +COPY start-server.sh ./ +RUN chmod +x start-server.sh -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log +# Create non-root user and set permissions +RUN groupadd -g 2002 nonroot && useradd -u 2002 -g nonroot -s /bin/bash -m nonroot && \ + mkdir -p /tmp/nginx-logs && chown -R nonroot:nonroot /app /tmp/nginx-logs +# Expose port 8080 +EXPOSE 8080 -# start server -EXPOSE 8000 +# Switch to non-root +USER nonroot +# Stop signal for graceful shutdown STOPSIGNAL SIGTERM -# Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/start-server.sh for sample start-server.sh file +# Start server (migrations, superuser, gunicorn, nginx) CMD ["/app/start-server.sh"] \ No newline at end of file diff --git a/sample-docker-templates/django/nginx.conf b/sample-docker-templates/django/nginx.conf new file mode 100644 index 0000000000..a657db03c5 --- /dev/null +++ b/sample-docker-templates/django/nginx.conf 
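Review bot: The added `ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}` bakes a build-arg credential into the image: it is visible in `docker history` and in the environment of every container started from it, and BuildKit's SecretsUsedInArgOrEnv check flags exactly this name. Since `createsuperuser --no-input` in start-server.sh reads the variable at run time anyway, drop the `ARG`/`ENV` pair for the password and have the orchestrator inject it, keeping a comment in their place such as `# DJANGO_SUPERUSER_PASSWORD must be supplied at run time (secret store), never via --build-arg`. The same `RUN` re-installs `vim` into the runtime image although nothing in the CMD needs it; removing it from the `apt-get install` line shrinks the image and its attack surface.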
@@ -0,0 +1,36 @@ +worker_processes auto; +error_log /tmp/nginx-logs/error.log warn; +pid /tmp/nginx-logs/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + + access_log /tmp/nginx-logs/access.log; + + client_body_temp_path /tmp/nginx-logs/client_temp; + proxy_temp_path /tmp/nginx-logs/proxy_temp; + fastcgi_temp_path /tmp/nginx-logs/fastcgi_temp; + uwsgi_temp_path /tmp/nginx-logs/uwsgi_temp; + scgi_temp_path /tmp/nginx-logs/scgi_temp; + + server { + listen 8080; + server_name localhost; + + location / { + proxy_pass http://127.0.0.1:8000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /static/ { + root /app; + } + } +} diff --git a/sample-docker-templates/django/nginx.default b/sample-docker-templates/django/nginx.default deleted file mode 100644 index 952503a128..0000000000 --- a/sample-docker-templates/django/nginx.default +++ /dev/null @@ -1,15 +0,0 @@ -# nginx.default - -server { - listen 8020; - server_name example.org; - - location / { - proxy_pass http://127.0.0.1:8000; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } - location /static { - root /app; - } -} diff --git a/sample-docker-templates/django/start-server.sh b/sample-docker-templates/django/start-server.sh index fa9671fede..a571b37dae 100755 --- a/sample-docker-templates/django/start-server.sh +++ b/sample-docker-templates/django/start-server.sh 
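Review bot: This server block sets no `X-Forwarded-Proto` header on the upstream, unlike the flask `nginx.conf` added in the same commit, so Django behind TLS termination cannot tell the original request was HTTPS (`SECURE_PROXY_SSL_HEADER` / `request.is_secure()` depend on it); add `proxy_set_header X-Forwarded-Proto $scheme;` next to the existing `X-Forwarded-For` line. Separately, `error_log /tmp/nginx-logs/error.log` only takes effect once the file is parsed; nginx first opens its compiled-in default error log under /var/log/nginx, which presumably yields a permission warning at startup when running as `nonroot` — harmless if so, but confirm, and the same applies to the flask `nginx.conf` hunk.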
@@ -1,22 +1,13 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2024. Devtron Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# +#!/bin/sh -# start-server.sh -python manage.py migrate -python manage.py createsuperuser --no-input +# Apply DB migrations +python /app/manage.py migrate -(gunicorn DjangoApp.wsgi --user www-data --bind 0.0.0.0:8000 --workers 3) && nginx -g "daemon off;" +# create superuser +python /app/manage.py createsuperuser --no-input + +# Start gunicorn as non-root user binding on port 8000 +gunicorn demo-project.wsgi:application --user nonroot --bind 0.0.0.0:8000 --workers 3 & + +# Start nginx (already configured to run without root) +nginx -g "daemon off;" diff --git a/sample-docker-templates/flask/Dockerfile b/sample-docker-templates/flask/Dockerfile index ad20d787cc..7d1dcfdba0 100644 --- a/sample-docker-templates/flask/Dockerfile +++ b/sample-docker-templates/flask/Dockerfile 
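Review bot: The script has no `set -e`, so a failed `migrate` is ignored and gunicorn/nginx start against a half-migrated database; add `set -eu` right after the `#!/bin/sh` line, and because `createsuperuser --no-input` fails on every restart once the user exists, make that step explicitly best-effort with `python /app/manage.py createsuperuser --no-input || echo "superuser not created (already exists?)"`. `gunicorn … &` leaves the application server unsupervised: if it dies, nginx keeps answering 502 and the container still looks healthy, and with `sh` as PID 1 and nginx in the foreground the `STOPSIGNAL SIGTERM` from the Dockerfile is presumably not forwarded to gunicorn at all — a supervisor, or `tini`/`docker run --init` plus a `trap` that forwards the signal, closes both gaps. The flask `start.sh` hunk has the same background-then-foreground shape and the same gap. `--user nonroot` is redundant now that the Dockerfile already switches with `USER nonroot`; harmless, but it suggests a privilege drop that is not happening here.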
@@ -1,39 +1,40 @@ -#Base Image -FROM python:3.8 +# Base Image - slim Python +FROM python:3.13-slim -#Getting System Ready to install dependencies -RUN apt-get clean \ - && apt-get -y update +# Environment settings +ENV PYTHONUNBUFFERED=1 LANG=C.UTF-8 -#Installing nginx -RUN apt-get -y install nginx \ - && apt-get -y install python3-dev \ - && apt-get -y install build-essential - -#Creating symbolic link for access and error log from nginx -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log +# Set workdir +WORKDIR /app -#Creating a dir in Container -RUN mkdir /app +COPY requirements.txt requirements.txt -#Moving into the directory created -WORKDIR /app +# Install system dependencies and nginx, then install Python deps +RUN apt-get update && \ + apt-get install -y --no-install-recommends nginx gcc python3-dev musl-dev build-essential libexpat1 && \ + pip install --no-cache-dir -r requirements.txt && \ + apt-get purge -y --auto-remove gcc python3-dev musl-dev build-essential && \ + rm -rf /var/lib/apt/lists/* -#Changing ownership of files in /app -RUN chown -R www-data:www-data /app +# Copy app code, configs, and start script +COPY app.py ./ +COPY uwsgi.ini ./ +COPY nginx.conf /etc/nginx/nginx.conf +COPY start.sh ./ +RUN chmod +x start.sh -#Adding the complete project in dir created -ADD . 
/app/ +# Create non-root user and set permissions +RUN groupadd -g 2002 nonroot && useradd -u 2002 -g nonroot -s /bin/bash -m nonroot && \ + mkdir -p /tmp/nginx-logs && chown -R nonroot:nonroot /app /tmp/nginx-logs -#Installing dependencies -RUN pip3 install -r requirements.txt +# Expose port 8080 +EXPOSE 8080 -# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/nginx.default for sample nginx.default file -COPY nginx.default /etc/nginx/sites-available/default +# Switch to non-root +USER nonroot -#Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/start.sh for sample start.sh file -#Making start.sh executable -RUN chmod +x ./start.sh +# Stop signal for graceful shutdown +STOPSIGNAL SIGTERM -CMD ["./start.sh"] +# Start server (migrations, superuser, gunicorn, nginx) +CMD ["/app/start.sh"] \ No newline at end of file diff --git a/sample-docker-templates/flask/nginx.conf b/sample-docker-templates/flask/nginx.conf new file mode 100644 index 0000000000..8b7f64cdf6 --- /dev/null +++ b/sample-docker-templates/flask/nginx.conf @@ -0,0 +1,35 @@ +worker_processes auto; +error_log /tmp/nginx-logs/error.log warn; +pid /tmp/nginx-logs/nginx.pid; + +events {} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /tmp/nginx-logs/access.log; + + client_body_temp_path /tmp/nginx-logs/client_temp; + proxy_temp_path /tmp/nginx-logs/proxy_temp; + fastcgi_temp_path /tmp/nginx-logs/fastcgi_temp; + uwsgi_temp_path /tmp/nginx-logs/uwsgi_temp; + scgi_temp_path /tmp/nginx-logs/scgi_temp; + + server { + listen 8080; + server_name localhost; + + location / { + proxy_pass http://127.0.0.1:5000; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /static/ { + alias /app/static/; + } + } +} 
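Review bot: The closing comment `# Start server (migrations, superuser, gunicorn, nginx)` was carried over from the django template; this image runs `start.sh`, which launches uWSGI and nginx, so change it to `# Start server (uwsgi, nginx)`. In the combined `RUN`, `apt-get purge -y --auto-remove gcc python3-dev musl-dev build-essential` is the right shape for keeping compilers out of the runtime layer, but `--auto-remove` also drops any library pulled in only as a build dependency that a compiled wheel still needs at run time — `libexpat1` is presumably kept explicitly for that reason, so a one-line comment naming which wheel needs it would stop a later cleanup from removing it. `musl-dev` on the Debian-based `python:3.13-slim` looks like a leftover from an Alpine recipe; confirm it is actually required.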
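Review bot: `location /static/ { alias /app/static/; }` points at a directory the flask Dockerfile never creates: that hunk copies only `app.py`, `uwsgi.ini`, `nginx.conf` and `start.sh` into `/app`, so every `/static/` request will 404 from nginx. Either add `COPY static/ ./static/` before the `chown -R nonroot:nonroot /app` step in the Dockerfile, or drop the location until the template ships static assets.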
diff --git a/sample-docker-templates/flask/nginx.default b/sample-docker-templates/flask/nginx.default deleted file mode 100644 index c2fbc75164..0000000000 --- a/sample-docker-templates/flask/nginx.default +++ /dev/null @@ -1,23 +0,0 @@ -# nginx.default - -server { - listen 8000 default_server; - listen [::]:8000 default_server; - server_name example.org; - root /app; - - location / { - include uwsgi_params; - uwsgi_pass unix:/tmp/uwsgi.socket; - } - - location /static { - root /app; - } - - # For https uncomment the below lines - - # listen 443 ssl; - # give your ssl_certificate in this block - -} \ No newline at end of file diff --git a/sample-docker-templates/flask/start.sh b/sample-docker-templates/flask/start.sh index ef72c97d44..cbfafbf0f4 100644 --- a/sample-docker-templates/flask/start.sh +++ b/sample-docker-templates/flask/start.sh @@ -1,22 +1,7 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2024. Devtron Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -service nginx start -# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/uwsgi.ini for sample uwsgi.ini file -uwsgi --ini uwsgi.ini +#!/bin/sh +# Start uWSGI in the background +uwsgi --ini /app/uwsgi.ini & +# Start Nginx in the foreground +nginx -g "daemon off;" \ No newline at end of file diff --git a/sample-docker-templates/flask/uwsgi.ini b/sample-docker-templates/flask/uwsgi.ini index 9d73c94025..42d2601f34 100644 
--- a/sample-docker-templates/flask/uwsgi.ini +++ b/sample-docker-templates/flask/uwsgi.ini @@ -1,14 +1,11 @@ [uwsgi] module = app:app -uid = www-data -gid = www-data master = true processes = 5 -socket = /tmp/uwsgi.socket -chmod-sock = 664 -vacuum = true - -die-on-term = true - +http = 127.0.0.1:5000 +uid = nonroot +gid = nonroot +vacuum = true +die-on-term = true \ No newline at end of file diff --git a/sample-docker-templates/go/Dockerfile b/sample-docker-templates/go/Dockerfile index d868e7c930..77fd0836ad 100644 --- a/sample-docker-templates/go/Dockerfile +++ b/sample-docker-templates/go/Dockerfile 
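Review bot: `uid = nonroot` / `gid = nonroot` are added while the container already runs as `nonroot` (`USER nonroot` in the flask Dockerfile), so uWSGI is not root and cannot change identity; presumably it only logs that the options are ignored, but confirm it does not refuse to start, and either way the two lines duplicate the Dockerfile and can be removed. The old `socket`/`chmod-sock` pair is replaced by `http = 127.0.0.1:5000`, which matches the new `proxy_pass http://127.0.0.1:5000` in nginx.conf; a one-line comment `# HTTP on loopback only; nginx on :8080 proxies here` would make that coupling visible to the next editor.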
@@ -1,36 +1,43 @@ -################################# Build Container ############################### +################################# Build Container ################################# -FROM golang:1.16 as builder +# Use the latest stable Go image for building +FROM golang:1.22.3 AS builder -# Setup the working directory +# Set working directory inside the container WORKDIR /app -# COPY go module -COPY go.mod go.sum /app/ - -# Download go modules and cache for next time build +# Copy Go module files and download dependencies +COPY go.mod go.sum ./ RUN go mod download -# Add source code -ADD . /app/ +# Copy the entire source code into the container +COPY . . -# Build the source +# Build the Go binary with CGO disabled for static linking RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main app.go +################################# Production Container ############################ + +# Use a minimal and secure Alpine base image +FROM alpine:3.20 -################################# Prod Container ################################# +# Install CA certificates (for HTTPS calls) +RUN apk --no-cache add ca-certificates -# Use a minimal alpine image -FROM alpine:3.7 +# Create a non-root user with UID/GID 2002 +RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot -# Add ca-certificates in case you need them -RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* +# Switch to the non-root user +USER nonroot # Set working directory -WORKDIR /root +WORKDIR /home/nonroot -# Copy the binary from builder +# Copy the compiled binary from the builder stage COPY --from=builder /app/main . -# Run the binary -CMD ["./main"] \ No newline at end of file +# Expose port 8080 for the application +EXPOSE 8080 + +# Start the application +CMD ["./main"] diff --git a/sample-docker-templates/java/Gradle_Dockerfile b/sample-docker-templates/java/Gradle_Dockerfile index 30945dc67d..060dcc79fd 100644 --- a/sample-docker-templates/java/Gradle_Dockerfile 
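Review bot: `# Use the latest stable Go image for building` sits above a line pinned to `golang:1.22.3`, so the comment is wrong as soon as the pin ages; write `# Pinned Go toolchain; bump the tag deliberately` and let the tag carry the version. `-a -installsuffix cgo` are legacy flags that `CGO_ENABLED=0` makes unnecessary on current toolchains; `RUN CGO_ENABLED=0 GOOS=linux go build -o main app.go` is enough, though this is style only. `COPY --from=builder /app/main .` runs after `USER nonroot` and leaves the binary root-owned; that is fine for execution and is the least-privilege choice, but a comment saying so would stop a later reader from "fixing" it with a `chown`.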
+++ b/sample-docker-templates/java/Gradle_Dockerfile @@ -1,30 +1,38 @@ ################################# Build Container ############################### -# Base Image of Build Container -FROM gradle:4.7.0-jdk8-alpine AS build +# Use latest Gradle with JDK 21 and Alpine for minimal size and speed +FROM gradle:8.13.0-jdk21-alpine AS build -# Changing the ownership of file and copying files in container +# Set working directory and ensure proper permissions COPY --chown=gradle:gradle . /home/gradle/src - -# Moving into workdir WORKDIR /home/gradle/src -# Compiling & building the code -RUN gradle build --no-daemon +# Build the application without using the Gradle daemon +RUN gradle build --no-daemon ################################# Prod Container ################################# -# Base Image for Prod Container -FROM openjdk:8-jre-slim +# Use a minimal JDK base image for production +FROM eclipse-temurin:21-jdk-jammy -# Exposing Port of this container -EXPOSE 8080 +# Create a non-root user to run the app securely +RUN addgroup --gid 2002 nonroot && adduser --gid 2002 --uid 2002 nonroot --disabled-password --gecos "" + + +# Set the working directory +WORKDIR /app -# Creating a dir -RUN mkdir /app +# Copy the JAR file from the build stage +COPY --from=build /home/gradle/src/build/libs/*.jar /app/demo.jar -# Copying only the jar files created before -COPY --from=build /home/gradle/src/build/libs/*.jar /app/my-app.jar +# Set ownership of the jar file +RUN chown nonroot:nonroot /app/demo.jar + +# Switch to non-root user +USER nonroot + +# Expose the application port +EXPOSE 8080 -# Uncomment if you want to run default commands during the initialization of this container -# CMD exec java -jar /app/my-app.jar \ No newline at end of file +# Run the jar file +CMD ["java", "-jar", "/app/demo.jar"] diff --git a/sample-docker-templates/java/Maven_Dockerfile b/sample-docker-templates/java/Maven_Dockerfile index 52d7181417..bdd1db76f9 100644 
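Review bot: `COPY --from=build … /app/demo.jar` followed by `RUN chown nonroot:nonroot /app/demo.jar` writes the jar into two layers; use `COPY --from=build --chown=nonroot:nonroot /home/gradle/src/build/libs/*.jar /app/demo.jar` and drop the `chown` step (the Maven_Dockerfile hunk has the same pair). The `*.jar` glob with a file-name destination fails the build if `build/libs` holds more than one jar — for example a `-plain.jar` next to the boot jar, which Spring Boot's Gradle plugin emits by default; inferred, so confirm against this sample's build. The comment `# Use a minimal JDK base image for production` does not fit `eclipse-temurin:21-jdk-jammy`, a full JDK on Ubuntu; the kotlin template in this same commit uses `eclipse-temurin:21-jre-jammy`, which is the runtime-only variant and is sufficient to run a jar.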
--- a/sample-docker-templates/java/Maven_Dockerfile +++ b/sample-docker-templates/java/Maven_Dockerfile 
@@ -1,33 +1,45 @@ ################################# Build Container ############################### -# Base Image for Build Container -FROM maven:3.5.3-jdk-8-alpine as base +# Use latest Maven with Amazon Corretto 21 on Debian for consistent build environment +FROM maven:3.9.9-amazoncorretto-21-debian as base -# Moving into working directory +# Set working directory inside container WORKDIR /build -# Copying pom.xml file initially for caching +# Copy pom.xml separately to leverage Docker cache for dependencies COPY pom.xml . -# Downloading Dependencies +# Download dependencies for offline use RUN mvn dependency:go-offline -# Copying files to /build/src/ inside container +# Copy the source code to container COPY src/ /build/src/ -# Building package -RUN mvn package +# Build the project and package the application +RUN mvn clean package ################################# Prod Container ################################# -# Base Image for Prod Container -FROM openjdk:8-jre-alpine +# Use a slim OpenJDK 21 image based on Debian for production +FROM eclipse-temurin:21-jdk-jammy -# Exposing Port of this new container -EXPOSE 4567 +# Create a non-root user 'nonroot' for security best practices +RUN addgroup --gid 2002 nonroot && adduser --gid 2002 --uid 2002 nonroot --disabled-password --gecos "" -# Copying the executable jar file build on previous container -COPY --from=base /build/target/*.jar /app/my-app.jar +# Set working directory +WORKDIR /app -# Uncomment if you want to run default commands during the initialization of this container -# CMD exec java -jar /app/my-app.jar \ No newline at end of file +# Copy the built jar from build stage +COPY --from=base /build/target/*.jar /app/demo.jar + +# Change ownership to non-root user +RUN chown nonroot:nonroot /app/demo.jar + +# Switch to non-root user +USER nonroot + +# Expose the port the app listens on +EXPOSE 8080 + +# Default command to run the jar file +CMD ["java", "-jar", "/app/demo.jar"] 
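Review bot: `FROM maven:3.9.9-amazoncorretto-21-debian as base` uses lowercase `as`; BuildKit's FromAsCasing check warns on it, so write `AS base` (the react Dockerfile's `as build` has the same issue). The comment `# Use a slim OpenJDK 21 image based on Debian for production` does not describe `eclipse-temurin:21-jdk-jammy`, which is a full Temurin JDK on Ubuntu jammy; reword it, or switch to the `21-jre-jammy` variant used by the kotlin template and say so. `mvn clean package` in a fresh build stage has nothing to clean; harmless, but `mvn package` is the accurate command and matches the `go-offline` step above it.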
diff --git a/sample-docker-templates/kotlin/Dockerfile b/sample-docker-templates/kotlin/Dockerfile index 198db63704..863e3d1fd9 100644 --- a/sample-docker-templates/kotlin/Dockerfile +++ b/sample-docker-templates/kotlin/Dockerfile 
@@ -1,41 +1,32 @@ -# Using Base image -FROM alpine:latest +# --- Build stage --- +FROM gradle:8.13.0-jdk21-alpine AS builder -# Build args -ARG VCS_REF -ARG BUILD_DATE +WORKDIR /src -# Setting resource quota -ARG MIN_MEM=2G -ARG MAX_MEM=2G +# Copy Gradle build files +COPY build.gradle.kts . +COPY settings.gradle.kts . -RUN apk add --update bash && \ - apk fetch openjdk8 && \ - apk add --no-cache openjdk8; +# Create directory structure and copy source code +RUN mkdir -p src/main/kotlin +COPY app.kt src/main/kotlin/App.kt -RUN apk add --no-cache build-base wget && \ - cd /usr/lib && \ - # Installing Kotlin compiler in zip file - wget 'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip' && \ - # Unzipping the downloaded zip file - unzip kotlin-compiler-*.zip && \ - rm kotlin-compiler-*.zip && \ - rm -f kotlinc/bin/*.bat; +# Build the Kotlin JAR +RUN gradle installDist --no-daemon --parallel -# Setting up environmental variable path -ENV PATH $PATH:/usr/lib/kotlinc/bin +# --- Final stage --- +FROM eclipse-temurin:21-jre-jammy -# Making a directory named 'app' in the container -RUN mkdir app +# Add a non-root user for security +RUN addgroup --gid 2002 nonroot && adduser --gid 2002 --uid 2002 nonroot --disabled-password --gecos "" -# Copying 'app.kt' from 'app' folder on host to recently created 'app' folder in container -COPY app/app.kt /app +WORKDIR /home/nonroot -# Set working directory -WORKDIR /app +# Copy the built distribution from the builder stage +COPY --from=builder /src/build/install/app ./ -# Compiling source -RUN kotlinc app.kt -include-runtime -d app.jar +USER nonroot +EXPOSE 8080 -# Execution -CMD ["java","-jar","./app.jar"] \ No newline at end of file +# Run the application +CMD ["bin/app"] \ No newline at end of file diff --git a/sample-docker-templates/node/Dockerfile b/sample-docker-templates/node/Dockerfile index 123a903771..746403165d 100644 --- a/sample-docker-templates/node/Dockerfile 
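Review bot: `RUN mkdir -p src/main/kotlin` is an extra layer with no effect, because the following `COPY app.kt src/main/kotlin/App.kt` creates missing parent directories itself; drop the `RUN`. The stage copies `build.gradle.kts` and `settings.gradle.kts` and runs `gradle installDist`, yet neither file is part of this commit and the old layout kept the source at `app/app.kt`, so confirm both Gradle files exist in the template directory and that `app.kt` was moved, otherwise the build stops at `COPY`. `COPY --from=builder /src/build/install/app ./` into `/home/nonroot` leaves the distribution root-owned; that is fine for execution, and a comment stating it is intentional would prevent a later `chown -R`.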
+++ b/sample-docker-templates/node/Dockerfile 
@@ -1,36 +1,43 @@ -# Base Image -From node:12.18.1 +# Use a minimal Node.js base image +FROM node:22-alpine -# Seeting up env as production +# Set environment for production ENV NODE_ENV=production -#Getting System Ready to install dependencies -RUN apt-get clean \ - && apt-get -y update - -# Installing nginx -RUN apt-get -y install nginx \ - && apt-get -y install python3-dev \ - && apt-get -y install build-essential +# Install necessary packages: nginx only +RUN apk update && apk add --no-cache nginx -# Creating symbolic link for access and error log from nginx -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log +# Set working directory +WORKDIR /app +# Copy application code +COPY . . -# Making /app dir as working dir -WORKDIR /app +# Main global config +COPY nginx.conf /etc/nginx/nginx.conf + +# Default server/site config +COPY nginx-default.conf /etc/nginx/http.d/default.conf + +# Install production dependencies +RUN npm install --production --prefer-offline --no-audit && \ + npm i -g pm2 -# Adding complete files and dirs in app dir in container -ADD . 
/app/ +# Create non-root user and set permissions +RUN addgroup -g 2002 nonroot && \ + adduser -u 2002 -G nonroot -S nonroot && \ + mkdir -p /var/lib/nginx/tmp/client_body && \ + chown -R nonroot:nonroot /app /var/log/nginx /var/lib/nginx -# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/node/nginx.default for sample nginx.default -COPY nginx.default /etc/nginx/sites-available/default +# Expose port 8080 +EXPOSE 8080 -# Installing dependencies -RUN npm install --production -RUN npm i -g pm2 +# Switch to non-root user +USER nonroot -# Starting Server -CMD ["sh", "-c", "service nginx start ; pm2-runtime src/index.js -i 0"] +# Link logs to stdout/stderr +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log +# Start your app listening on port 8080 +CMD ["sh", "-c", "nginx && pm2-runtime src/index.js -i 0 --port=8080"] \ No newline at end of file diff --git a/sample-docker-templates/node/nginx-default.conf b/sample-docker-templates/node/nginx-default.conf new file mode 100644 index 0000000000..fd1cac68a1 --- /dev/null +++ b/sample-docker-templates/node/nginx-default.conf 
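Review bot: The CMD `pm2-runtime src/index.js -i 0 --port=8080` and the new `nginx-default.conf` disagree about where the app listens: nginx itself binds `8080` and proxies to `127.0.0.1:3000`, so if `--port=8080` makes the application bind 8080 it collides with nginx, and if it does not, the flag is dead — confirm what the app reads and align it with the `proxy_pass` target (presumably `--port=3000` or the app's `PORT` env). `COPY . .` before `RUN npm install --production …` means any source change reinstalls dependencies and the install is not pinned to the lockfile; copy `package.json package-lock.json ./` first, run `npm ci --omit=dev`, then copy the source. `RUN apk update && apk add --no-cache nginx` is self-contradictory, since `apk update` writes the index cache that `--no-cache` exists to avoid; drop `apk update &&`.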
@@ -0,0 +1,34 @@ +# This contains a server block defining how a specific domain/route should be handled. +# nginx-default.conf + +# To allow a non-root container process to bind to privileged ports (e.g., 80 or 443), +# you need to add the NET_BIND_SERVICE capability to the security context: +# +# securityContext: +# allowPrivilegeEscalation: false +# capabilities: +# add: +# - NET_BIND_SERVICE +# drop: +# - ALL +# +# Since adding capabilities may reduce security or require extra setup in Kubernetes, +# it's simpler and safer to use an unprivileged port like 8080 for your app. + + +server { + listen 8080; + listen [::]:8080; + root /app; + server_name localhost; + + + location / { + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://127.0.0.1:3000; + } + +} \ No newline at end of file diff --git a/sample-docker-templates/node/nginx.conf b/sample-docker-templates/node/nginx.conf new file mode 100644 index 0000000000..40a22b8fa2 --- /dev/null +++ b/sample-docker-templates/node/nginx.conf @@ -0,0 +1,23 @@ +# This is the global Nginx configuration file (typically contains user, worker_processes, http block, etc.) +# /etc/nginx/nginx.conf + +# user nginx; +worker_processes auto; +error_log /var/log/nginx/error.log notice; +pid /tmp/nginx.pid; +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + sendfile on; + keepalive_timeout 65; + + include /etc/nginx/http.d/*.conf; +} diff --git a/sample-docker-templates/node/nginx.default b/sample-docker-templates/node/nginx.default deleted file mode 100644 index 831c838473..0000000000 --- a/sample-docker-templates/node/nginx.default +++ /dev/null 
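Review bot: `root /app;` makes the application source tree the document root of a server block whose only location is a proxy; it is unused today, but any later non-proxy `location` (a `/static/` block like the other templates have) would serve `package.json`, `node_modules` and any `.env` straight out of `/app`. Point it at a dedicated assets directory (`root /app/public;`) or remove the directive, and add `# no document root: every request is proxied to the Node process` so the intent survives. The upstream `127.0.0.1:3000` must match the port the Node app binds; see the `--port=8080` in the Dockerfile CMD.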
@@ -1,17 +0,0 @@ -# nginx.default - -server { - listen 80; - listen [::]:80; - server_name example.org; - root /app; - - location / { - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass http://127.0.0.1:3000; - } - -} diff --git a/sample-docker-templates/php/Apache_Dockerfile b/sample-docker-templates/php/Apache_Dockerfile index 66d9b684b8..5965c42912 100644 --- a/sample-docker-templates/php/Apache_Dockerfile +++ b/sample-docker-templates/php/Apache_Dockerfile @@ -1,16 +1,18 @@ -# Base Image -FROM php:7-apache +# Using latest stable PHP with Apache (8.3) +FROM php:8.3-apache -# Enabling modules from /etc/apache2/mods-available to /etc/apache2/mods-enabled +# Enable apache mod_rewrite RUN a2enmod rewrite -# Restarting apache2 server -RUN /etc/init.d/apache2 restart +# Create non-root user with UID/GID 2002 and set ownership +RUN groupadd -g 2002 nonroot && useradd -u 2002 -g nonroot -m nonroot && \ + chown -R nonroot:www-data /var/www/html -# Giving ownship of html dir to www-data user -RUN chown -R www-data:www-data /var/www/html +# Copy application source code +COPY --chown=nonroot:www-data . /var/www/html/ +# Switch to non-root user for security +USER nonroot -# Copy application source -COPY . /var/www/html/ - +# Apache runs as www-data internally, so no need to restart here +# CMD is inherited from base image and will run apache2 in foreground by default diff --git a/sample-docker-templates/php/Nginx_Dockerfile b/sample-docker-templates/php/Nginx_Dockerfile index 1a925599af..22357f96d6 100644 --- a/sample-docker-templates/php/Nginx_Dockerfile +++ b/sample-docker-templates/php/Nginx_Dockerfile 
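Review bot: `USER nonroot` on `php:8.3-apache` very likely breaks the inherited `apache2-foreground` CMD: that image's Apache is configured to `Listen 80` and to write `/var/run/apache2`, `/var/lock/apache2` and `/var/log/apache2` as root before switching its workers to `www-data`, and none of that is reachable from UID 2002 (port 80 needs CAP_NET_BIND_SERVICE and the directories are not chowned here) — inferred from the base image, so verify with a `docker run`. Either keep the image's own privilege-drop design (start as root, Apache's workers run as `www-data`) and say so in place of `# Apache runs as www-data internally, so no need to restart here`, or finish the job: move the port in `/etc/apache2/ports.conf` and the vhost to 8080, `chown` the run/lock/log directories, and add `EXPOSE 8080`. The `chown -R nonroot:www-data /var/www/html` in the user-creation `RUN` is redundant with the following `COPY --chown=nonroot:www-data`, which already sets ownership on everything it writes.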
@@ -1,31 +1,24 @@ -# base image -FROM ubuntu:16.04 +# Use Ubuntu 24.04 LTS as base image for latest stable environment +FROM ubuntu:24.04 -# update & install system -RUN apt-get update -RUN apt-get -y upgrade +ENV DEBIAN_FRONTEND=noninteractive -# installing packages -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.0 \ - php7.0-cli \ - php-fpm +RUN apt-get update && apt-get upgrade -y && \ + apt-get install -y --no-install-recommends \ + php8.3 php8.3-cli php8.3-fpm nginx && \ + apt-get clean && rm -rf /var/lib/apt/lists/* -RUN DEBIAN_FRONTEND="noninteractive" apt-get install -y nginx-full +# Create non-root user and set permissions +RUN groupadd -g 2002 nonroot && useradd -u 2002 -g nonroot -s /bin/bash -m nonroot && \ + mkdir -p /run/php && chown -R nonroot:nonroot /var/www/html /run/php -# copying nginx conf to its path COPY nginx-site.conf /etc/nginx/sites-available/default -# setting working dir WORKDIR /var/www/html/ - -# creating nested dir where fpm service would be found -RUN mkdir -p /run/php - -# copying static files to location COPY . /var/www/html -# service exposed EXPOSE 80 -# executing command -CMD ["/bin/bash", "-c", "service php7.0-fpm start && nginx -g \"daemon off;\""] \ No newline at end of file +USER nonroot + +CMD ["/bin/bash", "-c", "php-fpm8.3 --daemonize && nginx -g 'daemon off;'"] diff --git a/sample-docker-templates/php/nginx-site.conf b/sample-docker-templates/php/nginx-site.conf index ad094bf4f6..dfd383d0fa 100644 --- a/sample-docker-templates/php/nginx-site.conf +++ b/sample-docker-templates/php/nginx-site.conf @@ -1,6 +1,6 @@ server { - listen 80; ## listen for ipv4; this line is default and implied - listen [::]:80 default ipv6only=on; ## listen for ipv6 + listen 8080; # listen for ipv4 as non-root + listen [::]:8080 default ipv6only=on; # listen for ipv6 as non-root root /var/www/html; index index.php index.html index.htm; 
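Review bot: `EXPOSE 80` is now stale: the `nginx-site.conf` hunk in this commit moves the listener to `8080`, so change it to `EXPOSE 8080` (the `php/php7.4/Dockerfile` hunk has the same mismatch). Switching to `USER nonroot` only chowns `/var/www/html` and `/run/php`, while the stock Ubuntu nginx still writes `/run/nginx.pid`, `/var/log/nginx` and `/var/lib/nginx`, and php-fpm 8.3 writes its pid and log outside `/run/php` and keeps `user = www-data` in its pool — inferred from distro defaults, but this will presumably fail to start as UID 2002; either ship a main `nginx.conf` with `pid` and temp paths under a writable directory as the django/flask templates do, plus a pool config for the nonroot user, or drop the `USER` line and let php-fpm/nginx drop privileges themselves. `ENV DEBIAN_FRONTEND=noninteractive` is a build-time setting that now leaks into the runtime environment; use `ARG DEBIAN_FRONTEND=noninteractive`, and `apt-get upgrade -y` is better replaced by bumping the base tag (hadolint DL3005).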
@@ -40,7 +40,7 @@ server { location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php/php7.0-fpm.sock; + fastcgi_pass unix:/run/php/php8.3-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_index index.php; diff --git a/sample-docker-templates/php/php7.4/Dockerfile b/sample-docker-templates/php/php7.4/Dockerfile index ddff47d9fe..1955b99d3e 100644 --- a/sample-docker-templates/php/php7.4/Dockerfile +++ b/sample-docker-templates/php/php7.4/Dockerfile @@ -1,24 +1,25 @@ -FROM ubuntu:20.04 +FROM ubuntu:24.04 -RUN apt-get update -RUN apt-get -y upgrade +ENV DEBIAN_FRONTEND=noninteractive -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.4 \ - php7.4-cli \ - php-fpm \ - php7.4-mysql \ - php7.4-curl \ - net-tools +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + php8.3-cli \ + php8.3-fpm \ + nginx && \ + apt-get clean && rm -rf /var/lib/apt/lists/* + +RUN groupadd -g 2002 nonroot && useradd -u 2002 -g nonroot -s /bin/bash -m nonroot && \ + mkdir -p /run/php && chown -R nonroot:nonroot /var/www/html /run/php -RUN DEBIAN_FRONTEND="noninteractive" apt-get install -y nginx-full ADD nginx-site.conf /etc/nginx/sites-available/default WORKDIR /var/www/html/ -RUN mkdir -p /run/php - COPY . /var/www/html EXPOSE 80 -CMD ["/bin/bash", "-c", "service php7.4-fpm start && nginx -g \"daemon off;\""] \ No newline at end of file +USER nonroot + +CMD ["/bin/bash", "-c", "php-fpm8.3 --daemonize && nginx -g 'daemon off;'"] diff --git a/sample-docker-templates/php/php7.4/nginx-site.conf b/sample-docker-templates/php/php7.4/nginx-site.conf index 6b0e2929cb..dfd383d0fa 100644 --- a/sample-docker-templates/php/php7.4/nginx-site.conf +++ b/sample-docker-templates/php/php7.4/nginx-site.conf 
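Review bot: `ADD nginx-site.conf /etc/nginx/sites-available/default` survives from the old file but uses `ADD` for a plain local file; `COPY` is the explicit form (hadolint DL3020) and is what the sibling `php/Nginx_Dockerfile` uses. The directory is still `php/php7.4/` while the hunk now installs `php8.3-cli php8.3-fpm`, so the template name no longer says what it builds; either rename the directory or add `# NOTE: this template now installs PHP 8.3; the directory name is historical` at the top. The `EXPOSE 80` versus `listen 8080` mismatch and the non-root writable-path gaps are the same as in the `php/Nginx_Dockerfile` hunk.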
@@ -1,6 +1,6 @@ server { - listen 80; ## listen for ipv4; this line is default and implied - listen [::]:80 default ipv6only=on; ## listen for ipv6 + listen 8080; # listen for ipv4 as non-root + listen [::]:8080 default ipv6only=on; # listen for ipv6 as non-root root /var/www/html; index index.php index.html index.htm; @@ -40,7 +40,7 @@ server { location ~ \.php$ { try_files $uri =404; fastcgi_split_path_info ^(.+\.php)(/.+)$; - fastcgi_pass unix:/run/php/php7.4-fpm.sock; + fastcgi_pass unix:/run/php/php8.3-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_index index.php; diff --git a/sample-docker-templates/react/Dockerfile b/sample-docker-templates/react/Dockerfile index c89eb45a94..51811c54b4 100644 --- a/sample-docker-templates/react/Dockerfile +++ b/sample-docker-templates/react/Dockerfile 
@@ -1,32 +1,48 @@ ###### BUILD ENVIRONMENT ###### -# Base Image -FROM node:12.18.1 as build +# Use official Node.js LTS base image for building React app +FROM node:22.14.0 as build -# Moving into working directory +# Set working directory WORKDIR /app -# Adding all files and dirs to /app inside container -ADD . /app/ +# Copy all source files to container +COPY . /app/ -# Installing dependencies +# Install dependencies RUN npm install -# Creating Production build for react-app +# Create production build of React app RUN npm run build -# In this dockerfile using the concept of docker multistage build ###### PRODUCTION ENVIRONMENT ###### -# Base Image for prod env +# Use official stable nginx Alpine image (small and secure) FROM nginx:stable-alpine -# Adding the build files from previous container to nginx/html +# Create non-root user and group +RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot + +# Copy React build files from build stage to nginx html folder COPY --from=build /app/build /usr/share/nginx/html -# Exposing port 80 to listen http requests -EXPOSE 80 +# Give permissions to nonroot user for required nginx folders +RUN chown -R nonroot:nonroot /usr/share/nginx/html /var/cache/nginx /var/log/nginx/ + +# Copy custom NGINX config file +COPY nginx.conf /etc/nginx/nginx.conf + +# Link logs to stdout/stderr +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log + + +# Switch to non-root user +USER nonroot + +# Expose port 8080 (non-root) +EXPOSE 8080 -# Command to run +# Run nginx in foreground CMD ["nginx", "-g", "daemon off;"] diff --git a/sample-docker-templates/react/nginx.conf b/sample-docker-templates/react/nginx.conf new file mode 100644 index 0000000000..a874a4849d --- /dev/null +++ b/sample-docker-templates/react/nginx.conf 
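Review bot: `COPY --from=build /app/build /usr/share/nginx/html` followed by `RUN chown -R nonroot:nonroot /usr/share/nginx/html …` duplicates the whole build output across two layers; use `COPY --from=build --chown=nonroot:nonroot /app/build /usr/share/nginx/html` and keep the `chown` only for `/var/cache/nginx /var/log/nginx/`. The build stage runs `npm install` after `COPY . /app/`, so any source edit reinstalls dependencies and the install is not pinned to the lockfile; copy `package.json package-lock.json ./`, run `npm ci`, then copy the source. `FROM node:22.14.0 as build` should read `AS build` (BuildKit FromAsCasing).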
@@ -0,0 +1,32 @@ +worker_processes auto; +error_log /var/log/nginx/error.log warn; +pid /tmp/nginx.pid; + +events { + worker_connections 1024; +} + +http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + sendfile on; + keepalive_timeout 65; + + server { + listen 8080; + server_name localhost; + + root /usr/share/nginx/html; + index index.html index.htm; + + location / { + try_files $uri $uri/ /index.html; + } + + error_page 404 /index.html; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + } +} diff --git a/sample-docker-templates/rust/Dockerfile b/sample-docker-templates/rust/Dockerfile index 97e7454de0..34d251889b 100644 --- a/sample-docker-templates/rust/Dockerfile +++ b/sample-docker-templates/rust/Dockerfile @@ -1,25 +1,30 @@ -# Using Base image -FROM alpine:latest +# --- Build Stage --- +FROM rust:1.77-alpine AS builder -#Build args -ARG VCS_REF -ARG BUILD_DATE +WORKDIR /src -# Setting resource quota -ARG MIN_MEM=2G -ARG MAX_MEM=2G +# Copy your Rust source code +COPY src/main.rs . -# Installing rust and making a folder named 'src' into it -RUN apk add --no-cache rust && mkdir /src +# Build the Rust binary +RUN rustc main.rs -o app -# Copying 'main.rs' from 'src' folder on host to recently created 'src' folder in container -COPY src/main.rs /src +# --- Final Stage --- +FROM alpine:3.21 -# Set working directory -WORKDIR /src +# Create a non-root user for security +RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot + +WORKDIR /app + +# Copy the compiled Rust binary from the builder stage +COPY --from=builder /src/app . + +# Expose the port your Rust app uses (adjust as needed) +EXPOSE 8080 -#Compiling source -RUN rustc main.rs +# Switch to non-root user +USER nonroot -#Execution -CMD ["./main"] \ No newline at end of file +# Command to run the app +CMD ["./app"]
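Review bot: The build stage copies only `src/main.rs` and compiles it with bare `rustc main.rs -o app`, so the template cannot express any crate dependency (no `Cargo.toml`, no `cargo build --release`); that is fine for a single-file sample but should be stated, e.g. `# Single-file build via rustc; switch to COPY Cargo.toml Cargo.lock ./ and cargo build --release once the app has dependencies`. `COPY --from=builder /src/app .` into `/app` runs before `USER nonroot` and leaves the binary root-owned and read-only to the runtime user, which is the right least-privilege default; a short comment saying so would keep a later edit from adding a `chown`.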