From 04dfaa3bd5c4f1bbc1687db88f865ae18c74c7dc Mon Sep 17 00:00:00 2001 From: pawan-59 Date: Mon, 10 Feb 2025 15:05:52 +0530 Subject: [PATCH 1/8] updated golang version to 1.23 --- sample-docker-templates/go/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-docker-templates/go/Dockerfile b/sample-docker-templates/go/Dockerfile index d868e7c930..df2846bafa 100644 --- a/sample-docker-templates/go/Dockerfile +++ b/sample-docker-templates/go/Dockerfile @@ -1,6 +1,6 @@ ################################# Build Container ############################### -FROM golang:1.16 as builder +FROM golang:1.23 as builder # Setup the working directory WORKDIR /app From e09f6adde5635186e33f4c9524239fbadee98cf2 Mon Sep 17 00:00:00 2001 From: pawan-59 Date: Mon, 10 Feb 2025 15:16:53 +0530 Subject: [PATCH 2/8] updated go sample dockerfile --- sample-docker-templates/go/Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sample-docker-templates/go/Dockerfile b/sample-docker-templates/go/Dockerfile index df2846bafa..d3471013af 100644 --- a/sample-docker-templates/go/Dockerfile +++ b/sample-docker-templates/go/Dockerfile @@ -1,6 +1,6 @@ ################################# Build Container ############################### -FROM golang:1.23 as builder +FROM golang:1.23 AS builder # Setup the working directory WORKDIR /app @@ -17,11 +17,10 @@ ADD . /app/ # Build the source RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main app.go - ################################# Prod Container ################################# # Use a minimal alpine image -FROM alpine:3.7 +FROM alpine:3.21 # Add ca-certificates in case you need them RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* From 5e0cb7bcd811e1b9e5a25ec0b149e20e029ba2de Mon Sep 17 00:00:00 2001 
From: Badal Kumar Prusty Date: Tue, 18 Mar 2025 18:43:40 +0530 Subject: [PATCH 3/8] modified versions to java-21 LTS --- sample-docker-templates/java/Gradle_Dockerfile | 13 +++++++------ sample-docker-templates/java/Maven_Dockerfile | 12 ++++++------ 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/sample-docker-templates/java/Gradle_Dockerfile b/sample-docker-templates/java/Gradle_Dockerfile index 30945dc67d..0fd259a9a6 100644 --- a/sample-docker-templates/java/Gradle_Dockerfile +++ b/sample-docker-templates/java/Gradle_Dockerfile @@ -1,7 +1,7 @@ ################################# Build Container ############################### # Base Image of Build Container -FROM gradle:4.7.0-jdk8-alpine AS build +FROM gradle:8.13.0-jdk21-alpine AS build # Changing the ownership of file and copying files in container COPY --chown=gradle:gradle . /home/gradle/src @@ -9,13 +9,14 @@ COPY --chown=gradle:gradle . /home/gradle/src # Moving into workdir WORKDIR /home/gradle/src -# Compiling & building the code -RUN gradle build --no-daemon +# Compiling & building the code +RUN gradle build --no-daemon ################################# Prod Container ################################# # Base Image for Prod Container -FROM openjdk:8-jre-slim +FROM openjdk:21-jdk-slim + # Exposing Port of this container EXPOSE 8080 @@ -24,7 +25,7 @@ EXPOSE 8080 RUN mkdir /app # Copying only the jar files created before -COPY --from=build /home/gradle/src/build/libs/*.jar /app/my-app.jar +COPY --from=build /home/gradle/src/build/libs/*.jar /app/demo.jar # Uncomment if you want to run default commands during the initialization of this container -# CMD exec java -jar /app/my-app.jar \ No newline at end of file +# CMD ["java","-jar","/app/demo.jar"] \ No newline at end of file diff --git a/sample-docker-templates/java/Maven_Dockerfile b/sample-docker-templates/java/Maven_Dockerfile index 52d7181417..84c4e062e1 100644 --- a/sample-docker-templates/java/Maven_Dockerfile 
+++ b/sample-docker-templates/java/Maven_Dockerfile @@ -1,7 +1,7 @@ ################################# Build Container ############################### # Base Image for Build Container -FROM maven:3.5.3-jdk-8-alpine as base +FROM maven:3.9.9-amazoncorretto-21-debian as base # Moving into working directory WORKDIR /build @@ -16,18 +16,18 @@ RUN mvn dependency:go-offline COPY src/ /build/src/ # Building package -RUN mvn package +RUN mvn clean package ################################# Prod Container ################################# # Base Image for Prod Container -FROM openjdk:8-jre-alpine +FROM openjdk:21-jdk-slim # Exposing Port of this new container -EXPOSE 4567 +EXPOSE 8080 # Copying the executable jar file build on previous container -COPY --from=base /build/target/*.jar /app/my-app.jar +COPY --from=base /build/target/*.jar /app/demo.jar # Uncomment if you want to run default commands during the initialization of this container -# CMD exec java -jar /app/my-app.jar \ No newline at end of file +# CMD ["java","-jar","/app/demo.jar"] \ No newline at end of file From a6434a2eeab77b39698c2b16d57199437fb65977 Mon Sep 17 00:00:00 2001 From: Badal Kumar Prusty Date: Tue, 18 Mar 2025 18:47:15 +0530 Subject: [PATCH 4/8] modified versions to node v22.14.0 LTS --- sample-docker-templates/node/Dockerfile | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/sample-docker-templates/node/Dockerfile b/sample-docker-templates/node/Dockerfile index 123a903771..a233a8952d 100644 --- a/sample-docker-templates/node/Dockerfile +++ b/sample-docker-templates/node/Dockerfile @@ -1,5 +1,5 @@ # Base Image -From node:12.18.1 +FROM node:22.14.0 # Seeting up env as production ENV NODE_ENV=production @@ -32,5 +32,4 @@ RUN npm install --production RUN npm i -g pm2 # Starting Server -CMD ["sh", "-c", "service nginx start ; pm2-runtime src/index.js -i 0"] - +CMD ["sh", "-c", "service nginx start ; pm2-runtime src/index.js -i 0"] \ No newline at end of file 
From b3928e0230011b950908e777abedcc9771a4d95a Mon Sep 17 00:00:00 2001 From: Badal Kumar Prusty Date: Tue, 8 Apr 2025 13:40:12 +0530 Subject: [PATCH 5/8] modified versions to node v22.14.0 LTS --- sample-docker-templates/react/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sample-docker-templates/react/Dockerfile b/sample-docker-templates/react/Dockerfile index c89eb45a94..37adc438cf 100644 --- a/sample-docker-templates/react/Dockerfile +++ b/sample-docker-templates/react/Dockerfile @@ -1,7 +1,7 @@ ###### BUILD ENVIRONMENT ###### # Base Image -FROM node:12.18.1 as build +FROM node:22.14.0 as build # Moving into working directory WORKDIR /app @@ -30,3 +30,4 @@ EXPOSE 80 # Command to run CMD ["nginx", "-g", "daemon off;"] + From 5e60dadc4d24075ddb4727231592511feaced2d8 Mon Sep 17 00:00:00 2001 From: Badal Kumar Prusty Date: Thu, 10 Apr 2025 18:08:31 +0530 Subject: [PATCH 6/8] updated base images versions --- sample-docker-templates/django/Dockerfile | 2 +- sample-docker-templates/flask/Dockerfile | 2 +- sample-docker-templates/php/php7.4/Dockerfile | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/sample-docker-templates/django/Dockerfile b/sample-docker-templates/django/Dockerfile index b84c90ebe6..688abbccc0 100644 --- a/sample-docker-templates/django/Dockerfile +++ b/sample-docker-templates/django/Dockerfile @@ -1,7 +1,7 @@ # Dockerfile # Base Image -FROM python:3.8 +FROM python:3.13 # set default environment variables ENV PYTHONUNBUFFERED 1 diff --git a/sample-docker-templates/flask/Dockerfile b/sample-docker-templates/flask/Dockerfile index ad20d787cc..6d121d760d 100644 --- a/sample-docker-templates/flask/Dockerfile +++ b/sample-docker-templates/flask/Dockerfile @@ -1,5 +1,5 @@ #Base Image -FROM python:3.8 +FROM python:3.13 #Getting System Ready to install dependencies RUN apt-get clean \ 
diff --git a/sample-docker-templates/php/php7.4/Dockerfile b/sample-docker-templates/php/php7.4/Dockerfile index ddff47d9fe..5d70e73c79 100644 --- a/sample-docker-templates/php/php7.4/Dockerfile +++ b/sample-docker-templates/php/php7.4/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM ubuntu:24.04 RUN apt-get update RUN apt-get -y upgrade From 30b5b0547007acc98d67bc7d628e3bda272f209d Mon Sep 17 00:00:00 2001 From: Badal Kumar Prusty Date: Fri, 23 May 2025 16:16:44 +0530 Subject: [PATCH 7/8] update Dockerfile for non-root user and update latest stable --- sample-docker-templates/django/Dockerfile | 49 +++++++------ .../django/start-server.sh | 33 ++++----- sample-docker-templates/flask/Dockerfile | 71 +++++++++++-------- sample-docker-templates/flask/start.sh | 26 ++----- sample-docker-templates/flask/uwsgi.ini | 9 +-- sample-docker-templates/go/Dockerfile | 44 +++++++----- .../java/Gradle_Dockerfile | 36 ++++++---- sample-docker-templates/java/Maven_Dockerfile | 38 ++++++---- sample-docker-templates/kotlin/Dockerfile | 51 ++++++------- sample-docker-templates/node/Dockerfile | 53 +++++++------- sample-docker-templates/php/Apache_Dockerfile | 21 +++--- sample-docker-templates/php/Nginx_Dockerfile | 30 ++------ sample-docker-templates/php/php7.4/Dockerfile | 24 ++++--- sample-docker-templates/react/Dockerfile | 31 ++++---- sample-docker-templates/rust/Dockerfile | 29 +++++--- 15 files changed, 288 insertions(+), 257 deletions(-) diff --git a/sample-docker-templates/django/Dockerfile b/sample-docker-templates/django/Dockerfile index 688abbccc0..cdd532c72e 100644 --- a/sample-docker-templates/django/Dockerfile +++ b/sample-docker-templates/django/Dockerfile 
@@ -1,13 +1,12 @@ -# Dockerfile - # Base Image -FROM python:3.13 +# Using official python 3.13-slim for smaller footprint and latest stable version +FROM python:3.13-slim -# set default environment variables -ENV PYTHONUNBUFFERED 1 -ENV LANG C.UTF-8 +# Set environment variables for Python behavior +ENV PYTHONUNBUFFERED=1 +ENV LANG=C.UTF-8 -# to take runtime arguments and set env variables +# Accept build arguments for Django superuser creation ARG DJANGO_SUPERUSER_USERNAME ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME} 
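Review bot: The `ARG DJANGO_SUPERUSER_USERNAME` / `ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME}` pair bakes a build argument into the image config, and the next hunk's header context shows the same pattern is applied to `DJANGO_SUPERUSER_PASSWORD`, so the admin password ends up readable through `docker history` and `docker inspect` of every container built from this template. Since `start-server.sh` (later in this patch) only reads these variables at container start, the `ARG`/`ENV` pairs can be dropped and the values supplied at run time instead, e.g. `docker run -e DJANGO_SUPERUSER_PASSWORD=…` or a Kubernetes Secret. If a build-time default for the non-secret username is still wanted, keep only that pair and add a comment such as `# Never pass DJANGO_SUPERUSER_PASSWORD as a build arg: ARG/ENV values are stored in the image`. The password and email `ARG`/`ENV` lines themselves sit outside this hunk.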
@@ -17,32 +16,40 @@ ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD} ARG DJANGO_SUPERUSER_EMAIL ENV DJANGO_SUPERUSER_EMAIL=${DJANGO_SUPERUSER_EMAIL} -# create and set working directory +# Create app directory and assign ownership later to non-root user RUN mkdir /app + WORKDIR /app -RUN chown -R www-data:www-data /app +# Install system dependencies and nginx with minimal packages, no recommends +RUN apt-get update && apt-get install -y --no-install-recommends nginx vim && \ + rm -rf /var/lib/apt/lists/* -# Add current directory code to working directory +# Copy app source code COPY . /app/ -# install environment dependencies -RUN pip install -r requirements.txt +# Install Python dependencies +RUN pip install --no-cache-dir -r requirements.txt -# install nginx -RUN apt-get update && apt-get install nginx vim -y --no-install-recommends +# Create a non-root user 'nonroot' and group, change ownership of /app and nginx logs +RUN groupadd -r nonroot && useradd -r -g nonroot nonroot && \ + chown -R nonroot:nonroot /app /var/log/nginx -#Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/nginx.default for sample nginx.default file +# Copy nginx config file COPY nginx.default /etc/nginx/sites-available/default -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log +# Symlink nginx logs to stdout/stderr for container logging +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log - -# start server +# Expose port 8000 for Django/gunicorn and nginx EXPOSE 8000 +# Use non-root user for better security +USER nonroot + +# Set stop signal for graceful shutdown STOPSIGNAL SIGTERM -# Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/start-server.sh for sample start-server.sh file -CMD ["/app/start-server.sh"] \ No newline at end of file +# Start server script (migrations, superuser creation, gunicorn & nginx) 
+CMD ["/app/start-server.sh"] diff --git a/sample-docker-templates/django/start-server.sh b/sample-docker-templates/django/start-server.sh index fa9671fede..5e59ce4446 100755 --- a/sample-docker-templates/django/start-server.sh +++ b/sample-docker-templates/django/start-server.sh @@ -1,22 +1,15 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2024. Devtron Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# +#!/bin/sh -# start-server.sh -python manage.py migrate -python manage.py createsuperuser --no-input +# Apply DB migrations +python manage.py migrate -(gunicorn DjangoApp.wsgi --user www-data --bind 0.0.0.0:8000 --workers 3) && nginx -g "daemon off;" +# Create superuser if details provided (non-interactive) +if [ -n "$DJANGO_SUPERUSER_USERNAME" ] && [ -n "$DJANGO_SUPERUSER_PASSWORD" ] && [ -n "$DJANGO_SUPERUSER_EMAIL" ]; then + python manage.py createsuperuser --no-input || true +fi + +# Start gunicorn as non-root user binding on all interfaces port 8000, 3 workers +gunicorn DjangoApp.wsgi --user nonroot --bind 0.0.0.0:8000 --workers 3 & + +# Start nginx in foreground +nginx -g "daemon off;" diff --git a/sample-docker-templates/flask/Dockerfile b/sample-docker-templates/flask/Dockerfile index 6d121d760d..bcdcbc6d6b 100644 --- a/sample-docker-templates/flask/Dockerfile +++ b/sample-docker-templates/flask/Dockerfile 
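Review bot: `USER nonroot` is applied before a `CMD` whose script (start-server.sh, in this patch) launches nginx, but the `chown -R nonroot:nonroot /app /var/log/nginx` on the useradd line only covers the logs: Debian's stock `/etc/nginx/nginx.conf` points `pid` at `/run/nginx.pid` and its temp dirs at `/var/lib/nginx`, both root-owned, so the nginx master will most likely exit with a permission error as `nonroot` (only `sites-available/default` is replaced here, and `pid` cannot be set from a server block). Make those paths writable in the same `RUN`, e.g. `chown -R nonroot:nonroot /app /var/log/nginx /var/lib/nginx && touch /run/nginx.pid && chown nonroot:nonroot /run/nginx.pid`, or ship an `nginx.conf` that sets `pid /tmp/nginx.pid;`. Separately, `vim` is a debugging tool with no place in a production image and should come off the `apt-get install` list. `EXPOSE 8000` is also the port gunicorn binds in start-server.sh, so it is worth confirming that `nginx.default` (not visible in this patch) listens elsewhere.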
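Review bot: The script runs as PID 1 (the exec-form `CMD` starts `/bin/sh` directly) but never `exec`s, so the Dockerfile's `STOPSIGNAL SIGTERM` is delivered to a shell that, as PID 1 with no trap, ignores it, and gunicorn — backgrounded with `&` and never waited on — can die without the container noticing. At minimum add `set -e` after the shebang and replace the last line with `exec nginx -g "daemon off;"` so nginx becomes PID 1 and handles shutdown; the cleaner design is gunicorn and nginx in separate containers or under a small supervisor. `createsuperuser --no-input || true` also hides misconfiguration (a wrong `DJANGO_SUPERUSER_*` value only shows up later as a missing admin); `|| echo "createsuperuser failed" >&2` keeps the best-effort behaviour without losing the signal.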
@@ -1,39 +1,50 @@ -#Base Image -FROM python:3.13 - -#Getting System Ready to install dependencies -RUN apt-get clean \ - && apt-get -y update - -#Installing nginx -RUN apt-get -y install nginx \ - && apt-get -y install python3-dev \ - && apt-get -y install build-essential - -#Creating symbolic link for access and error log from nginx -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log - -#Creating a dir in Container -RUN mkdir /app - -#Moving into the directory created +# Base Image - Using python:3.13-slim for reduced image size +FROM python:3.13-slim + +# Set environment variables +ENV PYTHONUNBUFFERED=1 +ENV LANG=C.UTF-8 + +# Install system dependencies (nginx, build tools) without recommended packages to keep image small +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + nginx \ + python3-dev \ + build-essential \ + # Clean up to reduce image size + && rm -rf /var/lib/apt/lists/* + +# Symlink nginx logs to stdout/stderr for containerized log access +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log + +# Create application directory +RUN mkdir -p /app + +# Set working directory WORKDIR /app -#Changing ownership of files in /app -RUN chown -R www-data:www-data /app +# Add application code +COPY . /app/ -#Adding the complete project in dir created -ADD . 
/app/ +# Install Python dependencies +RUN pip install --no-cache-dir -r requirements.txt -#Installing dependencies -RUN pip3 install -r requirements.txt - -# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/nginx.default for sample nginx.default file +# Copy nginx config COPY nginx.default /etc/nginx/sites-available/default -#Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/start.sh for sample start.sh file -#Making start.sh executable +# Make start.sh executable RUN chmod +x ./start.sh +# Create a non-root user and change ownership of /app to that user +RUN groupadd -r nonroot && useradd -r -g nonroot nonroot && \ + chown -R nonroot:nonroot /app /var/log/nginx + +# Expose port 80 (used by nginx) +EXPOSE 80 + +# Switch to non-root user for better container security +USER nonroot + +# Run app with start.sh CMD ["./start.sh"] diff --git a/sample-docker-templates/flask/start.sh b/sample-docker-templates/flask/start.sh index ef72c97d44..777905edea 100644 --- a/sample-docker-templates/flask/start.sh +++ b/sample-docker-templates/flask/start.sh 
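Review bot: With `USER nonroot` and `EXPOSE 80` (the comment says nginx serves on 80), nginx must bind a privileged port and write its pid file and temp dirs — `/run/nginx.pid` and `/var/lib/nginx` under Debian's packaged config — none of which the `chown -R nonroot:nonroot /app /var/log/nginx` line covers, so the container is unlikely to start as-is, and under Kubernetes (`runAsNonRoot` without `NET_BIND_SERVICE`) the port alone is fatal. Move the listener in `nginx.default` to an unprivileged port, change to `EXPOSE 8080`, and extend the chown to `/var/lib/nginx` plus a writable pid path (`touch /run/nginx.pid && chown nonroot:nonroot /run/nginx.pid`). The final image also keeps `build-essential` and `python3-dev`, which only `pip install` needs; a build stage, or removing them in the same `RUN` after pip, keeps compilers out of the runtime image. The contents of `nginx.default` are not in this patch, so the port-80 claim is inferred from the `EXPOSE` comment.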
@@ -1,22 +1,8 @@ -#!/usr/bin/env bash -# -# Copyright (c) 2024. Devtron Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -service nginx start -# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/uwsgi.ini for sample uwsgi.ini file -uwsgi --ini uwsgi.ini +#!/bin/bash +set -e +# Start nginx in the background +nginx +# Start uwsgi with provided ini config +exec uwsgi --ini uwsgi.ini diff --git a/sample-docker-templates/flask/uwsgi.ini b/sample-docker-templates/flask/uwsgi.ini index 9d73c94025..df30ced52f 100644 --- a/sample-docker-templates/flask/uwsgi.ini +++ b/sample-docker-templates/flask/uwsgi.ini @@ -1,14 +1,15 @@ [uwsgi] module = app:app -uid = www-data -gid = www-data + master = true processes = 5 socket = /tmp/uwsgi.socket -chmod-sock = 664 +chmod-socket = 664 vacuum = true die-on-term = true - +# Run as non-root user +uid = nonroot +gid = nonroot diff --git a/sample-docker-templates/go/Dockerfile b/sample-docker-templates/go/Dockerfile index d3471013af..5cb93d47bd 100644 --- a/sample-docker-templates/go/Dockerfile +++ b/sample-docker-templates/go/Dockerfile 
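Review bot: The bare `nginx` on the third line forks a daemonized master that nothing in this script supervises: once `exec uwsgi --ini uwsgi.ini` replaces the shell as PID 1, an nginx crash leaves a container that keeps running but serves nothing, and `set -e` only catches a failed launch. Given that the flask Dockerfile in this patch switches to `USER nonroot`, the launch itself will also fail unless nginx's pid and temp paths were made writable — at least `set -e` will surface that. One process per container (nginx as a separate container reaching `/tmp/uwsgi.socket` through a shared volume) removes the unsupervised daemon; if both must stay together, run nginx with `-g "daemon off;"` under a supervisor such as supervisord rather than backgrounding it.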
@@ -1,35 +1,41 @@ -################################# Build Container ############################### +################################# Build Container ################################# -FROM golang:1.23 AS builder +# Use the latest stable Go image for building +FROM golang:1.22.3 AS builder -# Setup the working directory +# Set working directory inside the container WORKDIR /app -# COPY go module -COPY go.mod go.sum /app/ - -# Download go modules and cache for next time build +# Copy Go module files and download dependencies +COPY go.mod go.sum ./ RUN go mod download -# Add source code -ADD . /app/ +# Copy the entire source code into the container +COPY . . -# Build the source +# Build the Go binary with CGO disabled for static linking RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main app.go -################################# Prod Container ################################# +################################# Production Container ############################ + +# Use a minimal and secure Alpine base image +FROM alpine:3.20 -# Use a minimal alpine image -FROM alpine:3.21 +# Install CA certificates (for HTTPS calls) +RUN apk --no-cache add ca-certificates -# Add ca-certificates in case you need them -RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* +# Create a non-root user and switch to it +RUN adduser -D -g '' nonroot +USER nonroot # Set working directory -WORKDIR /root +WORKDIR /home/nonroot -# Copy the binary from builder +# Copy the compiled binary from the builder stage COPY --from=builder /app/main . -# Run the binary -CMD ["./main"] \ No newline at end of file +# Expose port if your app serves over a specific port (optional) +# EXPOSE 8080 + +# Start the application +CMD ["./main"] diff --git a/sample-docker-templates/java/Gradle_Dockerfile b/sample-docker-templates/java/Gradle_Dockerfile index 0fd259a9a6..ed7a69fed3 100644 --- a/sample-docker-templates/java/Gradle_Dockerfile 
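Review bot: `FROM golang:1.22.3 AS builder` is a downgrade — patches 1 and 2 of this series moved the builder to `golang:1.23`, and `alpine:3.20` likewise steps back from the `alpine:3.21` set in patch 2 — while the new comments claim "latest stable"; 1.22.3 is one patch release that later 1.22.x security releases superseded, so a pin should be the newest patch, not an older one. Restore `FROM golang:1.23 AS builder` and `FROM alpine:3.21`, ideally with a digest. The rest of the hunk is sound: the binary lands root-owned in `/home/nonroot`, which is what you want (the running user can execute but not overwrite it), and `apk --no-cache add ca-certificates` replaces the stale `apk update` dance. `-installsuffix cgo` has been unnecessary since Go 1.10's build cache and can be dropped from the build line.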
+++ b/sample-docker-templates/java/Gradle_Dockerfile @@ -1,31 +1,37 @@ ################################# Build Container ############################### -# Base Image of Build Container +# Use latest Gradle with JDK 21 and Alpine for minimal size and speed FROM gradle:8.13.0-jdk21-alpine AS build -# Changing the ownership of file and copying files in container +# Set working directory and ensure proper permissions COPY --chown=gradle:gradle . /home/gradle/src - -# Moving into workdir WORKDIR /home/gradle/src -# Compiling & building the code +# Build the application without using the Gradle daemon RUN gradle build --no-daemon ################################# Prod Container ################################# -# Base Image for Prod Container -FROM openjdk:21-jdk-slim - +# Use a minimal JDK base image for production +FROM eclipse-temurin:21-jdk-jammy -# Exposing Port of this container -EXPOSE 8080 +# Create a non-root user to run the app securely +RUN useradd -m -s /bin/bash nonroot -# Creating a dir -RUN mkdir /app +# Set the working directory +WORKDIR /app -# Copying only the jar files created before +# Copy the JAR file from the build stage COPY --from=build /home/gradle/src/build/libs/*.jar /app/demo.jar -# Uncomment if you want to run default commands during the initialization of this container -# CMD ["java","-jar","/app/demo.jar"] \ No newline at end of file +# Set ownership of the jar file +RUN chown nonroot:nonroot /app/demo.jar + +# Switch to non-root user +USER nonroot + +# Expose the application port +EXPOSE 8080 + +# Run the jar file +CMD ["java", "-jar", "/app/demo.jar"] diff --git a/sample-docker-templates/java/Maven_Dockerfile b/sample-docker-templates/java/Maven_Dockerfile index 84c4e062e1..774d485afd 100644 --- a/sample-docker-templates/java/Maven_Dockerfile +++ b/sample-docker-templates/java/Maven_Dockerfile 
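Review bot: `FROM eclipse-temurin:21-jdk-jammy` is commented as "a minimal JDK base image for production", but a packaged application only needs the runtime — `eclipse-temurin:21-jre-jammy` drops `javac`, `jshell`, `jdb` and the rest of the toolchain from the attack surface and is noticeably smaller; before patch 3 of this series the prod stage used a JRE image (`openjdk:8-jre-slim`). The `RUN chown nonroot:nonroot /app/demo.jar` step makes the jar writable by the account that runs it; the root-owned 0644 file that `COPY` produces is all `java -jar` needs and prevents the process from modifying its own code, so the chown can go. `useradd -m -s /bin/bash nonroot` gives a service account a login shell and a home; `useradd -r -M -s /usr/sbin/nologin nonroot` is the least-privilege form (patch 8 in this series rewrites this line again, so whichever form lands, prefer the nologin shell).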
@@ -1,33 +1,45 @@ ################################# Build Container ############################### -# Base Image for Build Container +# Use latest Maven with Amazon Corretto 21 on Debian for consistent build environment FROM maven:3.9.9-amazoncorretto-21-debian as base -# Moving into working directory +# Set working directory inside container WORKDIR /build -# Copying pom.xml file initially for caching +# Copy pom.xml separately to leverage Docker cache for dependencies COPY pom.xml . -# Downloading Dependencies +# Download dependencies for offline use RUN mvn dependency:go-offline -# Copying files to /build/src/ inside container +# Copy the source code to container COPY src/ /build/src/ -# Building package +# Build the project and package the application RUN mvn clean package ################################# Prod Container ################################# -# Base Image for Prod Container -FROM openjdk:21-jdk-slim +# Use a slim OpenJDK 21 image based on Debian for production +FROM eclipse-temurin:21-jdk-jammy -# Exposing Port of this new container -EXPOSE 8080 +# Create a non-root user 'nonroot' for security best practices +RUN useradd -m -s /bin/bash nonroot + +# Set working directory +WORKDIR /app -# Copying the executable jar file build on previous container +# Copy the built jar from build stage COPY --from=base /build/target/*.jar /app/demo.jar -# Uncomment if you want to run default commands during the initialization of this container -# CMD ["java","-jar","/app/demo.jar"] \ No newline at end of file +# Change ownership to non-root user +RUN chown nonroot:nonroot /app/demo.jar + +# Switch to non-root user +USER nonroot + +# Expose the port the app listens on +EXPOSE 8080 + +# Default command to run the jar file +CMD ["java", "-jar", "/app/demo.jar"] diff --git a/sample-docker-templates/kotlin/Dockerfile b/sample-docker-templates/kotlin/Dockerfile index 198db63704..ca63ec6ce2 100644 --- a/sample-docker-templates/kotlin/Dockerfile 
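Review bot: The prod-stage comment says "a slim OpenJDK 21 image based on Debian", but `eclipse-temurin:21-jdk-jammy` is a full Temurin JDK on Ubuntu 22.04; for running a jar, `eclipse-temurin:21-jre-jammy` is the right variant (smaller, no compiler tooling) and the comment should name what is actually used. The build stage keeps `as base` in lowercase while the Go template in this same patch uses `AS builder`; BuildKit's `FromAsCasing` check flags the mismatch, so use `FROM maven:3.9.9-amazoncorretto-21-debian AS base`. As in the Gradle file, `RUN chown nonroot:nonroot /app/demo.jar` is unnecessary — a root-owned, world-readable jar is all `java -jar` needs and keeps the service account from rewriting its own code. `COPY --from=base /build/target/*.jar /app/demo.jar` will also fail if the build emits more than one jar (an `-original` jar next to a shaded one, for instance), since a multi-source `COPY` needs a directory destination; copying the explicit artifact name is safer.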
+++ b/sample-docker-templates/kotlin/Dockerfile 
@@ -1,41 +1,44 @@ -# Using Base image -FROM alpine:latest +# Use specific Alpine version (3.21) for stability and reproducibility +FROM alpine:3.21 -# Build args +# Metadata args for build info (optional) ARG VCS_REF ARG BUILD_DATE -# Setting resource quota +# Setting resource quota args (optional, for your usage) ARG MIN_MEM=2G ARG MAX_MEM=2G -RUN apk add --update bash && \ - apk fetch openjdk8 && \ - apk add --no-cache openjdk8; +# Install required packages: bash, openjdk8, unzip, build-base, wget +RUN apk add --no-cache bash openjdk8 unzip build-base wget -RUN apk add --no-cache build-base wget && \ - cd /usr/lib && \ - # Installing Kotlin compiler in zip file - wget 'https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip' && \ - # Unzipping the downloaded zip file - unzip kotlin-compiler-*.zip && \ - rm kotlin-compiler-*.zip && \ - rm -f kotlinc/bin/*.bat; +# Download and install Kotlin compiler +RUN cd /usr/lib && \ + wget https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip && \ + unzip kotlin-compiler-1.3.72.zip && \ + rm kotlin-compiler-1.3.72.zip && \ + rm -f kotlinc/bin/*.bat -# Setting up environmental variable path -ENV PATH $PATH:/usr/lib/kotlinc/bin +# Add Kotlin compiler to PATH +ENV PATH="/usr/lib/kotlinc/bin:${PATH}" -# Making a directory named 'app' in the container -RUN mkdir app +# Create app directory and set permissions +RUN mkdir /app -# Copying 'app.kt' from 'app' folder on host to recently created 'app' folder in container -COPY app/app.kt /app +# Copy source code into container +COPY app/app.kt /app/ # Set working directory WORKDIR /app -# Compiling source +# Create a non-root user 'nonroot' and assign ownership of /app to it +RUN adduser -D nonroot && chown -R nonroot:nonroot /app + +# Switch to non-root user +USER nonroot + +# Compile Kotlin source to jar RUN kotlinc app.kt -include-runtime -d app.jar -# Execution -CMD ["java","-jar","./app.jar"] \ No newline at end of 
file +# Run the compiled jar +CMD ["java", "-jar", "./app.jar"] diff --git a/sample-docker-templates/node/Dockerfile b/sample-docker-templates/node/Dockerfile index a233a8952d..86ef2d9c20 100644 --- a/sample-docker-templates/node/Dockerfile +++ b/sample-docker-templates/node/Dockerfile 
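Review bot: The `wget https://github.com/JetBrains/kotlin/releases/download/v1.3.72/kotlin-compiler-1.3.72.zip` line still installs a compiler with no integrity check — TLS protects the transport, not the artifact — so a substituted or tampered release would be unpacked into `/usr/lib` and used to build the app. Verify the archive against the SHA-256 published with the GitHub release before unpacking, e.g. `echo "<sha256 from the release page>  kotlin-compiler-1.3.72.zip" | sha256sum -c -` between the `wget` and `unzip` lines, or use BuildKit's `ADD --checksum=sha256:… <url> /usr/lib/`. Kotlin 1.3.72 dates from 2020 and `openjdk8` is a legacy runtime, so the "stability and reproducibility" comment on `FROM alpine:3.21` overstates what this hunk achieves. Because the image is single-stage, `build-base`, `wget`, `unzip` and the compiler all ship in the runtime image; a `kotlinc` build stage with only `openjdk8-jre` and `app.jar` copied into the final stage would fix that.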
@@ -1,35 +1,38 @@ -# Base Image -FROM node:22.14.0 +# Use a smaller, secure, and stable Node.js image +FROM node:22-alpine -# Seeting up env as production +# Set environment as production ENV NODE_ENV=production -#Getting System Ready to install dependencies -RUN apt-get clean \ - && apt-get -y update - -# Installing nginx -RUN apt-get -y install nginx \ - && apt-get -y install python3-dev \ - && apt-get -y install build-essential +# Install necessary packages: nginx only +RUN apk update && apk add --no-cache nginx -# Creating symbolic link for access and error log from nginx -RUN ln -sf /dev/stdout /var/log/nginx/access.log \ - && ln -sf /dev/stderr /var/log/nginx/error.log +# Create app directory and give access to non-root user +WORKDIR /app +# Copy app files +COPY . /app/ -# Making /app dir as working dir -WORKDIR /app +# Use COPY instead of ADD (best practice) +COPY nginx.default /etc/nginx/http.d/default.conf + +# Install production dependencies +RUN npm install --production && \ + npm i -g pm2 + +# Create non-root user and assign directory +RUN addgroup -S nonroot && adduser -S nonroot -G nonroot && \ + chown -R nonroot:nonroot /app /var/log/nginx -# Adding complete files and dirs in app dir in container -ADD . /app/ +# Expose port 80 for nginx +EXPOSE 80 -# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/node/nginx.default for sample nginx.default -COPY nginx.default /etc/nginx/sites-available/default +# Use non-root user for container execution +USER nonroot -# Installing dependencies -RUN npm install --production -RUN npm i -g pm2 +# Create symlinks for nginx logs (optional, but helpful for logging) +RUN ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log -# Starting Server -CMD ["sh", "-c", "service nginx start ; pm2-runtime src/index.js -i 0"] \ No newline at end of file +# Start nginx and node app properly +CMD ["sh", "-c", "nginx && pm2-runtime src/index.js -i 0"] 
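Review bot: `USER nonroot` is set before a `CMD` that runs `nginx`, but Alpine's packaged nginx writes `/run/nginx/nginx.pid` and its temp dirs under `/var/lib/nginx`, the copied `default.conf` in `/etc/nginx/http.d/` cannot change `pid` (a main-context directive), and `EXPOSE 80` suggests a privileged listener; with only `/app /var/log/nginx` chowned, the `nginx` in `sh -c "nginx && pm2-runtime …"` will most likely fail as `nonroot`, and under Kubernetes the port alone is enough to fail. Extend the setup line to `mkdir -p /run/nginx && chown -R nonroot:nonroot /app /var/log/nginx /var/lib/nginx /run/nginx` and listen on 8080 in the nginx config, or drop nginx from this image and front the Node process with a separate container. The dependency install should be `npm ci --omit=dev` against a lockfile rather than `npm install --production` (a deprecated alias that does not enforce `package-lock.json`), and `apk update` is redundant next to `apk add --no-cache`. Patch 8 of this series rewrites this file again, but that hunk is cut off at the end of SOURCE, so I cannot tell whether it addresses any of this.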
diff --git a/sample-docker-templates/php/Apache_Dockerfile b/sample-docker-templates/php/Apache_Dockerfile index 66d9b684b8..b5dfe4133a 100644 --- a/sample-docker-templates/php/Apache_Dockerfile +++ b/sample-docker-templates/php/Apache_Dockerfile @@ -1,16 +1,17 @@ -# Base Image -FROM php:7-apache +# Using latest stable PHP with Apache (8.2) +FROM php:8.2-apache -# Enabling modules from /etc/apache2/mods-available to /etc/apache2/mods-enabled +# Enable apache mod_rewrite RUN a2enmod rewrite -# Restarting apache2 server -RUN /etc/init.d/apache2 restart +# Give ownership of /var/www/html to non-root user +RUN useradd -m nonroot && chown -R nonroot:www-data /var/www/html -# Giving ownship of html dir to www-data user -RUN chown -R www-data:www-data /var/www/html +# Copy application source code +COPY --chown=nonroot:www-data . /var/www/html/ +# Switch to non-root user for security +USER nonroot -# Copy application source -COPY . /var/www/html/ - +# Apache runs as www-data internally, so no need to restart here +# CMD is inherited from base image and will run apache2 in foreground by default diff --git a/sample-docker-templates/php/Nginx_Dockerfile b/sample-docker-templates/php/Nginx_Dockerfile index 1a925599af..5e4cb4edc7 100644 --- a/sample-docker-templates/php/Nginx_Dockerfile +++ b/sample-docker-templates/php/Nginx_Dockerfile 
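Review bot: `USER nonroot` will break the inherited entrypoint: `php:8.2-apache`'s `apache2-foreground` starts the master as root so it can bind port 80 and write `/var/run/apache2` and `/var/lock/apache2`, then drops the worker processes to `www-data` — which is what the last comment line in this hunk itself says — so with this change the container fails to start with a permission error rather than running more securely. Either remove the `RUN useradd -m nonroot …` and `USER nonroot` lines and rely on the image's own privilege drop, keeping the docroot root-owned and group-readable (`COPY --chown=root:www-data . /var/www/html/`), or do a real unprivileged setup: `Listen 8080` in the Apache config, chown `/var/run/apache2 /var/lock/apache2 /var/log/apache2` to `www-data`, then `USER www-data` and `EXPOSE 8080`. Giving the docroot to `nonroot` — the very user Apache would now run as — also lets a PHP-level bug rewrite the application's own files; a root-owned, group-readable docroot is the safer default.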
@@ -1,31 +1,15 @@ -# base image -FROM ubuntu:16.04 +# Use Ubuntu 24.04 LTS as base image for latest stable environment +FROM ubuntu:24.04 -# update & install system -RUN apt-get update -RUN apt-get -y upgrade +RUN apt-get update && apt-get upgrade -y && \ + apt-get install -y php8.2 php8.2-cli php8.2-fpm nginx && \ + apt-get clean && rm -rf /var/lib/apt/lists/* -# installing packages -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.0 \ - php7.0-cli \ - php-fpm - -RUN DEBIAN_FRONTEND="noninteractive" apt-get install -y nginx-full - -# copying nginx conf to its path +# Copy configs, code, etc. COPY nginx-site.conf /etc/nginx/sites-available/default - -# setting working dir WORKDIR /var/www/html/ - -# creating nested dir where fpm service would be found -RUN mkdir -p /run/php - -# copying static files to location COPY . /var/www/html -# service exposed EXPOSE 80 -# executing command -CMD ["/bin/bash", "-c", "service php7.0-fpm start && nginx -g \"daemon off;\""] \ No newline at end of file +CMD ["/bin/bash", "-c", "service php8.2-fpm start && nginx -g 'daemon off;'"] diff --git a/sample-docker-templates/php/php7.4/Dockerfile b/sample-docker-templates/php/php7.4/Dockerfile index 5d70e73c79..8a2fd72567 100644 --- a/sample-docker-templates/php/php7.4/Dockerfile +++ b/sample-docker-templates/php/php7.4/Dockerfile 
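Review bot: `apt-get install -y php8.2 php8.2-cli php8.2-fpm nginx` on `ubuntu:24.04` will most likely fail with "Unable to locate package php8.2": Noble's archive ships PHP 8.3 and carries no `php8.2` packages (those need a third-party PPA), so the install line should read `php8.3 php8.3-cli php8.3-fpm nginx` and the `CMD` should start `php8.3-fpm`. The hunk also drops the `DEBIAN_FRONTEND=noninteractive` the old lines had — php packages pull in tzdata, whose debconf prompt can stall a build — while the sibling `php7.4/Dockerfile` in this same patch sets it; use the inline form `RUN DEBIAN_FRONTEND=noninteractive apt-get update && …` so it does not leak into the runtime env. Despite the commit title ("non-root user"), this file still runs php-fpm and nginx as root with no `USER`, and the removed `mkdir -p /run/php` was where fpm placed its socket and pid — worth confirming the 24.04 init script creates it. `apt-get upgrade -y` inside an image is better replaced by bumping the base tag or digest.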
@@ -1,16 +1,18 @@ FROM ubuntu:24.04 -RUN apt-get update -RUN apt-get -y upgrade +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update && apt-get -y upgrade && \ + apt-get install -y --no-install-recommends \ + php8.2 \ + php8.2-cli \ + php8.2-fpm \ + php8.2-mysql \ + php8.2-curl \ + net-tools \ + nginx && \ + apt-get clean && rm -rf /var/lib/apt/lists/* -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y --fix-missing php7.4 \ - php7.4-cli \ - php-fpm \ - php7.4-mysql \ - php7.4-curl \ - net-tools - -RUN DEBIAN_FRONTEND="noninteractive" apt-get install -y nginx-full ADD nginx-site.conf /etc/nginx/sites-available/default WORKDIR /var/www/html/ @@ -21,4 +23,4 @@ COPY . /var/www/html EXPOSE 80 -CMD ["/bin/bash", "-c", "service php7.4-fpm start && nginx -g \"daemon off;\""] \ No newline at end of file +CMD ["/bin/bash", "-c", "service php8.2-fpm start && nginx -g 'daemon off;'"] diff --git a/sample-docker-templates/react/Dockerfile b/sample-docker-templates/react/Dockerfile index 37adc438cf..d2a5b9be22 100644 --- a/sample-docker-templates/react/Dockerfile +++ b/sample-docker-templates/react/Dockerfile 
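Review bot: Same problem as the Nginx_Dockerfile in this patch: `ubuntu:24.04` ships PHP 8.3, so `php8.2 php8.2-cli php8.2-fpm php8.2-mysql php8.2-curl` are not in its archive and `apt-get install` should fail; use the `php8.3-*` package names (and `service php8.3-fpm start` in the `CMD` hunk below), and note the template now lives in a directory named `php7.4` while installing 8.x, which will mislead anyone picking a template by path. `ENV DEBIAN_FRONTEND=noninteractive` is build-only configuration that this line bakes into every container's environment; make it `ARG DEBIAN_FRONTEND=noninteractive` or prefix the `RUN` instead. `ADD nginx-site.conf …` below the install block should be `COPY` (no archive extraction or URL is involved), and — contrary to the commit title — the file has no `USER`, so nginx and php-fpm still run as root.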
@@ -1,33 +1,40 @@ ###### BUILD ENVIRONMENT ###### -# Base Image +# Use official Node.js LTS base image for building React app FROM node:22.14.0 as build -# Moving into working directory +# Set working directory WORKDIR /app -# Adding all files and dirs to /app inside container -ADD . /app/ +# Copy all source files to container +COPY . /app/ -# Installing dependencies +# Install dependencies RUN npm install -# Creating Production build for react-app +# Create production build of React app RUN npm run build -# In this dockerfile using the concept of docker multistage build ###### PRODUCTION ENVIRONMENT ###### -# Base Image for prod env +# Use official stable nginx Alpine image (small and secure) FROM nginx:stable-alpine -# Adding the build files from previous container to nginx/html +# Create a non-root user and group 'nonroot' for security best practice +RUN addgroup -S nonroot && adduser -S nonroot -G nonroot + +# Copy React build files from build stage to nginx html folder COPY --from=build /app/build /usr/share/nginx/html -# Exposing port 80 to listen http requests +# Change ownership to nonroot user to avoid running as root inside container +RUN chown -R nonroot:nonroot /usr/share/nginx/html + +# Switch to non-root user +USER nonroot + +# Expose port 80 for HTTP EXPOSE 80 -# Command to run +# Run nginx in foreground CMD ["nginx", "-g", "daemon off;"] - diff --git a/sample-docker-templates/rust/Dockerfile b/sample-docker-templates/rust/Dockerfile index 97e7454de0..720322d5bf 100644 --- a/sample-docker-templates/rust/Dockerfile +++ b/sample-docker-templates/rust/Dockerfile 
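Review bot: `USER nonroot` on `nginx:stable-alpine` will stop the container from starting: the image's `nginx.conf` writes `/var/run/nginx.pid` and `/var/cache/nginx/*` as the launching user and its `default.conf` listens on 80, and only `/usr/share/nginx/html` is chowned here, so the master exits with a permission error as `nonroot`. The supported path is the nginx project's unprivileged variant, `FROM nginxinc/nginx-unprivileged:stable-alpine` with `EXPOSE 8080` (it already runs as uid 101 on port 8080, so the `addgroup`/`adduser`/`USER` lines go away); the alternative is to chown `/var/cache/nginx /var/run`, set `pid /tmp/nginx.pid;` and use a non-privileged `listen`. `RUN chown -R nonroot:nonroot /usr/share/nginx/html` also gives the serving user write access to the static bundle; root-owned 0644 files are readable by nginx and cannot be altered by it. The build stage should use `npm ci` rather than `npm install` to honour the lockfile. The diffstat of patch 8 shows this file rewritten again, but that hunk is outside SOURCE.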
@@ -1,25 +1,34 @@
-# Using Base image
-FROM alpine:latest
+# Use a specific Alpine version for stability instead of 'latest'
+FROM alpine:3.21
-#Build args
+# Build args for metadata (optional, can be used for labels)
 ARG VCS_REF
 ARG BUILD_DATE
-# Setting resource quota
+# Set resource quota as environment variables (optional usage)
 ARG MIN_MEM=2G
 ARG MAX_MEM=2G
-# Installing rust and making a folder named 'src' into it
+# Install rust compiler and related tools, and create working dir
 RUN apk add --no-cache rust && mkdir /src
-# Copying 'main.rs' from 'src' folder on host to recently created 'src' folder in container
+# Copy source code into container
 COPY src/main.rs /src
 # Set working directory
 WORKDIR /src
-#Compiling source
+# Compile Rust source to binary 'main'
 RUN rustc main.rs
-#Execution
-CMD ["./main"]
\ No newline at end of file
+# Create non-root user for security
+RUN addgroup -S nonroot && adduser -S nonroot -G nonroot
+
+# Change ownership of the compiled binary
+RUN chown nonroot:nonroot /src/main
+
+# Switch to non-root user
+USER nonroot
+
+# Run the compiled binary
+CMD ["./main"]
From 474826da34db2d25a75420ac3afc032e0fe1dc48 Mon Sep 17 00:00:00 2001
From: Badal Kumar Prusty
Date: Fri, 23 May 2025 19:13:41 +0530
Subject: [PATCH 8/8] update dockerfile and nginx.conf
---
 .../java/Gradle_Dockerfile | 2 +-
 sample-docker-templates/java/Maven_Dockerfile | 2 +-
 sample-docker-templates/node/Dockerfile | 39 ++++++++------
 .../node/nginx-default.conf | 34 ++++++++++++
 sample-docker-templates/node/nginx.conf | 23 ++++++++
 sample-docker-templates/node/nginx.default | 17 ------
 sample-docker-templates/react/Dockerfile | 53 ++++++++++---------
 7 files changed, 109 insertions(+), 61 deletions(-)
 create mode 100644 sample-docker-templates/node/nginx-default.conf
 create mode 100644 sample-docker-templates/node/nginx.conf
 delete mode 100644 sample-docker-templates/node/nginx.default
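Review bot: The runtime image still carries the whole `rust` toolchain (`apk add --no-cache rust` is kept on the new side), so the shipped container has the size and attack surface of a build box even though it only needs to run `./main`; a builder stage that compiles and a clean `alpine:3.21` stage that receives the binary keeps the new non-root setup while dropping the compiler, as sketched below (check `ldd /src/main` for shared libraries the runtime stage must still install). `ARG VCS_REF`, `ARG BUILD_DATE`, `ARG MIN_MEM` and `ARG MAX_MEM` are declared but nothing in the file reads them, and the new comment `Set resource quota as environment variables (optional usage)` is misleading because `ARG` values never reach the running container; either add the `LABEL`/`ENV` that uses them or remove them. The separate `RUN chown nonroot:nonroot /src/main` can become a `--chown` on the copy once the binary comes from another stage.
```dockerfile
FROM alpine:3.21 AS builder
RUN apk add --no-cache rust
WORKDIR /src
COPY src/main.rs /src
RUN rustc main.rs

FROM alpine:3.21
# … unchanged: ARG declarations, addgroup/adduser for nonroot …
COPY --from=builder --chown=nonroot:nonroot /src/main /src/main
WORKDIR /src
USER nonroot
CMD ["./main"]
```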
diff --git a/sample-docker-templates/java/Gradle_Dockerfile b/sample-docker-templates/java/Gradle_Dockerfile
index ed7a69fed3..96df2f0f79 100644
--- a/sample-docker-templates/java/Gradle_Dockerfile
+++ b/sample-docker-templates/java/Gradle_Dockerfile
@@ -16,7 +16,7 @@ RUN gradle build --no-daemon
 FROM eclipse-temurin:21-jdk-jammy
 # Create a non-root user to run the app securely
-RUN useradd -m -s /bin/bash nonroot
+RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot
 # Set the working directory
 WORKDIR /app
diff --git a/sample-docker-templates/java/Maven_Dockerfile b/sample-docker-templates/java/Maven_Dockerfile
index 774d485afd..ce8e6398bf 100644
--- a/sample-docker-templates/java/Maven_Dockerfile
+++ b/sample-docker-templates/java/Maven_Dockerfile
@@ -24,7 +24,7 @@ RUN mvn clean package
 FROM eclipse-temurin:21-jdk-jammy
 # Create a non-root user 'nonroot' for security best practices
-RUN useradd -m -s /bin/bash nonroot
+RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot
 # Set working directory
 WORKDIR /app
diff --git a/sample-docker-templates/node/Dockerfile b/sample-docker-templates/node/Dockerfile
index 86ef2d9c20..746403165d 100644
--- a/sample-docker-templates/node/Dockerfile
+++ b/sample-docker-templates/node/Dockerfile
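Review bot: The new `RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot` uses BusyBox/Alpine option spellings, but this stage is `eclipse-temurin:21-jdk-jammy`, an Ubuntu image whose `adduser`/`addgroup` are Debian's Perl wrappers taking `--gid`/`--uid`/`--ingroup`/`--system`, so I expect this step to fail the build; the same line is in the Maven_Dockerfile hunk below on this line. The `useradd` form the commit removes works on Ubuntu and can carry the fixed ids, e.g. `RUN groupadd --gid 2002 nonroot && useradd --uid 2002 --gid 2002 --create-home --shell /usr/sbin/nologin nonroot`, which keeps the home directory the old `-m` created and that the JVM and its tools may write under. The stable numeric ids are the right idea for `runAsNonRoot` checks; it is only the tool syntax that does not match the base image.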
@@ -1,38 +1,43 @@
-# Use a smaller, secure, and stable Node.js image
+# Use a minimal Node.js base image
 FROM node:22-alpine
-# Set environment as production
+# Set environment for production
 ENV NODE_ENV=production
 # Install necessary packages: nginx only
 RUN apk update && apk add --no-cache nginx
-# Create app directory and give access to non-root user
+# Set working directory
 WORKDIR /app
-# Copy app files
-COPY . /app/
+# Copy application code
+COPY . .
-# Use COPY instead of ADD (best practice)
-COPY nginx.default /etc/nginx/http.d/default.conf
+# Main global config
+COPY nginx.conf /etc/nginx/nginx.conf
+
+# Default server/site config
+COPY nginx-default.conf /etc/nginx/http.d/default.conf
 # Install production dependencies
-RUN npm install --production && \
+RUN npm install --production --prefer-offline --no-audit && \
 npm i -g pm2
-# Create non-root user and assign directory
-RUN addgroup -S nonroot && adduser -S nonroot -G nonroot && \
- chown -R nonroot:nonroot /app /var/log/nginx
+# Create non-root user and set permissions
+RUN addgroup -g 2002 nonroot && \
+ adduser -u 2002 -G nonroot -S nonroot && \
+ mkdir -p /var/lib/nginx/tmp/client_body && \
+ chown -R nonroot:nonroot /app /var/log/nginx /var/lib/nginx
-# Expose port 80 for nginx
-EXPOSE 80
+# Expose port 8080
+EXPOSE 8080
-# Use non-root user for container execution
+# Switch to non-root user
 USER nonroot
-# Create symlinks for nginx logs (optional, but helpful for logging)
+# Link logs to stdout/stderr
 RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
 ln -sf /dev/stderr /var/log/nginx/error.log
-# Start nginx and node app properly
-CMD ["sh", "-c", "nginx && pm2-runtime src/index.js -i 0"]
+# Start your app listening on port 8080
+CMD ["sh", "-c", "nginx && pm2-runtime src/index.js -i 0 --port=8080"]
\ No newline at end of file
diff --git a/sample-docker-templates/node/nginx-default.conf b/sample-docker-templates/node/nginx-default.conf
new file mode 100644
index 0000000000..fd1cac68a1
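Review bot: The new CMD appends `--port=8080` to `pm2-runtime src/index.js -i 0`, but the server block copied in this same hunk (`nginx-default.conf`) listens on 8080 itself and proxies to `127.0.0.1:3000`, so an app that honours the flag collides with nginx on 8080 and an app that listens on 3000 ignores it; I am also not sure pm2-runtime accepts an unknown `--port` option rather than rejecting it. Drop the flag, say in the comment that the app must listen on 3000 (the upstream nginx proxies to), and exec the foreground process so it becomes PID 1: `CMD ["sh", "-c", "nginx && exec pm2-runtime src/index.js -i 0"]`. `npm install --production` is a deprecated spelling on the npm that ships with node 22 and is not reproducible; `npm ci --omit=dev` against a lockfile is, and `npm i -g pm2` should pin a version. `COPY . .` followed by `chown -R nonroot:nonroot /app` stores the tree twice, which `COPY --chown=nonroot:nonroot . .` avoids, and `apk update` is redundant next to `apk add --no-cache`.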
--- /dev/null
+++ b/sample-docker-templates/node/nginx-default.conf
@@ -0,0 +1,34 @@
+# This contains a server block defining how a specific domain/route should be handled.
+# nginx-default.conf
+
+# To allow a non-root container process to bind to privileged ports (e.g., 80 or 443),
+# you need to add the NET_BIND_SERVICE capability to the security context:
+#
+# securityContext:
+# allowPrivilegeEscalation: false
+# capabilities:
+# add:
+# - NET_BIND_SERVICE
+# drop:
+# - ALL
+#
+# Since adding capabilities may reduce security or require extra setup in Kubernetes,
+# it's simpler and safer to use an unprivileged port like 8080 for your app.
+
+
+server {
+ listen 8080;
+ listen [::]:8080;
+ root /app;
+ server_name localhost;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://127.0.0.1:3000;
+ }
+
+}
\ No newline at end of file
diff --git a/sample-docker-templates/node/nginx.conf b/sample-docker-templates/node/nginx.conf
new file mode 100644
index 0000000000..40a22b8fa2
--- /dev/null
+++ b/sample-docker-templates/node/nginx.conf
@@ -0,0 +1,23 @@
+# This is the global Nginx configuration file (typically contains user, worker_processes, http block, etc.)
+# /etc/nginx/nginx.conf
+
+# user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log notice;
+pid /tmp/nginx.pid;
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ sendfile on;
+ keepalive_timeout 65;
+
+ include /etc/nginx/http.d/*.conf;
+}
diff --git a/sample-docker-templates/node/nginx.default b/sample-docker-templates/node/nginx.default
deleted file mode 100644
index 831c838473..0000000000
--- a/sample-docker-templates/node/nginx.default
+++ /dev/null
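Review bot: `root /app;` in the new server block points nginx's document root at the whole application directory, which after the Dockerfile's `COPY . .` holds `package.json`, `node_modules` and whatever else is in the build context; every request is proxied today, so nothing is served from it yet, but the first `location` someone adds for static assets would publish the source tree. Point `root` at a dedicated public directory or drop it, since the proxy does not use it, and consider adding `server_tokens off;` to the block. The Kubernetes capability note at the top of the file explains the Dockerfile's port choice rather than anything in this server block; it would be easier to find next to `EXPOSE 8080` or in the template's README.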
@@ -1,17 +0,0 @@
-# nginx.default
-
-server {
- listen 80;
- listen [::]:80;
- server_name example.org;
- root /app;
-
- location / {
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_pass http://127.0.0.1:3000;
- }
-
-}
diff --git a/sample-docker-templates/react/Dockerfile b/sample-docker-templates/react/Dockerfile
index d2a5b9be22..746403165d 100644
--- a/sample-docker-templates/react/Dockerfile
+++ b/sample-docker-templates/react/Dockerfile
@@ -1,40 +1,43 @@
-###### BUILD ENVIRONMENT ######
+# Use a minimal Node.js base image
+FROM node:22-alpine
-# Use official Node.js LTS base image for building React app
-FROM node:22.14.0 as build
+# Set environment for production
+ENV NODE_ENV=production
+
+# Install necessary packages: nginx only
+RUN apk update && apk add --no-cache nginx
 # Set working directory
 WORKDIR /app
-# Copy all source files to container
-COPY . /app/
-
-# Install dependencies
-RUN npm install
-
-# Create production build of React app
-RUN npm run build
-
+# Copy application code
+COPY . .
-###### PRODUCTION ENVIRONMENT ######
+# Main global config
+COPY nginx.conf /etc/nginx/nginx.conf
-# Use official stable nginx Alpine image (small and secure)
-FROM nginx:stable-alpine
+# Default server/site config
+COPY nginx-default.conf /etc/nginx/http.d/default.conf
-# Create a non-root user and group 'nonroot' for security best practice
-RUN addgroup -S nonroot && adduser -S nonroot -G nonroot
+# Install production dependencies
+RUN npm install --production --prefer-offline --no-audit && \
+ npm i -g pm2
-# Copy React build files from build stage to nginx html folder
-COPY --from=build /app/build /usr/share/nginx/html
+# Create non-root user and set permissions
+RUN addgroup -g 2002 nonroot && \
+ adduser -u 2002 -G nonroot -S nonroot && \
+ mkdir -p /var/lib/nginx/tmp/client_body && \
+ chown -R nonroot:nonroot /app /var/log/nginx /var/lib/nginx
-# Change ownership to nonroot user to avoid running as root inside container
-RUN chown -R nonroot:nonroot /usr/share/nginx/html
+# Expose port 8080
+EXPOSE 8080
 # Switch to non-root user
 USER nonroot
-# Expose port 80 for HTTP
-EXPOSE 80
+# Link logs to stdout/stderr
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+ ln -sf /dev/stderr /var/log/nginx/error.log
-# Run nginx in foreground
-CMD ["nginx", "-g", "daemon off;"]
+# Start your app listening on port 8080
+CMD ["sh", "-c", "nginx && pm2-runtime src/index.js -i 0 --port=8080"]
\ No newline at end of file
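Review bot: The new react/Dockerfile is the node template verbatim (both `index` lines in this commit end in the same blob `746403165d`), so the React app is never built: the two-stage build with `npm run build` is removed, nothing is copied into an nginx document root, and the new CMD runs `pm2-runtime src/index.js`, which a React project does not have as a server entry point. It also `COPY`s `nginx.conf` and `nginx-default.conf`, which this commit adds only under `sample-docker-templates/node/` per the diffstat, so the `react/` build context lacks them and the build will stop at that step. The previous two-stage shape should come back; its non-root problem is solved by the upstream unprivileged nginx image, which listens on 8080 and already runs as a dedicated user, as sketched below (the `build/` output directory matches the earlier revision; Vite projects emit `dist/`).
```dockerfile
FROM node:22-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM nginxinc/nginx-unprivileged:stable-alpine
COPY --from=build --chown=nginx:nginx /app/build /usr/share/nginx/html
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
```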