@spara
Last active July 11, 2017 04:07

Protip 1: Create a Non-root User

This is good advice, particularly on Linux.

RUN groupadd -r nodejs \
   && useradd -m -r -g nodejs nodejs

USER nodejs

Protip 2: Enable User Namespace Mapping

Another good tip for securing containers:

To use user namespace mapping, simply start a Docker daemon with the --userns-remap flag.

dockerd --userns-remap=default
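Starting the daemon with the flag is only half the job: it is worth checking that remapping is really active and that the remap user has a usable UID range. The script below is an added example (not part of the gist) that does both from `docker info` output and `/etc/subuid` text; the samples at the bottom are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the gist: check that user-namespace remapping is
# really in effect. `dockerd --userns-remap=default` is equivalent to putting
#   { "userns-remap": "default" }
# in /etc/docker/daemon.json; with "default", Docker creates the user and group
# "dockremap" and maps container UIDs onto its subordinate range from /etc/subuid.

# Return 0 if the "Security Options" section of `docker info` lists userns.
# Handles both the one-line form ("Security Options: apparmor seccomp userns")
# and the indented multi-line form of newer daemons.
userns_enabled() {
    printf '%s\n' "$1" | awk '
        /^ *Security Options:/ { insec = 1; if ($0 ~ /userns/) found = 1; next }
        insec && /^ *[A-Za-z]/ && !/^  / { insec = 0 }   # next top-level key
        insec && /userns/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Return 0 if /etc/subuid-style text (user:start:count lines) grants USER at
# least 65536 subordinate UIDs, i.e. one full container UID space.
subuid_range_ok() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        $1 == u && $3 + 0 >= 65536 { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Constructed samples (not captured from a real host) so the checks run offline;
# on a real host use: userns_enabled "$(docker info)" and
# subuid_range_ok dockremap "$(cat /etc/subuid)".
SAMPLE_INFO_REMAPPED=' Server Version: 17.06.0-ce
 Security Options:
  apparmor
  seccomp
   Profile: default
  userns
 Kernel Version: 4.9.0-3-amd64'

SAMPLE_INFO_PLAIN=' Server Version: 17.06.0-ce
 Security Options:
  apparmor
  seccomp
 Kernel Version: 4.9.0-3-amd64'

SAMPLE_SUBUID='alice:100000:65536
dockremap:165536:65536'

if userns_enabled "$SAMPLE_INFO_REMAPPED"; then echo "sample 1: userns remap ON"; fi
if ! userns_enabled "$SAMPLE_INFO_PLAIN"; then echo "sample 2: userns remap OFF"; fi
if subuid_range_ok dockremap "$SAMPLE_SUBUID"; then echo "dockremap has a full UID range"; fi
```

With remapping on, root inside a container shows up on the host as the first UID of the dockremap range, which is what makes the non-root-user advice in Protip 1 defence in depth rather than the only line of defence.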

Protip 3: Start Caching node_modules

Layer creation can be leveraged to cache portions of an application that rarely change, speeding up build times. In a Node.js app this means caching its node_modules directory: by copying the app's package.json and running npm install before copying in the app's source files, the npm install layer stays cached and doesn't need to be re-run after every build.

COPY package.json .
RUN npm install --production
COPY . .

Protip 4: Add a Process ID Safety Net

The primary reason is that PID 1 doesn't receive some signals, such as SIGTERM, which means that node won't stop. However, if you use the exec form instead of the shell form, node itself runs as PID 1 rather than behind a shell. So this is not necessary as long as you use the exec form.

ADD https://github.com/Yelp/dumb-init/releases/download/v1.1.1/dumb-init_1.1.1_amd64 /usr/local/bin/dumb-init
RUN chmod +x /usr/local/bin/dumb-init

CMD ["dumb-init", "node", "index.js"]
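Protips 1, 3 and 4 are all things a reviewer can check mechanically in a Dockerfile. The script below is an added example, not part of the gist: it reports a Dockerfile that still runs as root, one that copies the whole source tree before npm install (which busts the node_modules cache on every change), and a CMD or ENTRYPOINT in shell form (where /bin/sh -c is PID 1 and never forwards SIGTERM to node). It also adds the caveat the exec form alone does not cover: the kernel ignores signals with a default disposition for PID 1, so a node that is PID 1 must install a SIGTERM handler itself or run under an init such as dumb-init. The two Dockerfiles it is run on are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the gist: a small Dockerfile check for the
# non-root user, node_modules caching and PID 1 signal handling points.

# Print one finding per line; return 0 when the Dockerfile passes.
dockerfile_findings() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continuation lines
        { $0 = buf $0; buf = "" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments, blank lines
        { ins = toupper($1) }
        ins == "USER" { user = $2 }
        ins == "RUN" && /npm (install|ci)/ { saw_install = 1 }
        ins == "COPY" || ins == "ADD" {
            src = ""
            for (i = 2; i <= NF; i++) if ($i !~ /^--/) { src = $i; break }
            if (src == "." && !saw_install) copy_all_early = 1
        }
        ins == "CMD" || ins == "ENTRYPOINT" {
            if ($2 !~ /^\[/) shell_form = 1
            if (ins == "ENTRYPOINT") { has_entry = 1; if ($2 ~ /^\["node"/) entry_node = 1 }
            else if ($2 ~ /^\["node"/) cmd_node = 1
        }
        END {
            n = 0
            if (user == "" || user == "root" || user == "0") {
                print "runs as root: add a non-root USER before CMD"; n++ }
            if (copy_all_early) {
                print "COPY . . before npm install: the install layer is rebuilt on every source change"; n++ }
            if (shell_form) {
                print "CMD/ENTRYPOINT in shell form: /bin/sh -c is PID 1 and does not forward SIGTERM"; n++ }
            if (entry_node || (cmd_node && !has_entry)) {
                print "node is PID 1: it must handle SIGTERM itself or run under an init such as dumb-init"; n++ }
            exit (n ? 1 : 0)
        }' "$1"
}

# Constructed sample Dockerfiles (not from the gist) written to temp files.
BAD_DOCKERFILE=$(mktemp)
cat > "$BAD_DOCKERFILE" <<'EOF'
FROM node:6
WORKDIR /app
COPY . .
RUN npm install --production
CMD node index.js
EOF

GOOD_DOCKERFILE=$(mktemp)
cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM node:6
RUN groupadd -r nodejs \
   && useradd -m -r -g nodejs nodejs
ADD https://github.com/Yelp/dumb-init/releases/download/v1.1.1/dumb-init_1.1.1_amd64 /usr/local/bin/dumb-init
RUN chmod +x /usr/local/bin/dumb-init
WORKDIR /app
COPY package.json .
RUN npm install --production
COPY . .
USER nodejs
CMD ["dumb-init", "node", "index.js"]
EOF

echo "== bad =="; dockerfile_findings "$BAD_DOCKERFILE" || echo "(fails)"
echo "== good =="; dockerfile_findings "$GOOD_DOCKERFILE" && echo "(passes)"
```

The bad sample produces three findings and a non-zero exit, which is what you want in a CI step; the good sample is the gist's own fragments assembled in the right order and passes cleanly.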

Protip 5: Tag Docker Images When Building

This is just good practice for managing builds.

docker build -t appnamespace/app:0.0.1 .

Protip 6: Enable Process Management Outside of the Container

This makes sense:

It is recommended that the process is restarted at the container level, rather than from within the container. This has the advantage of requiring a single tool for all containers, regardless of what's running inside. This can be leveraged by an agnostic tool like systemd or upstart.
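One concrete way to do this with systemd, as an added example that is not from the gist or the article it quotes: a unit file that runs the container in the foreground so systemd owns its lifetime, restarts it when it exits, and stops it with docker stop (which delivers SIGTERM to PID 1 in the container, so the exec form or dumb-init from Protip 4 is what makes the stop clean). Docker's own --restart policy is left at its default so that only one supervisor is in charge. The docker path and the unit directory are assumptions; the run below writes into a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the gist: supervise the container from the host
# with a systemd unit instead of a process manager inside the image.

# Write a unit file for NAME running IMAGE into DIR and print its path.
# Assumed: docker lives at /usr/bin/docker; DIR is normally /etc/systemd/system.
write_container_unit() {
    dir="$1"; name="$2"; image="$3"
    unit="$dir/$name.service"
    cat > "$unit" <<EOF
[Unit]
Description=$name container
After=docker.service
Requires=docker.service

[Service]
# Remove a stale container left over from an unclean shutdown; '-' ignores failure.
ExecStartPre=-/usr/bin/docker rm -f $name
# Foreground run (no -d) so systemd tracks the container's lifetime.
ExecStart=/usr/bin/docker run --rm --name $name $image
# SIGTERM first, SIGKILL after 20 s; systemd gives up 10 s later.
ExecStop=/usr/bin/docker stop -t 20 $name
TimeoutStopSec=30
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
EOF
    printf '%s\n' "$unit"
}

# Return 0 if the unit file at $1 starts a line with every directive given after it.
unit_has_directives() {
    f="$1"; shift
    for d in "$@"; do
        grep -q "^$d" "$f" || return 1
    done
    return 0
}

# Constructed run into a temporary directory; on a real host write to
# /etc/systemd/system and then: systemctl daemon-reload && systemctl enable --now app
UNIT_DIR=$(mktemp -d)
UNIT=$(write_container_unit "$UNIT_DIR" app appnamespace/app:0.0.1)
cat "$UNIT"
```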

Protip 7: Use the Production Image as a Base Image

This is common sense:

The benefit of this inheritance model - where development images inherit the environment from the production image - is that all the tests, code coverage, and linting are being run in the same environment that will be pushed into production.

As a team increases its use of Docker, this practice ends up yielding a much better developer experience. When this pattern is used, bugs that manifest themselves in an application's production images will nearly always manifest themselves in the developer images as well.
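Protips 5 and 7 fit together in one build script. The following is an added example, not from the gist: it derives an explicit tag for every build (an untagged docker build lands on the mutable :latest tag, so nothing records which build was deployed), then builds the development image FROM that exact production tag. The layout it assumes is ./Dockerfile for the production image and a ./Dockerfile.dev that begins with `ARG BASE` followed by `FROM ${BASE}` (ARG before FROM needs Docker 17.05 or newer); the package.json it reads is constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: tag every build from package.json and
# build the dev image on top of the tagged production image.

# Print "<version>[-<commit>]" from package.json, validated against Docker's tag
# rules; return 1 if no version is found or the tag would be rejected.
image_tag() {
    pkg="$1"; commit="$2"
    # Pull the "version" value out of package.json (good enough for this file,
    # not a general JSON parser).
    version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    if [ -z "$version" ]; then
        echo "no version in $pkg" >&2
        return 1
    fi
    tag="$version"
    if [ -n "$commit" ]; then
        tag="$version-$commit"
    fi
    # A tag is up to 128 chars of [A-Za-z0-9_.-] and may not start with . or -
    if ! printf '%s' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'; then
        echo "invalid tag: $tag" >&2
        return 1
    fi
    printf '%s\n' "$tag"
}

# Build production image NS/APP:TAG, then NS/APP:TAG-dev on top of it.
# Assumed: ./Dockerfile.dev starts with "ARG BASE" and "FROM ${BASE}".
build_images() {
    ns="$1"; app="$2"; tag="$3"
    docker build -t "$ns/$app:$tag" . &&
    docker build -t "$ns/$app:$tag-dev" --build-arg "BASE=$ns/$app:$tag" -f Dockerfile.dev .
}

# Constructed package.json so image_tag can be tried offline.
PKG_JSON=$(mktemp)
printf '{ "name": "app", "version": "0.0.1" }\n' > "$PKG_JSON"

# The short commit id is optional; outside a git checkout the tag is just the version.
TAG=$(image_tag "$PKG_JSON" "$(git rev-parse --short HEAD 2>/dev/null)")
echo "would build: appnamespace/app:$TAG and appnamespace/app:$TAG-dev"
# On a real checkout: build_images appnamespace app "$TAG"
```

Because the dev image is built from the production tag rather than from a base image of its own, tests and linting run against the same layers, packages and non-root user that ship, which is the whole point of the inheritance model above.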

Protip 8: Fixing Time Drift in Docker

This is good advice particularly for auditing:

Keeping the local environment's clock in sync with the host is simple. From the host machine, run:

docker-machine ssh [docker_machine_name] ntpclient -s -h pool.ntp.org