@anhnguyen1618
Created September 27, 2017 19:52
################################################################
# Note, for performance reasons the order of statements matters!
################################################################
# CIS = Docker security guidelines 1.13.0
# Skipped CIS: 4.4 (by infra)
# CIS 4.2. Trusted base image, version pinning
# !!! OBS OBS OBS! When updating FROM, also update exact same name to .gitlab-ci.yml / BASE_IMAGE !!!!
FROM node:8.1.2-alpine
# !!! OBS OBS OBS! When updating FROM, also update exact same name to .gitlab-ci.yml / BASE_IMAGE !!!!
MAINTAINER Digia Finland Oyj
################################################################
# Environment
################################################################
# CIS 4.3. do not install unnecessary packages
# CIS 4.7. Do not add "apk update" step here!
# Add required apps
RUN apk --no-cache add bash sudo pigz yarn
# CIS 4.8. Remove suid bit from sudo
RUN chmod ug-s /usr/bin/sudo
# FOR ROBOT
RUN apk --no-cache add python py-pip
RUN pip install robotframework==3.0.2 robotframework-selenium2library==1.8.0
# App resides in /app, angular code in /app/angular
RUN mkdir /app /app/angular /app/node -p
# CIS 4.1. Set user & group (run as non-root)
RUN addgroup app && adduser -h /app app -D -G app
RUN chown app:app /app -R
WORKDIR /app
# Use non-root user for security
USER app
################################################################
# Node.JS server modules (for serving dist/ files in production)
################################################################
# Add Node.JS server
COPY node/package.json /app/node/package.json
COPY node/yarn.lock /app/node/yarn.lock
USER root
RUN chown app:app /app -R
USER app
RUN cd node && yarn install
################################################################
# Angular
################################################################
# Copy package.json's & install packages
# Angular first, as it's larger
COPY angular/package.json /app/angular/package.json
COPY angular/yarn.lock /app/angular/yarn.lock
USER root
RUN chown app:app /app/angular/yarn.lock
# Install angular packages
USER app
RUN cd angular && yarn install -q
# TODO maybe optional step. Takes ~20Mb, speeds up development start, archive node_modules (use parallel gzip)
RUN cd angular && tar -cf - node_modules |pigz > /app/.angular_node_modules.tar.gz
# Copy files (if modified, no need to reinstall npm) and build angular (copy node_modules & remove, because 3rd party libraries fail otherwise)
# TODO: when https://github.com/moby/moby/issues/15771 finished, exclude angular/e2e and copy it later on (to skip build for them)
COPY angular/ /app/angular/
USER root
RUN cd angular && chown -R app:app src/assets/docs
USER app
RUN cd angular && ./node_modules/raml2html/bin/raml2html -i src/docs/rest-api/v1/rest-api.raml -o src/assets/docs/rest-api.html
RUN cd angular && chown app:app src/assets/docs/rest-api.html
USER app
RUN cd angular && ./node_modules/.bin/ng build --aot -prod --progress false
################################################################
# Node.JS runtime files
################################################################
# Node.JS files & others (no build needed for these)
COPY node/server.js /app/node/server.js
################################################################
# Entrypoint & misc
################################################################
# Entrypoints / dev env
COPY docker/entrypoint.sh /app/entrypoint.sh
COPY docker/bashrc /app/.bashrc
# Startup
CMD ["./entrypoint.sh"]
# Privileges handled at entrypoint
USER root
# CIS 4.6. Add healthcheck. Using python because it exists. Another alternative is curl but would need to be installed
HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib2; urllib2.urlopen('http://localhost:10080').read()" || exit 1
# Listen at 10080
EXPOSE 10080
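The comments in this Dockerfile tie individual instructions to CIS Docker Benchmark items (pinned base image, no bare `apk update`, non-root `USER`, suid bit stripped from `sudo`, `HEALTHCHECK` present). As an added example, not part of the gist, here is a small Python linter that checks a Dockerfile's text for exactly those properties, so the controls can be verified in CI rather than trusted from comments. The two embedded Dockerfiles are constructed samples (one shaped like the gist, one deliberately weak), and the check names are my own. Note that the gist ends with `USER root` and drops privileges in `entrypoint.sh`; the linter reports the final user as a separate informational result rather than treating it as a failure, because the file alone cannot tell what the entrypoint does.

```python
"""Static checks for the CIS Docker Benchmark 4.x items annotated in the gist's Dockerfile."""
import re
from typing import Dict, List, Tuple

# Constructed sample shaped like the gist (trimmed to the security-relevant lines).
SAMPLE_DOCKERFILE = """\
FROM node:8.1.2-alpine
RUN apk --no-cache add bash sudo pigz yarn
RUN chmod ug-s /usr/bin/sudo
RUN addgroup app && adduser -h /app app -D -G app
USER app
COPY node/server.js /app/node/server.js
CMD ["./entrypoint.sh"]
USER root
HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib2" || exit 1
EXPOSE 10080
"""

# Constructed weak counterpart: floating tag, update-only step, sudo left suid, no USER/HEALTHCHECK.
WEAK_DOCKERFILE = """\
FROM node:latest
RUN apk update
RUN apk add sudo
EXPOSE 10080
"""

UPDATE_ONLY = re.compile(r"\b(apk|apt-get|apt|yum|dnf)\s+(update|upgrade)\b")
INSTALLS_SUDO = re.compile(r"\b(apk\b.*\badd|apt-get\b.*\binstall|yum\b.*\binstall)\b.*\bsudo\b")
STRIPS_SUDO_SUID = re.compile(r"\bchmod\s+\S*-s\S*\s+/usr/bin/sudo\b")


def parse_instructions(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, argument) pairs; joins backslash continuations, drops comments/blanks."""
    joined = re.sub(r"\\\n", " ", text)
    instructions = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instructions.append((parts[0].upper(), parts[1].strip() if len(parts) > 1 else ""))
    return instructions


def _is_pinned(from_arg: str) -> bool:
    """CIS 4.2: the base image must carry a digest or a non-'latest' tag."""
    tokens = [t for t in from_arg.split() if not t.startswith("--")]  # skip --platform=...
    image = tokens[0] if tokens else ""
    if image == "scratch" or "@sha256:" in image:
        return True
    name = image.rsplit("/", 1)[-1]  # drop registry host:port before looking for the tag
    if ":" not in name:
        return False
    return name.rsplit(":", 1)[1].lower() != "latest"


def check_dockerfile(text: str) -> Dict[str, bool]:
    """Evaluate the benchmark items the gist annotates; True means the check passes."""
    instrs = parse_instructions(text)
    froms = [arg for ins, arg in instrs if ins == "FROM"]
    runs = [arg for ins, arg in instrs if ins == "RUN"]
    users = [arg.split()[0].split(":")[0] for ins, arg in instrs if ins == "USER" and arg]

    sudo_installed = any(INSTALLS_SUDO.search(r) for r in runs)
    return {
        # 4.2 trusted, pinned base image
        "from_pinned": bool(froms) and all(_is_pinned(f) for f in froms),
        # 4.7 no update-only package manager step
        "no_update_only_step": not any(UPDATE_ONLY.search(r) for r in runs),
        # 4.1 a non-root user is created/selected somewhere in the build
        "non_root_user_defined": any(u not in ("root", "0") for u in users),
        # informational: image ends as root (the gist drops privileges in the entrypoint)
        "final_user_is_root": bool(users) and users[-1] in ("root", "0"),
        # 4.6 healthcheck present
        "healthcheck_present": any(ins == "HEALTHCHECK" for ins, _ in instrs),
        # 4.8 if sudo is installed, its suid bit must be stripped
        "sudo_suid_removed": (not sudo_installed) or any(STRIPS_SUDO_SUID.search(r) for r in runs),
    }


if __name__ == "__main__":
    for label, text in (("gist-like", SAMPLE_DOCKERFILE), ("weak", WEAK_DOCKERFILE)):
        print(label)
        for name, ok in check_dockerfile(text).items():
            print(f"  {name:22s} {'PASS' if ok else 'FAIL'}")
```

Run it against a real Dockerfile with `check_dockerfile(open("Dockerfile").read())`; a CI job can fail the build when any key other than `final_user_is_root` is `False`. The regex checks are intentionally narrow (for example, a `chmod 0755 /usr/bin/sudo` also clears the suid bit but is not recognised), so treat a failure as a prompt to look, not as proof of a problem.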