P1: Harden Docker image — tini PID 1, HEALTHCHECK, pinned digest (#171)#189
Open
dkijania wants to merge 1 commit into
Conversation
The runtime container ran `npm start` as PID 1, which forwards signals poorly — so SIGTERM didn't cleanly reach node and the new graceful shutdown couldn't run. It also had no container healthcheck and used a floating `node:20-alpine` tag.

- Run `node build/src/index.js` directly under `tini` as PID 1, so the process receives SIGTERM and shuts down gracefully (and zombies are reaped).
- Add a `HEALTHCHECK` hitting the built-in `/healthcheck` endpoint (honours $PORT).
- Pin both stages to the `node:20-alpine` image digest for reproducible, tamper-evident builds (bump via Dependabot — #175).
- Add a `.dockerignore` to keep the build context lean.

Verified locally: the image builds; runs as non-root (uid 1001); tini 0.19.0 is PID 1; `node build/src/index.js` is the entrypoint chain (reaches buildContext).

Closes #171.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01QSuak9smCHbp4N17xjjLF6
What & why

Part of the production-readiness epic (#163). Closes #171.

The runtime container ran `npm start` as PID 1, which forwards signals poorly — so SIGTERM didn't cleanly reach node and the new graceful shutdown (#170) couldn't run. It also had no container healthcheck and used a floating `node:20-alpine` tag.

Changes

- `tini` as PID 1: run `node build/src/index.js` directly under tini, so node receives SIGTERM (graceful shutdown) and zombies are reaped.
- `HEALTHCHECK`: hits the built-in `/healthcheck` endpoint (honours `$PORT`, defaults to 8080).
- Pinned digest (`node:20-alpine@sha256:fb4cd12c…`) for reproducible, tamper-evident builds — bump via Dependabot (P1: Supply chain — Dependabot, npm audit gate, image scan, SBOM #175).
- `.dockerignore` to keep the build context lean.

Verification (built and run locally)

- Runs as non-root (`uid=1001 nodeuser`).
- `node build/src/index.js` under tini — reaches `buildContext` (errors only on the expected missing `PG_CONN`), confirming the entrypoint chain.
- No app code changed; lint and `prettier --debug-check .` pass.

🤖 Generated with Claude Code
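For readers who want to see the four changes described in this PR laid out in one file, the following is an added illustrative Dockerfile, not the project's own Dockerfile from this PR. It assumes a TypeScript project whose `npm run build` emits `build/src/index.js`, an app that listens on `$PORT` (default 8080) and serves `/healthcheck`, and Alpine's busybox `wget` for the probe. The base-image digest is a placeholder: the PR pins to `node:20-alpine@sha256:fb4cd12c…`, which is truncated on this page, so substitute the full digest you resolve yourself (for example with `docker buildx imagetools inspect node:20-alpine`).

```dockerfile
# Added example, not the project's Dockerfile. Pin the base image by digest so
# that a re-tagged or tampered "node:20-alpine" cannot silently change the build.
# PLACEHOLDER: replace with the full sha256 digest you resolved and verified.
ARG BASE_IMAGE=node:20-alpine@sha256:<PINNED_DIGEST_PLACEHOLDER>

# ---- build stage -------------------------------------------------------------
FROM ${BASE_IMAGE} AS build
WORKDIR /app
# Install from the lockfile first so dependency layers cache independently of sources.
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
# Assumption: "npm run build" compiles TypeScript into build/src/index.js.
RUN npm run build

# ---- runtime stage -----------------------------------------------------------
FROM ${BASE_IMAGE} AS runtime
# tini becomes PID 1: it forwards SIGTERM to node and reaps zombie processes,
# which "npm start" as PID 1 does not do reliably.
RUN apk add --no-cache tini \
 && addgroup -g 1001 -S nodeuser \
 && adduser -u 1001 -S -G nodeuser nodeuser
WORKDIR /app
ENV NODE_ENV=production \
    PORT=8080
COPY --from=build /app/package.json /app/package-lock.json ./
RUN npm ci --omit=dev
COPY --from=build --chown=nodeuser:nodeuser /app/build ./build
# Drop privileges before the entrypoint; the app never needs root.
USER nodeuser
EXPOSE 8080

# Shell-form CMD so ${PORT} is expanded at probe time, honouring a runtime override.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD wget -qO- "http://127.0.0.1:${PORT:-8080}/healthcheck" || exit 1

# Exec form on both lines: no intermediate shell, so the chain is tini -> node.
ENTRYPOINT ["/sbin/tini", "--"]
CMD ["node", "build/src/index.js"]
```

Two points worth checking after a build of this kind: `docker exec <container> ps -o pid,comm` should show `tini` at PID 1 with `node` as its child, and `docker inspect --format '{{.State.Health.Status}}' <container>` should move from `starting` to `healthy` once the endpoint answers. A `.dockerignore` listing at least `node_modules`, `.git` and `build` keeps host artifacts out of the context so the image only contains what the build stage produced.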