From 946865cc3717a1ec2f061e2a8a391dd24c3f0a65 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Wed, 28 Aug 2024 11:58:16 -0400 Subject: [PATCH 1/3] New release Dockerfile using ruby-alpine --- Dockerfile | 68 ++++++++++++++++++++---------------------------------- 1 file changed, 25 insertions(+), 43 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9713604..298fef6 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,66 +1,48 @@ # syntax = docker/dockerfile:1 +FROM ruby:3.3.4-alpine AS base -# This Dockerfile is designed for production, not development. Use with Kamal or build'n'run by hand: -# docker build -t my-app . -# docker run -d -p 80:80 -p 443:443 --name my-app -e RAILS_MASTER_KEY= my-app +# Install build dependencies +RUN apk add --no-cache build-base git pkgconfig -# Make sure RUBY_VERSION matches the Ruby version in .ruby-version -ARG RUBY_VERSION=3.3.4 -FROM docker.io/library/ruby:$RUBY_VERSION-slim AS base - -# Rails app lives here -WORKDIR /rails - -# Install base packages -RUN apt-get update -qq && \ - apt-get install --no-install-recommends -y curl libjemalloc2 libsqlite3-0 libvips && \ - rm -rf /var/lib/apt/lists /var/cache/apt/archives +WORKDIR /app # Set production environment ENV RAILS_ENV="production" \ BUNDLE_DEPLOYMENT="1" \ BUNDLE_PATH="/usr/local/bundle" \ - BUNDLE_WITHOUT="development" + BUNDLE_WITHOUT="test development" -# Throw-away build stage to reduce size of final image -FROM base AS build +FROM base AS builder -# Install packages needed to build gems -RUN apt-get update -qq && \ - apt-get install --no-install-recommends -y build-essential git pkg-config && \ - rm -rf /var/lib/apt/lists /var/cache/apt/archives - -# Install application gems +# Install gems COPY Gemfile Gemfile.lock ./ -RUN bundle install && \ - rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \ +RUN bundle install --jobs 4 --retry 3 && \ + rm -rf ~/.bundle/ $BUNDLE_PATH/ruby/*/cache \ + $BUNDLE_PATH/ruby/*/bundler/gems/*/.git && \ bundle exec bootsnap precompile --gemfile - + # Copy application code COPY . . 
-# Precompile bootsnap code for faster boot times +# Precompile bootsnap RUN bundle exec bootsnap precompile app/ lib/ +# Final stage +FROM base +# Install runtime dependencies +RUN apk add --no-cache curl jemalloc sqlite-libs vips tzdata +WORKDIR /app -# Final stage for app image -FROM base - -# Copy built artifacts: gems, application -COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}" -COPY --from=build /rails /rails +# Copy built artifacts +COPY --from=builder /usr/local/bundle /usr/local/bundle +COPY --from=builder /app /app -# Run and own only the runtime files as a non-root user for security -RUN groupadd --system --gid 1000 rails && \ - useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \ +# Add non-root user +RUN addgroup -S rails && adduser -S rails -G rails && \ chown -R rails:rails db log storage tmp -USER 1000:1000 - -# Entrypoint prepares the database. -ENTRYPOINT ["/rails/bin/docker-entrypoint"] +USER rails:rails -# Start the server by default, this can be overwritten at runtime -EXPOSE 3000 -CMD ["./bin/rails", "server"] +# Start the server +CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"] \ No newline at end of file From 2e618dd5323f3ad02da7e5b81580976f5eec51f4 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Wed, 28 Aug 2024 14:28:07 -0400 Subject: [PATCH 2/3] A few more tweaks for prod/release Dockerfile --- Dockerfile | 44 +++++++++++++++++++++++++++----------------- 1 file changed, 27 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index 298fef6..14dc515 100644 --- a/Dockerfile +++ b/Dockerfile 
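Review bot: `USER rails:rails` at the end of the final stage replaces the old numeric `USER 1000:1000`, and `addgroup -S rails && adduser -S rails -G rails` leaves the IDs to BusyBox, so the image no longer declares a stable numeric UID/GID. Runtimes that enforce non-root by inspecting the image (for example Kubernetes `runAsNonRoot`) cannot verify a name-only user, and ownership of mounted volumes may shift if the allocated IDs change between rebuilds. I would keep fixed IDs by starting the RUN with `addgroup -S -g 1000 rails && adduser -S -u 1000 -G rails rails` and ending the stage with `USER 1000:1000`. The same lines are carried unchanged through patches 2/3 and 3/3, so the point applies to the end state of the series as well.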
@@ -1,26 +1,29 @@ # syntax = docker/dockerfile:1 -FROM ruby:3.3.4-alpine AS base +ARG RUBY_VERSION=3.3.4 +ARG RAILS_ROOT=/app +FROM ruby:$RUBY_VERSION-alpine AS builder # Install build dependencies RUN apk add --no-cache build-base git pkgconfig -WORKDIR /app - # Set production environment ENV RAILS_ENV="production" \ + RAILS_ROOT="/app" \ BUNDLE_DEPLOYMENT="1" \ - BUNDLE_PATH="/usr/local/bundle" \ + BUNDLE_PATH="/app/.bundle" \ BUNDLE_WITHOUT="test development" -FROM base AS builder +WORKDIR $RAILS_ROOT # Install gems COPY Gemfile Gemfile.lock ./ -RUN bundle install --jobs 4 --retry 3 && \ - rm -rf ~/.bundle/ $BUNDLE_PATH/ruby/*/cache \ - $BUNDLE_PATH/ruby/*/bundler/gems/*/.git && \ - bundle exec bootsnap precompile --gemfile - +RUN bundle config --global frozen 1 \ + && bundle config set path 'vendor/bundle' \ + && bundle install --without development:test -j4 --retry 3 \ + && rm -rf vendor/bundle/ruby/3.3.0/cache/*.gem # \ + && find vendor/bundle/ruby/3.3.0/gems/ -name "*.c" -delete \ + && find vendor/bundle/ruby/3.3.0/gems/ -name "*.o" -delete + # Copy application code COPY . . 
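Review bot: The builder stage now names two different gem locations, `BUNDLE_PATH="/app/.bundle"` in the ENV block and `bundle config set path 'vendor/bundle'` in the RUN, while the cleanup only touches `vendor/bundle/ruby/3.3.0/...`. Which setting Bundler honours depends on its config precedence, so it is not obvious from the file where the gems land or whether the `rm -rf` matches anything. Picking one location (for instance `BUNDLE_PATH="/app/vendor/bundle"` and dropping the `bundle config set path` line) would remove the ambiguity. The trailing `# \` on the `rm -rf` line also turns the two `find … -delete` lines into a shell comment once the continuation is joined, so they never run; delete them or re-enable them rather than leaving disabled code inside the instruction. The hard-coded `3.3.0` directory will also go stale if `RUBY_VERSION` is overridden at build time.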
@@ -28,21 +31,28 @@ COPY . . RUN bundle exec bootsnap precompile app/ lib/ # Final stage -FROM base +FROM ruby:$RUBY_VERSION-alpine # Install runtime dependencies RUN apk add --no-cache curl jemalloc sqlite-libs vips tzdata -WORKDIR /app +ENV RAILS_ENV="production" \ + RAILS_ROOT="/app" \ + BUNDLE_DEPLOYMENT="1" \ + BUNDLE_APP_CONFIG="/app/.bundle" \ + BUNDLE_WITHOUT="test development" + +WORKDIR $RAILS_ROOT # Copy built artifacts -COPY --from=builder /usr/local/bundle /usr/local/bundle -COPY --from=builder /app /app +COPY --from=builder $RAILS_ROOT $RAILS_ROOT # Add non-root user -RUN addgroup -S rails && adduser -S rails -G rails && \ - chown -R rails:rails db log storage tmp +RUN addgroup -S rails && adduser -S rails -G rails # && \ + # chown -R rails:rails db log storage tmp USER rails:rails +# Start the server by default, this can be overwritten at runtime +EXPOSE 3000 # Start the server -CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"] \ No newline at end of file +CMD ["bin/rails", "server", "-b", "0.0.0.0"] \ No newline at end of file From fc6baa06c1350cfc51a824601744f7096929ad08 Mon Sep 17 00:00:00 2001 From: Geoff Wilson Date: Wed, 28 Aug 2024 14:33:44 -0400 Subject: [PATCH 3/3] Fix the chown for rails user --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 14dc515..e5ec729 100644 --- a/Dockerfile +++ b/Dockerfile @@ -48,8 +48,8 @@ WORKDIR $RAILS_ROOT COPY --from=builder $RAILS_ROOT $RAILS_ROOT # Add non-root user -RUN addgroup -S rails && adduser -S rails -G rails # && \ - # chown -R rails:rails db log storage tmp +RUN addgroup -S rails && adduser -S rails -G rails && \ + chown -R rails:rails db log storage tmp USER rails:rails # Start the server by default, this can be overwritten at runtime
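Review bot: `COPY --from=builder $RAILS_ROOT $RAILS_ROOT` now ships the whole builder tree into the runtime image, which includes everything the earlier `COPY . .` pulled from the build context. This series only touches `Dockerfile`, so unless a `.dockerignore` already exists the image may carry `.git`, local `.env` files or `config/master.key`. I would confirm the ignore file covers those and record the dependency above the COPY, e.g. `# relies on .dockerignore to keep .git, .env* and config/*.key out of the image`. The ENV block in this stage also sets `BUNDLE_APP_CONFIG="/app/.bundle"` where the builder set `BUNDLE_PATH` to the same value; if that difference is not deliberate, both stages should use the same variable so the runtime resolves gems the way the builder installed them.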