nodejs/nodebestpractices
1
0
Fork 0
mirror of https://github.com/goldbergyoni/nodebestpractices.git synced 2025-10-29 00:19:14 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #722 from goldbergyoni/docker-generic-advice

Browse Source 
Docker generic advice - 1st draft
This commit is contained in:
Yoni Goldberg
2020-07-26 16:16:34 +03:00
committed by GitHub
parent 9ae01ea82f 765b84d000
commit d3e1879b3f
2 changed files with 31 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -1234,11 +1234,10 @@ Bear in mind that with the introduction of the new V8 engine alongside the new E
## ![✔] 8.16. Generic Docker practices
**TL;DR:**
**TL;DR:** This is a collection of Docker advice that is not related directly to Node.js - the Node implementation is not much different than any other language. Click read more to skim through.
**Otherwise:**
🔗 [**Read More: Generic Docker practices**](/sections/docker/file.md)
🔗 [**Read More: Generic Docker practices**](/sections/docker/generic-tips.md)
<br /><br /><br />

29
sections/docker/generic-tips.md Normal file
View File

@ -0,0 +1,29 @@
[✔]: ../../assets/images/checkbox-small-blue.png
# Common Node.js Docker best practices
This common Docker guidelines section contains best practices that are standardized among all programming languages and have no special Node.js interpretation
## ![✔] Prefer COPY over ADD command
**TL;DR:** COPY is safer as it copies local files only while ADD supports fancier fetches like downloading binaries from remote sites
## ![✔] Avoid updating the base OS
**TL;DR:** Updating the local binaries during build (e.g. apt-get update) creates inconsistent images every time it runs and also demands elevated privileges. Instead use base images that are updated frequently
## ![✔] Classify images using labels
**TL;DR:** Providing metadata for each image might help Ops professionals treat it adequately. For example, include the maintainer name, build date and other information that might prove useful when someone needs to reason about an image
## ![✔] Use unprivileged containers
**TL;DR:** Privileged container have the same permissions and capabilities as the root user over the host machine. This is rarely needed and as a rule of thumb one should use the 'node' user that is created within official Node images
## ![✔] Inspect and verify the final result
**TL;DR:** Sometimes it's easy to overlook side effects in the build process like leaked secrets or unnecessary files. Inspecting the produced image using tools like [Dive](https://github.com/wagoodman/dive) can easily help to identify such issues
## ![✔] Perform integrity check
**TL;DR:** While pulling base or final images, the network might be mislead and redirected to download malicious images. Nothing in the standard Docker protocol prevents this unless signing and verifying the content. [Docker Notary](https://docs.docker.com/notary/getting_started/) is one of the tools to achieve this