Dockerfile improvements

[bmaupin]

Describe the bug

Since the loopback scaffolding automatically generates a Dockerfile, I've noticed a lot of developers in our organisation assume that this Dockerfile is ready out-of-the-box for production deployments.

Is the generated Dockerfile meant for local developer use? In this case, I think it might be good to mention this somewhere (maybe in the Dockerfile itself) and that it needs some adjustments to be production ready.

Alternatively, I would suggest these changes:

1. The Dockerfile uses npm install, which is great for local development, but I think it should be npm ci for deployments. npm ci --only=production would be even better, but that won't work without additional changes, because of my next point.
2. The built Dockerfile includes devDependencies. If I build it as-is (e.g. docker build .), the image size is 393MB because it includes all of the original TypeScript, the transpiled JavaScript, dependencies, and devDependencies. Changing npm install to npm ci --only=production won't work in a single-stage build because those devDependencies are needed to transpile the TypeScript. By using a multi-stage build, this allows only including the needed files, which reduces the image size to 277MB, and should have a positive impact on storage, deployment times, application startup times, etc.
3. The Dockerfile does the build at runtime, so every time the application is run, it calls npm start, which calls prestart, which calls rebuild, which calls build (and so on). The build should be done when the container is built, so when the container is run, all it has to do is run the code.

I'm not an expert, but here's a Dockerfile that uses a mutli-stage build to fix all of the above issues:

# Check out https://hub.docker.com/_/node to select a new base image
FROM docker.io/library/node:18-slim as builder

# Set to a non-root built-in user `node`
USER node

# Create app directory (with user `node`)
RUN mkdir -p /home/node/app

WORKDIR /home/node/app

# Install app dependencies
# A wildcard is used to ensure both package.json AND package-lock.json are copied
# where available (npm@5+)
COPY --chown=node package*.json ./

RUN npm ci

# Bundle app source code
COPY --chown=node . .

RUN npm run build


FROM docker.io/library/node:18-slim

USER node

RUN mkdir -p /home/node/app

WORKDIR /home/node/app

COPY --chown=node --from=builder /home/node/app/dist dist
COPY --chown=node --from=builder /home/node/app/package*.json ./

RUN npm ci --only=production

# Bind to all network interfaces so that it can be mapped to the host OS
ENV HOST=0.0.0.0 PORT=3000

EXPOSE ${PORT}
CMD [ "node", "." ]

Logs

No response

Additional information

No response

Reproduction

1. Generate a new application
2. CD to the directory
3. Build the Dockerfile and observe the size
4. Change npm install to npm ci --only=production in Dockerfile
5. Build an image using the Dockerfile and observe that the build fails

[dhmlau]

@bmaupin, thanks for your suggestion.
Would it work better to use npm install --production then?

[bmaupin]

@bmaupin, thanks for your suggestion. Would it work better to use npm install --production then?

I think my original wording in the issue description was a bit misleading so I tried to update it. The short version is that npm ci --only=production is ideal for the final built image but will only work with some additional changes to the Dockerfile.

As far as I understand, npm install should only be used for local development. When building the application for deployment (especially for production), npm ci should be used. It ensures that the dependencies are installed cleanly and will also result in reproducible builds; this isn't the case with npm install because it may update packages in package-lock.json unless package versions are explicitly pinned.

In addition, modifying the existing Dockerfile (I think this is it? and replacing npm install with npm install --production will break the build, because the devDependencies are required for the npm run build command to work.

I had to solve this with a multi-stage build in my example above, where the first stage uses npm ci to install all dependencies (including devDependencies) and run the build, then in the second stage, the built JavaScript files are copied and npm ci --only=production is run to exclude devDependencies from the final container image.

[bmaupin]

I was working with a Loopback 4 application today and I noticed another issue with the generated Dockerfile: it does a build every time the container image is run. This of course is slower, and it also presents more potential points of failure at runtime.

The Dockerfile I proposed already remediates this, but I added an extra note about this in the issue description.