diff --git a/backend/services/identity-service/Dockerfile b/backend/services/identity-service/Dockerfile
index 0a269ab0..cf5dd90d 100644
--- a/backend/services/identity-service/Dockerfile
+++ b/backend/services/identity-service/Dockerfile
@@ -33,7 +33,9 @@ RUN ls -la dist/src/ && test -f dist/src/main.js
 # Production stage - use Debian slim for OpenSSL compatibility
 FROM node:20-slim
-WORKDIR /app
+# Create non-root user first
+RUN groupadd -g 1001 nodejs && \
+ useradd -u 1001 -g nodejs nestjs
 # Install OpenSSL, CA certificates, and curl for health checks
 RUN apt-get update && apt-get install -y --no-install-recommends \
@@ -42,17 +44,24 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 curl \
 && rm -rf /var/lib/apt/lists/*
+# Create app directory with correct ownership
+RUN mkdir -p /app && chown nestjs:nodejs /app
+WORKDIR /app
+
+# Switch to non-root user before installing dependencies
+USER nestjs
+
 # Install production dependencies + ts-node for seed
-COPY package*.json ./
-COPY tsconfig*.json ./
+COPY --chown=nestjs:nodejs package*.json ./
+COPY --chown=nestjs:nodejs tsconfig*.json ./
 RUN npm ci --only=production && npm install ts-node typescript @types/node --save-dev
 # Copy Prisma schema and generate client
-COPY prisma ./prisma/
+COPY --chown=nestjs:nodejs prisma ./prisma/
 RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate
 # Copy built files
-COPY --from=builder /app/dist ./dist
+COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist
 # Create startup script that runs migrations and seed before starting the app
 RUN echo '#!/bin/sh\n\
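Review bot: The user created by `useradd -u 1001 -g nodejs nestjs` in this hunk gets no home directory (no `-m`), yet the following hunk switches to `USER nestjs` before `npm ci` and `npx prisma generate`, and both tools write cache and log files under `$HOME` (`~/.npm`, and for Prisma likely `~/.cache`). With `/home/nestjs` absent those steps may fail with an ENOENT/EACCES on the cache directory, or at best run with no cache at all; the old layout ran them as root so this never surfaced. Create the home directory as part of the same line, `useradd -u 1001 -g nodejs -m nestjs`, or otherwise give npm/Prisma a cache location the user owns. The same applies to the first hunk of the referral-service Dockerfile below.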
@@ -64,16 +73,6 @@ npx prisma db seed || echo "Seed completed (or already seeded)"\n\
 echo "Starting application..."\n\
 exec node dist/src/main.js\n' > /app/start.sh && chmod +x /app/start.sh
-# Create non-root user
-RUN groupadd -g 1001 nodejs && \
- useradd -u 1001 -g nodejs nestjs
-
-# Change ownership of app directory
-RUN chown -R nestjs:nodejs /app
-
-# Switch to non-root user
-USER nestjs
-
 ENV NODE_ENV=production
 # Expose port
diff --git a/backend/services/referral-service/Dockerfile b/backend/services/referral-service/Dockerfile
index fac9b1bd..2c41398f 100644
--- a/backend/services/referral-service/Dockerfile
+++ b/backend/services/referral-service/Dockerfile
@@ -33,7 +33,9 @@ RUN ls -la dist/ && test -f dist/main.js
 # Production stage - use Debian slim for OpenSSL compatibility
 FROM node:20-slim
-WORKDIR /app
+# Create non-root user first
+RUN groupadd -g 1001 nodejs && \
+ useradd -u 1001 -g nodejs nestjs
 # Install OpenSSL and curl for health checks
 RUN apt-get update && apt-get install -y --no-install-recommends \
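Review bot: Because `USER nestjs` now precedes every `COPY --chown=nestjs:nodejs`, the `npm ci` step and the `RUN echo ... > /app/start.sh` step, all of `node_modules`, `dist/` and `start.sh` end up owned and writable by the runtime user, so the process can modify its own entrypoint and code at runtime; the previous `chown -R nestjs:nodejs /app` produced the same result, but this rewrite is the point where that choice should be made explicit rather than inherited. If owner-writable files are accepted for build simplicity, record the expectation next to the switch, e.g. above `USER nestjs`: `# npm ci / prisma generate run as nestjs, so node_modules and dist stay writable by the runtime user; run with a read-only root filesystem in production`. The `RUN echo` that writes start.sh continues past the end of the hunk. The identity-service hunk and the corresponding referral-service hunk below have the same layout.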
@@ -41,17 +43,24 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 curl \
 && rm -rf /var/lib/apt/lists/*
+# Create app directory with correct ownership
+RUN mkdir -p /app && chown nestjs:nodejs /app
+WORKDIR /app
+
+# Switch to non-root user before installing dependencies
+USER nestjs
+
 # Install production dependencies + ts-node for seed
-COPY package*.json ./
-COPY tsconfig*.json ./
+COPY --chown=nestjs:nodejs package*.json ./
+COPY --chown=nestjs:nodejs tsconfig*.json ./
 RUN npm ci --only=production && npm install ts-node typescript @types/node --save-dev
-# Copy Prisma schema and generate client (dummy DATABASE_URL for build time only)
-COPY prisma ./prisma/
+# Copy Prisma schema and generate client
+COPY --chown=nestjs:nodejs prisma ./prisma/
 RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate
 # Copy built files
-COPY --from=builder /app/dist ./dist
+COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist
 # Create startup script that runs migrations and seed before starting the app
 RUN echo '#!/bin/sh\n\
@@ -63,16 +72,6 @@ npx prisma db seed || echo "Seed completed (or already seeded)"\n\
 echo "Starting application..."\n\
 exec node dist/main.js\n' > /app/start.sh && chmod +x /app/start.sh
-# Create non-root user
-RUN groupadd -g 1001 nodejs && \
- useradd -u 1001 -g nodejs nestjs
-
-# Change ownership of app directory
-RUN chown -R nestjs:nodejs /app
-
-# Switch to non-root user
-USER nestjs
-
 # Expose port
 EXPOSE 3004
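Review bot: The replacement comment above `COPY --chown=nestjs:nodejs prisma ./prisma/` drops the parenthetical that explained the literal `postgresql://user:pass@localhost:5432/db` on the following `RUN ... npx prisma generate` line is a build-time placeholder, not a credential. That hint is the only thing on the page telling a reader or a secret scanner that the value is inert, and the `--chown` change did not need to touch it. Keep the previous wording, `# Copy Prisma schema and generate client (dummy DATABASE_URL for build time only)`, and consider adding the same line above the identical `RUN` in the identity-service Dockerfile, which never had it.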