diff --git a/backend/services/admin-service/Dockerfile b/backend/services/admin-service/Dockerfile index 17a96bf6..09769b89 100644 --- a/backend/services/admin-service/Dockerfile +++ b/backend/services/admin-service/Dockerfile @@ -33,7 +33,9 @@ RUN ls -la dist/ && test -f dist/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ @@ -41,16 +43,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma schema and generate client (dummy DATABASE_URL for build time only) -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that runs migrations before starting the app RUN printf '%s\n' \ @@ -62,15 +71,7 @@ RUN printf '%s\n' \ 'exec node dist/main.js' \ > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs +ENV NODE_ENV=production # Expose port EXPOSE 3010 
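Review bot: The home directory created by `useradd -u 1001 -g nodejs -m nestjs` ends up holding an npm cache that is baked into the image: with `USER nestjs` set in the next hunk, `npm ci` (and `npx`, if it has to fetch `prisma`) writes under `/home/nestjs/.npm` and no later step removes it. Clearing it in the layer that creates it, `RUN npm ci --only=production && npm cache clean --force`, keeps that content out of the final image. The comment would be more useful if it named the steps, for example `# -m: npm ci and npx need a writable $HOME for ~/.npm`. A service account also has no need for a login shell, so `--shell /usr/sbin/nologin` can be added to the `useradd` line. The same hunk is repeated in the blockchain, leaderboard, mpc, presence, reporting, reward and wallet Dockerfiles.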
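Review bot: `USER nestjs` in the second hunk names the account instead of giving its ID, so if these images run under Kubernetes with `runAsNonRoot: true` the kubelet cannot verify that the user is non-root and refuses to start the container unless the pod also sets `runAsUser`; `USER 1001:1001` matches the IDs created in the first hunk and avoids that. Separately, `COPY --chown=nestjs:nodejs` on `dist`, together with `npm ci` and the start-script `RUN` now executing as nestjs, leaves the application code, `node_modules` and `/app/start.sh` writable by the account that runs the service, so a compromised process could change what is executed on the next start in that container. If nothing writes to `dist` at runtime (not visible here), `COPY --from=builder /app/dist ./dist` without `--chown` keeps it root-owned and read-only for the service. The same hunk appears in the other seven Dockerfiles in this commit.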
diff --git a/backend/services/blockchain-service/Dockerfile b/backend/services/blockchain-service/Dockerfile index 4d8bec84..dcbc0130 100644 --- a/backend/services/blockchain-service/Dockerfile +++ b/backend/services/blockchain-service/Dockerfile @@ -33,7 +33,9 @@ RUN ls -la dist/ && test -f dist/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ @@ -41,16 +43,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma schema and generate client -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that syncs schema before starting the app RUN echo '#!/bin/sh\n\ @@ -60,16 +69,6 @@ npx prisma db push --skip-generate\n\ echo "Starting application..."\n\ exec node dist/main.js\n' > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs - ENV NODE_ENV=production # Expose port 
diff --git a/backend/services/leaderboard-service/Dockerfile b/backend/services/leaderboard-service/Dockerfile index c691856b..03489611 100644 --- a/backend/services/leaderboard-service/Dockerfile +++ b/backend/services/leaderboard-service/Dockerfile @@ -36,7 +36,9 @@ RUN ls -la dist/src/ && test -f dist/src/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim AS production -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ @@ -44,16 +46,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Copy package files and install production dependencies -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma files and generate client (dummy DATABASE_URL for build time only) -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built application -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that runs migrations before starting the app RUN echo '#!/bin/sh\n\ 
@@ -63,16 +72,6 @@ npx prisma migrate deploy || npx prisma db push --accept-data-loss\n\ echo "Starting application..."\n\ exec node dist/src/main.js\n' > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs - ENV NODE_ENV=production # Expose port diff --git a/backend/services/mpc-service/Dockerfile b/backend/services/mpc-service/Dockerfile index 8453b9b9..98137da8 100644 --- a/backend/services/mpc-service/Dockerfile +++ b/backend/services/mpc-service/Dockerfile @@ -31,7 +31,9 @@ RUN ls -la dist/ && test -f dist/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ 
@@ -39,33 +41,33 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app + +# Create temp directory for TSS +RUN mkdir -p /tmp/tss && chown nestjs:nodejs /tmp/tss + +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma schema, migrations and generate client -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Copy entrypoint script -COPY docker-entrypoint.sh ./ +COPY --chown=nestjs:nodejs docker-entrypoint.sh ./ RUN chmod +x docker-entrypoint.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Create temp directory for TSS -RUN mkdir -p /tmp/tss && chown -R nestjs:nodejs /tmp/tss - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs +ENV NODE_ENV=production # Expose port EXPOSE 3006 diff --git a/backend/services/presence-service/Dockerfile b/backend/services/presence-service/Dockerfile index cddf99a5..40fa76d3 100644 --- a/backend/services/presence-service/Dockerfile +++ b/backend/services/presence-service/Dockerfile @@ -33,7 +33,9 @@ RUN ls -la dist/ && test -f dist/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ 
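Review bot: In the mpc-service hunk, `RUN mkdir -p /tmp/tss && chown nestjs:nodejs /tmp/tss` creates the directory with the default mode, so it is world-readable although, judging by its name, it may hold threshold-signing intermediates; `RUN install -d -m 0700 -o nestjs -g nodejs /tmp/tss` makes it private to the service account in one step. It is worth confirming that the deployment does not mount a tmpfs or volume over `/tmp`, which would hide this directory at runtime. With BuildKit, `COPY --chown=nestjs:nodejs docker-entrypoint.sh ./` followed by `RUN chmod +x docker-entrypoint.sh` can become `COPY --chmod=0755 docker-entrypoint.sh ./`, which drops a layer and leaves the entrypoint root-owned, not writable by the service.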
@@ -41,16 +43,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma schema and generate client -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that runs migrations before starting the app RUN echo '#!/bin/sh\n\ @@ -60,16 +69,6 @@ npx prisma migrate deploy || npx prisma db push --accept-data-loss\n\ echo "Starting application..."\n\ exec node dist/main.js\n' > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs - ENV NODE_ENV=production # Expose port diff --git a/backend/services/reporting-service/Dockerfile b/backend/services/reporting-service/Dockerfile index 77ae03db..ccbb7bcf 100644 --- a/backend/services/reporting-service/Dockerfile +++ b/backend/services/reporting-service/Dockerfile @@ -38,7 +38,9 @@ RUN ls -la dist/src/ && test -f dist/src/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ 
@@ -46,16 +48,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma schema and generate client (dummy DATABASE_URL for build time only) -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that runs migrations before starting the app RUN echo '#!/bin/sh\n\ @@ -65,16 +74,6 @@ npx prisma migrate deploy || npx prisma db push --accept-data-loss\n\ echo "Starting application..."\n\ exec node dist/src/main.js\n' > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs - ENV NODE_ENV=production # Expose port diff --git a/backend/services/reward-service/Dockerfile b/backend/services/reward-service/Dockerfile index fc213b26..eb025e2b 100644 --- a/backend/services/reward-service/Dockerfile +++ b/backend/services/reward-service/Dockerfile @@ -36,7 +36,9 @@ RUN ls -la dist/src/ && test -f dist/src/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ 
@@ -44,16 +46,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm ci --only=production # Copy Prisma schema and generate client -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that runs migrations before starting the app RUN echo '#!/bin/sh\n\ @@ -63,16 +72,6 @@ npx prisma migrate deploy || npx prisma db push --accept-data-loss\n\ echo "Starting application..."\n\ exec node dist/src/main.js\n' > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs - ENV NODE_ENV=production # Expose port diff --git a/backend/services/wallet-service/Dockerfile b/backend/services/wallet-service/Dockerfile index 38951586..a8a122f0 100644 --- a/backend/services/wallet-service/Dockerfile +++ b/backend/services/wallet-service/Dockerfile @@ -33,7 +33,9 @@ RUN ls -la dist/ && test -f dist/main.js # Production stage - use Debian slim for OpenSSL compatibility FROM node:20-slim -WORKDIR /app +# Create non-root user with home directory (npm cache needs it) +RUN groupadd -g 1001 nodejs && \ + useradd -u 1001 -g nodejs -m nestjs # Install OpenSSL and curl for health checks RUN apt-get update && apt-get install -y --no-install-recommends \ 
@@ -41,16 +43,23 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ curl \ && rm -rf /var/lib/apt/lists/* +# Create app directory with correct ownership +RUN mkdir -p /app && chown nestjs:nodejs /app +WORKDIR /app + +# Switch to non-root user before installing dependencies +USER nestjs + # Install production dependencies only -COPY package*.json ./ +COPY --chown=nestjs:nodejs package*.json ./ RUN npm install --omit=dev # Copy Prisma schema and migrations, then generate client (dummy DATABASE_URL for build time only) -COPY prisma ./prisma/ +COPY --chown=nestjs:nodejs prisma ./prisma/ RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db" npx prisma generate # Copy built files -COPY --from=builder /app/dist ./dist +COPY --chown=nestjs:nodejs --from=builder /app/dist ./dist # Create startup script that runs migrations before starting the app RUN echo '#!/bin/sh\n\ @@ -60,15 +69,7 @@ npx prisma migrate deploy || npx prisma db push --accept-data-loss\n\ echo "Starting application..."\n\ exec node dist/main.js\n' > /app/start.sh && chmod +x /app/start.sh -# Create non-root user -RUN groupadd -g 1001 nodejs && \ - useradd -u 1001 -g nodejs nestjs - -# Change ownership of app directory -RUN chown -R nestjs:nodejs /app - -# Switch to non-root user -USER nestjs +ENV NODE_ENV=production # Expose port EXPOSE 3001
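Review bot: The wallet-service hunk keeps `RUN npm install --omit=dev`, while the other seven Dockerfiles in this commit install with `npm ci`; `npm install` may resolve versions that differ from the lockfile at build time, whereas `npm ci` fails when package.json and package-lock.json disagree. Assuming `COPY package*.json ./` does bring a package-lock.json into the image (not visible here), `RUN npm ci --omit=dev` would make this image reproducible from the lockfile like the rest. If the lockfile is missing for this service, a comment such as `# no package-lock.json yet: npm install resolves versions at build time` would make the exception explicit.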