Merge pull request #54 from dehydr8/docker-compose

Rework docker setup to use security best practices
dehydr8 · May 11, 2021 · 3083504 · 3083504
2 parents 3a0e2f9 + af992a6
commit 3083504
Show file tree

Hide file tree

Showing 65 changed files with 898 additions and 269 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -1,4 +1,6 @@
 node_modules/
 deploy/
 build/
-db/
+db/
+**/*.test.js
+.heroku/
diff --git a/.travis.yml b/.travis.yml
@@ -30,7 +30,7 @@ matrix:
         - echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
         - echo "$HEROKU_API_KEY" | docker login -u "$HEROKU_USER" --password-stdin registry.heroku.com
       script:
-        - docker build -t $REPO:$COMMIT .
+        - docker build -f heroku/Dockerfile -t $REPO:$COMMIT .
         - docker tag $REPO:$COMMIT $REPO:latest
         - docker tag $REPO:$COMMIT $REPO:$TRAVIS_TAG
         - docker tag $REPO:$COMMIT $REPO:$TRAVIS_TAG

diff --git a/Dockerfile b/Dockerfile
diff --git a/README.md b/README.md
@@ -33,14 +33,18 @@ npm run start
 The UI can also be built and served statically, keep in mind that the values of the port numbers will be hard coded in the generated files.
 
 ### Docker
-The docker image uses `supervisord` to run both the UI and the server in the same container. The UI is built and served using `nginx`, it is also used to proxy requests from `/api` to the public API.
+To start a dockerized version of the EoP game use
 
-```
-docker build . -t eop:latest
-docker run --rm -it -p 8080:80 eop:latest
+```bash
+docker-compose up --build
 ```
 
 This would start EoP on port `8080` and would be accessible at `http://localhost:8080/`.
+The docker-compose setup starts two container: 
+ * `threats-client`: running `nginx` as a reverse proxy and serving the react application
+ * `threats-server`: running the `nodejs` backends: public API and game server
+
+![docker-compose setup](docs/docker-setup.svg)
 
 ## TODO
 * Spectator mode
@@ -50,7 +54,6 @@ This would start EoP on port `8080` and would be accessible at `http://localhost
 * Improve test coverage, write tests for possible game states and moves
 * Refactor and have reusable components
 * Optimize component renders through `shouldComponentUpdate`
-* Optimize docker image, currently using `ubuntu:latest`
 * Write contributing guide
 
 ## Credits

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,19 @@
+version: '3'
+
+services:
+  client:
+    build:
+      context: .
+      dockerfile: docker/client.dockerfile
+    container_name: threats-client
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+
+  server:
+    build:
+      context: .
+      dockerfile: docker/server.dockerfile
+    container_name: threats-server
+    restart: unless-stopped
+    network_mode: service:client
diff --git a/docker/client.dockerfile b/docker/client.dockerfile
@@ -0,0 +1,13 @@
+FROM node:15.14.0-alpine3.13 AS builder
+WORKDIR /usr/src/app
+COPY package.json ./
+COPY package-lock.json ./
+COPY ./public ./public
+COPY ./src ./src
+RUN npm ci
+RUN npm run build
+
+FROM nginxinc/nginx-unprivileged:1.18-alpine
+COPY docker/files/etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf
+COPY --from=builder /usr/src/app/build /usr/share/nginx/html/
+EXPOSE 8080
diff --git a/docker/files/etc/nginx/conf.d/default.conf b/docker/files/etc/nginx/conf.d/default.conf
@@ -0,0 +1,23 @@
+server {
+	listen       8080;
+    server_name  localhost;
+
+    location / {
+        root   /usr/share/nginx/html;
+        index  index.html;
+		try_files $uri /index.html;
+    }
+
+	location /api/ {
+        proxy_pass http://localhost:8001/;
+	}
+
+	location /socket.io/ {
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $host;
+        proxy_pass http://localhost:8000/socket.io/;
+	}
+}
diff --git a/docker/server.dockerfile b/docker/server.dockerfile
@@ -0,0 +1,18 @@
+FROM node:15.14.0-alpine3.13 AS builder
+WORKDIR /usr/src/app
+COPY package.json ./
+COPY package-lock.json ./
+RUN npm ci --only=production
+
+FROM node:15.14.0-alpine3.13
+RUN apk add dumb-init
+WORKDIR /usr/src/app
+RUN chown node:node /usr/src/app
+USER node
+ENV NODE_ENV production
+COPY --chown=node:node  --from=builder /usr/src/app/node_modules /usr/src/app/node_modules
+COPY --chown=node:node ./src/server /usr/src/app/src/server
+COPY --chown=node:node ./src/game /usr/src/app/src/game
+COPY --chown=node:node ./src/utils /usr/src/app/src/utils
+CMD [ "dumb-init", "node", "-r", "esm", "/usr/src/app/src/server/server.js" ]
+