From c0c8751d538301b172c7eb05a3020084ae9c3d17 Mon Sep 17 00:00:00 2001
From: Martin Sommer <martin.sommer@staffbase.com>
Date: Wed, 21 Oct 2020 17:06:38 +0200
Subject: [PATCH 1/3] :recycle: Using yarn for all Docker related stuff and set
 "production" mode

---
 .dockerignore        | 3 +++
 Dockerfile           | 6 ++++--
 docker/entrypoint.sh | 8 ++++----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index 3978a0f7a..1b115c822 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,5 @@
 .git
 .gitignore
+# Ignore local node_modules because we fetch only production dependencies
+# during the container build.
+node_modules
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 48e78441f..c4aed29a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,8 +6,10 @@ COPY . /iframely
 
 WORKDIR /iframely
 
+ENV NODE_ENV=production
+
 RUN apk add --no-cache git && \
-    npm install -g forever && \
-    npm install
+    yarn add forever && \
+    yarn install --frozen-lockfile --production
 
 ENTRYPOINT [ "/iframely/docker/entrypoint.sh" ]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index c461c51c9..bc301738d 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -5,7 +5,7 @@ export ARGC="$#"
 
 function sigterm_handler() {
     echo "SIGTERM signal received."
-    forever stopall
+    yarn forever stopall
 }
 
 trap "sigterm_handler; exit" TERM
@@ -14,13 +14,13 @@ function entrypoint() {
     if [ "$ARGC" -eq 0 ]
     then
         # Run server in cluster mode by default
-        forever start cluster.js
+        yarn forever start cluster.js
     else
         # Use command line arguments supplied at runtime
-        forever start $ARGV
+        yarn forever start $ARGV
     fi
 
-    forever --fifo logs 0 &
+    yarn forever --fifo logs 0 &
     wait
 }
 

From b35f9426de16707f450889767f5f1c6474ae7212 Mon Sep 17 00:00:00 2001
From: Martin Sommer <martin.sommer@staffbase.com>
Date: Wed, 21 Oct 2020 17:33:37 +0200
Subject: [PATCH 2/3] :heavy_minus_sign: Remove forever.js from the Dockerfile

---
 Dockerfile           |  1 -
 docker/entrypoint.sh | 28 ++--------------------------
 2 files changed, 2 insertions(+), 27 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c4aed29a1..f06df00df 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,6 @@ WORKDIR /iframely
 ENV NODE_ENV=production
 
 RUN apk add --no-cache git && \
-    yarn add forever && \
     yarn install --frozen-lockfile --production
 
 ENTRYPOINT [ "/iframely/docker/entrypoint.sh" ]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index bc301738d..0237e6839 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,27 +1,3 @@
-#!/bin/ash
+#!/bin/sh
 
-export ARGV="$@"
-export ARGC="$#"
-
-function sigterm_handler() {
-    echo "SIGTERM signal received."
-    yarn forever stopall
-}
-
-trap "sigterm_handler; exit" TERM
-
-function entrypoint() {
-    if [ "$ARGC" -eq 0 ]
-    then
-        # Run server in cluster mode by default
-        yarn forever start cluster.js
-    else
-        # Use command line arguments supplied at runtime
-        yarn forever start $ARGV
-    fi
-
-    yarn forever --fifo logs 0 &
-    wait
-}
-
-entrypoint
+exec node cluster.js

From 20a2ced30334560a597c4ecd46df79960dcf5b66 Mon Sep 17 00:00:00 2001
From: Martin Sommer <martin.sommer@staffbase.com>
Date: Mon, 30 Nov 2020 16:48:32 +0100
Subject: [PATCH 3/3] :recycle: Re-create the Dockerfile with cache layers in
 mind

---
 Dockerfile | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f06df00df..5ec5ff351 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,22 @@
-FROM node:12-alpine
+FROM node:12.18-alpine3.12
 
 EXPOSE 8061
 
-COPY . /iframely
-
 WORKDIR /iframely
 
-ENV NODE_ENV=production
+# Create new non-root user
+RUN addgroup -S iframelygroup && adduser -S iframely -G iframelygroup
+
+# This will change the config to `config.<VALUE>.js` and the express server to change its behaviour.
+# You should overwrite this on the CLI with `-e NODE_ENV=production`.
+ENV NODE_ENV=local
+
+## Utilize docker layer cache
+COPY package.json yarn.lock /iframely/
+RUN yarn install --pure-lockfile --production
+
+COPY . /iframely
 
-RUN apk add --no-cache git && \
-    yarn install --frozen-lockfile --production
+USER iframely
 
 ENTRYPOINT [ "/iframely/docker/entrypoint.sh" ]