# Build context: bytelyst-devops-tools/dashboard/ (monorepo root) # # Uses pnpm (matches `packageManager` field in package.json) and the # workspace `pnpm-lock.yaml` at the dashboard root. The previously-used # `npm ci` against `backend/package-lock.json` was broken because the # npm lockfile had been regenerated inside the pnpm workspace and # contained pnpm-store symlinks (e.g. node_modules/typescript pointing # at ../node_modules/.pnpm/typescript@5.9.3/...), which npm treated as # `link: true` and skipped installing — leaving `tsc` missing. # # BYTELYST_PACKAGE_SOURCE=gitea disables the `.pnpmfile.cjs` filesystem # lookup of `learning_ai_common_plat` (which isn't in the build context). # Backend has no `@bytelyst/*` deps so the pnpmfile is a no-op for it, # but we set the env explicitly for clarity. # --- Stage 1: Build --- FROM node:20-alpine AS builder ENV BYTELYST_PACKAGE_SOURCE=gitea RUN corepack enable && corepack prepare pnpm@10.6.5 --activate WORKDIR /app # Workspace metadata (pnpm needs the root files to resolve the workspace). COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .pnpmfile.cjs ./ COPY backend/package.json ./backend/ RUN pnpm install --frozen-lockfile --filter "@bytelyst/devops-backend..." --ignore-scripts COPY backend/tsconfig.json ./backend/ COPY backend/src/ ./backend/src/ # Build-time env vars (baked into the bundle) ARG BYTELYST_COMMIT_SHA=unknown ARG BYTELYST_COMMIT_SHA_FULL=unknown ARG BYTELYST_BRANCH=unknown ARG BYTELYST_BUILT_AT=unknown ARG BYTELYST_COMMIT_AUTHOR=unknown ARG BYTELYST_COMMIT_MESSAGE=unknown ARG BYTELYST_DOCKER_IMAGE=devops-backend:latest ENV BYTELYST_COMMIT_SHA=${BYTELYST_COMMIT_SHA} \ BYTELYST_COMMIT_SHA_FULL=${BYTELYST_COMMIT_SHA_FULL} \ BYTELYST_BRANCH=${BYTELYST_BRANCH} \ BYTELYST_BUILT_AT=${BYTELYST_BUILT_AT} \ BYTELYST_COMMIT_AUTHOR=${BYTELYST_COMMIT_AUTHOR} \ BYTELYST_COMMIT_MESSAGE=${BYTELYST_COMMIT_MESSAGE} \ BYTELYST_DOCKER_IMAGE=${BYTELYST_DOCKER_IMAGE} WORKDIR /app/backend RUN pnpm run build # Carve out a production-only deploy bundle (node_modules without devDeps). RUN pnpm --filter "@bytelyst/devops-backend" deploy --prod --legacy /deploy # --- Stage 2: Run --- # Use Debian slim (not Alpine) because vm-health-check.sh uses GNU df flags # (--output=pcent, --output=avail) that BusyBox df does not support. FROM node:20-slim AS runner WORKDIR /app/backend # Install tools needed by the VM management module: # bash — vm-health-check.sh and vm-cleanup.sh require bash # docker.io — docker CLI to communicate with the host daemon via socket # python3 — used in inline python3 -c snippets inside the scripts RUN apt-get update && apt-get install -y --no-install-recommends \ curl bash docker.io python3 \ && rm -rf /var/lib/apt/lists/* # Non-root user setup (Phase 5 P2 mitigation roadmap, item #4). # The backend doesn't strictly need root — its only privileged action is # talking to the docker daemon, which group membership covers. We create # the user + a docker group at a build-arg-configurable GID so the GID # can match the host's docker group (`getent group docker` on the host). # # Default `BACKEND_USER=root` keeps the current behaviour so existing # deployments don't break. Set `BACKEND_USER=app` to run non-root; this # requires the bind-mounted log files in `/var/log/vm-*.log` and # `/var/log/docker-watchdog.log` to be group-readable+writable by the # matching docker GID (or world-readable for read-only paths). See # `dashboard/DEPLOYMENT.md` Privilege Surface → "Running non-root". ARG BACKEND_USER=root ARG DOCKER_GID=999 # `docker.io` in debian:bookworm-slim creates a `docker` group at a # distro-chosen GID (commonly 101). Reconcile it to ${DOCKER_GID} so the # in-container group matches the host's docker GID. If no `docker` group # exists yet, create one at ${DOCKER_GID}. RUN if getent group docker >/dev/null; then \ groupmod --gid "${DOCKER_GID}" docker; \ else \ groupadd --system --gid "${DOCKER_GID}" docker; \ fi \ && useradd --system --create-home --uid 1001 --gid "${DOCKER_GID}" --shell /sbin/nologin app \ && chown -R app:"${DOCKER_GID}" /app # Bring in the deploy bundle (package.json, prod node_modules) and compiled JS. COPY --from=builder --chown=app:${DOCKER_GID} /deploy/package.json ./package.json COPY --from=builder --chown=app:${DOCKER_GID} /deploy/node_modules ./node_modules COPY --from=builder --chown=app:${DOCKER_GID} /app/backend/dist ./dist ENV NODE_ENV=production ENV PORT=4004 EXPOSE 4004 # Switch to non-root only when explicitly opted in via build arg. If the # arg is `app`, the next two layers actually drop privileges; if `root`, # they're a no-op. USER ${BACKEND_USER} CMD ["node", "dist/server.js"]