bytelyst/bytelyst-devops-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4326001650
bytelyst-devops-tools/dashboard/backend/Dockerfile
Hermes VM 254ef2704c fix(dashboard): switch backend+web Dockerfiles to pnpm; add missing pino dep 
The image rebuilds were broken because `backend/package-lock.json` and
`web/package-lock.json` had been regenerated inside the pnpm workspace
and contained pnpm-store symlinks (e.g. `node_modules/typescript` →
`../node_modules/.pnpm/typescript@5.9.3/...` with `link: true`). When
`npm ci` ran in Docker outside the pnpm workspace, those link targets
didn't exist, so devDeps including TypeScript were silently not
installed — leaving `tsc: not found` at build time.

Fix aligns Docker builds with the declared `packageManager: pnpm@10.6.5`
field:

  - Both Dockerfiles now use corepack + pnpm with the workspace
    `pnpm-lock.yaml` and `--filter ... --frozen-lockfile`
  - Production stage uses `pnpm deploy --prod --legacy` to carve out a
    devDep-free node_modules
  - Drop the stale `backend/package-lock.json` and
    `web/package-lock.json` (they're regenerated wrong every time anyone
    runs npm in here)
  - Add `pino` + `pino-pretty` to backend deps (used by
    `src/lib/logger.ts` from the Phase 5 P1 structured-logging work but
    never declared)
  - Fix pre-existing bug in backend runtime stage: `docker.io` package
    in debian:bookworm-slim pre-creates a `docker` group at GID ~101,
    so `groupadd --gid 999` then `useradd --gid 999` failed. Use
    `groupmod` when the group already exists.

After this commit:
  - 87/87 tests pass (74 backend + 13 web)
  - typecheck clean
  - lint: 0 errors (only pre-existing unused-var warnings)
  - `docker compose build && up` succeeds end-to-end
  - Tailscale URL serves the new dashboard with all Phase 1-7 work live
  - CORS allow-list driven by `EXTRA_CORS_ORIGINS` env var (no hot-patch
    needed in the running container)

Generated with [Devin](https://cli.devin.ai/docs)

Co-Authored-By: Devin <158243242+devin-ai-integration[bot]@users.noreply.github.com>
2026-05-30 10:13:37 +00:00

113 lines
4.7 KiB
Docker
Raw Blame History

# Build context: bytelyst-devops-tools/dashboard/ (monorepo root)
#
# Uses pnpm (matches `packageManager` field in package.json) and the
# workspace `pnpm-lock.yaml` at the dashboard root. The previously-used
# `npm ci` against `backend/package-lock.json` was broken because the
# npm lockfile had been regenerated inside the pnpm workspace and
# contained pnpm-store symlinks (e.g. node_modules/typescript pointing
# at ../node_modules/.pnpm/typescript@5.9.3/...), which npm treated as
# `link: true` and skipped installing — leaving `tsc` missing.
#
# BYTELYST_PACKAGE_SOURCE=gitea disables the `.pnpmfile.cjs` filesystem
# lookup of `learning_ai_common_plat` (which isn't in the build context).
# Backend has no `@bytelyst/*` deps so the pnpmfile is a no-op for it,
# but we set the env explicitly for clarity.
# --- Stage 1: Build ---
FROM node:20-alpine AS builder
ENV BYTELYST_PACKAGE_SOURCE=gitea
RUN corepack enable && corepack prepare pnpm@10.6.5 --activate
WORKDIR /app
# Workspace metadata (pnpm needs the root files to resolve the workspace).
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .pnpmfile.cjs ./
COPY backend/package.json ./backend/
RUN pnpm install --frozen-lockfile --filter "@bytelyst/devops-backend..." --ignore-scripts
COPY backend/tsconfig.json ./backend/
COPY backend/src/ ./backend/src/
# Build-time env vars (baked into the bundle)
ARG BYTELYST_COMMIT_SHA=unknown
ARG BYTELYST_COMMIT_SHA_FULL=unknown
ARG BYTELYST_BRANCH=unknown
ARG BYTELYST_BUILT_AT=unknown
ARG BYTELYST_COMMIT_AUTHOR=unknown
ARG BYTELYST_COMMIT_MESSAGE=unknown
ARG BYTELYST_DOCKER_IMAGE=devops-backend:latest
ENV BYTELYST_COMMIT_SHA=${BYTELYST_COMMIT_SHA} \
BYTELYST_COMMIT_SHA_FULL=${BYTELYST_COMMIT_SHA_FULL} \
BYTELYST_BRANCH=${BYTELYST_BRANCH} \
BYTELYST_BUILT_AT=${BYTELYST_BUILT_AT} \
BYTELYST_COMMIT_AUTHOR=${BYTELYST_COMMIT_AUTHOR} \
BYTELYST_COMMIT_MESSAGE=${BYTELYST_COMMIT_MESSAGE} \
BYTELYST_DOCKER_IMAGE=${BYTELYST_DOCKER_IMAGE}
WORKDIR /app/backend
RUN pnpm run build
# Carve out a production-only deploy bundle (node_modules without devDeps).
RUN pnpm --filter "@bytelyst/devops-backend" deploy --prod --legacy /deploy
# --- Stage 2: Run ---
# Use Debian slim (not Alpine) because vm-health-check.sh uses GNU df flags
# (--output=pcent, --output=avail) that BusyBox df does not support.
FROM node:20-slim AS runner
WORKDIR /app/backend
# Install tools needed by the VM management module:
# bash — vm-health-check.sh and vm-cleanup.sh require bash
# docker.io — docker CLI to communicate with the host daemon via socket
# python3 — used in inline python3 -c snippets inside the scripts
RUN apt-get update && apt-get install -y --no-install-recommends \
curl bash docker.io python3 \
&& rm -rf /var/lib/apt/lists/*
# Non-root user setup (Phase 5 P2 mitigation roadmap, item #4).
# The backend doesn't strictly need root — its only privileged action is
# talking to the docker daemon, which group membership covers. We create
# the user + a docker group at a build-arg-configurable GID so the GID
# can match the host's docker group (`getent group docker` on the host).
#
# Default `BACKEND_USER=root` keeps the current behaviour so existing
# deployments don't break. Set `BACKEND_USER=app` to run non-root; this
# requires the bind-mounted log files in `/var/log/vm-*.log` and
# `/var/log/docker-watchdog.log` to be group-readable+writable by the
# matching docker GID (or world-readable for read-only paths). See
# `dashboard/DEPLOYMENT.md` Privilege Surface → "Running non-root".
ARG BACKEND_USER=root
ARG DOCKER_GID=999
# `docker.io` in debian:bookworm-slim creates a `docker` group at a
# distro-chosen GID (commonly 101). Reconcile it to ${DOCKER_GID} so the
# in-container group matches the host's docker GID. If no `docker` group
# exists yet, create one at ${DOCKER_GID}.
RUN if getent group docker >/dev/null; then \
groupmod --gid "${DOCKER_GID}" docker; \
else \
groupadd --system --gid "${DOCKER_GID}" docker; \
fi \
&& useradd --system --create-home --uid 1001 --gid "${DOCKER_GID}" --shell /sbin/nologin app \
&& chown -R app:"${DOCKER_GID}" /app
# Bring in the deploy bundle (package.json, prod node_modules) and compiled JS.
COPY --from=builder --chown=app:${DOCKER_GID} /deploy/package.json ./package.json
COPY --from=builder --chown=app:${DOCKER_GID} /deploy/node_modules ./node_modules
COPY --from=builder --chown=app:${DOCKER_GID} /app/backend/dist ./dist
ENV NODE_ENV=production
ENV PORT=4004
EXPOSE 4004
# Switch to non-root only when explicitly opted in via build arg. If the
# arg is `app`, the next two layers actually drop privileges; if `root`,
# they're a no-op.
USER ${BACKEND_USER}
CMD ["node", "dist/server.js"]
Reference in New Issue View Git Blame Copy Permalink