Merge 616ec0b7fb into 09be5d45d5
114
Dockerfile
114
Dockerfile
@ -1,39 +1,109 @@
|
|||||||
FROM node:22-bookworm
|
FROM node:22-bookworm
|
||||||
|
|
||||||
# Install Bun (required for build scripts)
|
# ----------------------------
|
||||||
RUN curl -fsSL https://bun.sh/install | bash
|
# System dependencies
|
||||||
ENV PATH="/root/.bun/bin:${PATH}"
|
# ----------------------------
|
||||||
|
# Note: no golang-go here; Debian's Go is often behind and breaks go.mod "go 1.24.0"
|
||||||
|
RUN apt-get update && \
|
||||||
|
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
|
||||||
|
ca-certificates curl git bash build-essential procps file xz-utils && \
|
||||||
|
apt-get clean && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
RUN corepack enable
|
# ----------------------------
|
||||||
|
# Go (upstream) - pinned, arch-aware
|
||||||
|
# ----------------------------
|
||||||
|
# Keep this pinned for reproducible builds.
|
||||||
|
ARG GO_VERSION=1.24.0
|
||||||
|
RUN set -eux; \
|
||||||
|
arch="$(dpkg --print-architecture)"; \
|
||||||
|
case "$arch" in \
|
||||||
|
amd64) goarch="amd64" ;; \
|
||||||
|
arm64) goarch="arm64" ;; \
|
||||||
|
*) echo "Unsupported architecture: $arch" >&2; exit 1 ;; \
|
||||||
|
esac; \
|
||||||
|
curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-${goarch}.tar.gz" -o /tmp/go.tgz; \
|
||||||
|
rm -rf /usr/local/go; \
|
||||||
|
tar -C /usr/local -xzf /tmp/go.tgz; \
|
||||||
|
rm -f /tmp/go.tgz; \
|
||||||
|
/usr/local/go/bin/go version
|
||||||
|
ENV PATH="/usr/local/go/bin:${PATH}"
|
||||||
|
|
||||||
|
# ----------------------------
|
||||||
|
# Workspace ownership for non-root installs/builds
|
||||||
|
# ----------------------------
|
||||||
|
RUN mkdir -p /app && chown -R node:node /app
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
ARG OPENCLAW_DOCKER_APT_PACKAGES=""
|
# ----------------------------
|
||||||
RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \
|
# pnpm via corepack (must be root to link into /usr/local/bin)
|
||||||
apt-get update && \
|
# ----------------------------
|
||||||
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends $OPENCLAW_DOCKER_APT_PACKAGES && \
|
RUN corepack enable && corepack prepare pnpm@latest --activate
|
||||||
apt-get clean && \
|
|
||||||
rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \
|
|
||||||
fi
|
|
||||||
|
|
||||||
COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
|
# ----------------------------
|
||||||
COPY ui/package.json ./ui/package.json
|
# Bun to stable prefix + shims (/usr/local/bin) for PATH-sanitised subprocesses
|
||||||
COPY patches ./patches
|
# ----------------------------
|
||||||
COPY scripts ./scripts
|
RUN mkdir -p /opt/bun && chown -R node:node /opt/bun
|
||||||
|
USER node
|
||||||
|
ENV HOME=/home/node
|
||||||
|
ENV BUN_INSTALL=/opt/bun
|
||||||
|
RUN curl -fsSL https://bun.sh/install | bash
|
||||||
|
|
||||||
|
USER root
|
||||||
|
RUN ln -sf /opt/bun/bin/bun /usr/local/bin/bun && \
|
||||||
|
ln -sf /opt/bun/bin/bunx /usr/local/bin/bunx
|
||||||
|
|
||||||
|
# ----------------------------
|
||||||
|
# Homebrew (Linux default prefix) + shims
|
||||||
|
# ----------------------------
|
||||||
|
RUN mkdir -p /home/linuxbrew/.linuxbrew && chown -R node:node /home/linuxbrew
|
||||||
|
USER node
|
||||||
|
ENV NONINTERACTIVE=1
|
||||||
|
ENV HOMEBREW_PREFIX=/home/linuxbrew/.linuxbrew
|
||||||
|
|
||||||
|
RUN set -eux; \
|
||||||
|
/bin/bash -lc "curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh | /bin/bash"; \
|
||||||
|
test -f "${HOMEBREW_PREFIX}/Homebrew/Library/Homebrew/brew.sh"; \
|
||||||
|
ln -sfn "${HOMEBREW_PREFIX}/Homebrew/Library" "${HOMEBREW_PREFIX}/Library"; \
|
||||||
|
"${HOMEBREW_PREFIX}/bin/brew" --version
|
||||||
|
|
||||||
|
USER root
|
||||||
|
RUN ln -sf /home/linuxbrew/.linuxbrew/bin/brew /usr/local/bin/brew && \
|
||||||
|
/usr/local/bin/brew --version
|
||||||
|
|
||||||
|
# Also expose brew on PATH (helpful for interactive shells; shims cover sanitised PATH)
|
||||||
|
ENV PATH="/home/linuxbrew/.linuxbrew/bin:/home/linuxbrew/.linuxbrew/sbin:${PATH}"
|
||||||
|
|
||||||
|
# ----------------------------
|
||||||
|
# pnpm global bin dir (stable)
|
||||||
|
# ----------------------------
|
||||||
|
ENV PNPM_HOME=/usr/local/share/pnpm
|
||||||
|
ENV PATH="${PNPM_HOME}:${PATH}"
|
||||||
|
RUN mkdir -p "${PNPM_HOME}" && chown -R node:node "${PNPM_HOME}"
|
||||||
|
|
||||||
|
USER node
|
||||||
|
RUN pnpm config set global-bin-dir "${PNPM_HOME}"
|
||||||
|
|
||||||
|
# ----------------------------
|
||||||
|
# Dependencies install (cache-friendly)
|
||||||
|
# ----------------------------
|
||||||
|
WORKDIR /app
|
||||||
|
COPY --chown=node:node package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./
|
||||||
|
COPY --chown=node:node ui/package.json ./ui/package.json
|
||||||
|
COPY --chown=node:node patches ./patches
|
||||||
|
COPY --chown=node:node scripts ./scripts
|
||||||
|
|
||||||
RUN pnpm install --frozen-lockfile
|
RUN pnpm install --frozen-lockfile
|
||||||
|
|
||||||
COPY . .
|
# ----------------------------
|
||||||
|
# Build
|
||||||
|
# ----------------------------
|
||||||
|
COPY --chown=node:node . .
|
||||||
RUN OPENCLAW_A2UI_SKIP_MISSING=1 pnpm build
|
RUN OPENCLAW_A2UI_SKIP_MISSING=1 pnpm build
|
||||||
# Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
|
|
||||||
ENV OPENCLAW_PREFER_PNPM=1
|
ENV OPENCLAW_PREFER_PNPM=1
|
||||||
|
RUN pnpm ui:install
|
||||||
RUN pnpm ui:build
|
RUN pnpm ui:build
|
||||||
|
|
||||||
ENV NODE_ENV=production
|
ENV NODE_ENV=production
|
||||||
|
|
||||||
# Security hardening: Run as non-root user
|
|
||||||
# The node:22-bookworm image includes a 'node' user (uid 1000)
|
|
||||||
# This reduces the attack surface by preventing container escape via root privileges
|
|
||||||
USER node
|
|
||||||
|
|
||||||
CMD ["node", "dist/index.js"]
|
CMD ["node", "dist/index.js"]
|
||||||
|
|||||||
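Review bot: The Go tarball fetched in the `RUN set -eux` block is pinned by version only; `curl` from go.dev feeds `tar -C /usr/local` with no integrity check, so a tampered or truncated download is installed silently and the "Keep this pinned for reproducible builds" comment above `ARG GO_VERSION` is not actually enforced. Carry the published sha256 per architecture in the `case` arms and verify before extracting, as sketched below (fill the placeholders from the go.dev download page; a GO_VERSION bump then fails loudly until the hashes are updated). The same class of issue applies to the unpinned `curl -fsSL https://bun.sh/install | bash`, the Homebrew installer fetched from `HEAD`, and `corepack prepare pnpm@latest --activate`: each pulls whatever is current at build time, so two builds of the same commit can differ and none verifies what it runs; pin them to a release (the bun installer takes a version argument via `bash -s "bun-v<version>"`, the brew script a tagged ref instead of `HEAD`, pnpm `pnpm@<version>`). Separately, `build-essential`, `procps` and the Go toolchain stay in the runtime image since there is no build stage, and `ENV NONINTERACTIVE=1` is baked into the runtime environment although it is only a Homebrew install-time setting.
```dockerfile
RUN set -eux; \
  arch="$(dpkg --print-architecture)"; \
  case "$arch" in \
    amd64) goarch="amd64"; gosha="<SHA256_PLACEHOLDER_go${GO_VERSION}.linux-amd64.tar.gz>" ;; \
    arm64) goarch="arm64"; gosha="<SHA256_PLACEHOLDER_go${GO_VERSION}.linux-arm64.tar.gz>" ;; \
    *) echo "Unsupported architecture: $arch" >&2; exit 1 ;; \
  esac; \
  curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-${goarch}.tar.gz" -o /tmp/go.tgz; \
  echo "${gosha}  /tmp/go.tgz" | sha256sum -c -; \
  # … unchanged: rm -rf /usr/local/go; tar extract; rm /tmp/go.tgz; go version …
```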