fix(PROJECT): update Dockerfile

.env.local

@@ -6,6 +6,6 @@ ENV_ACCOUNT_ID=000000000000
 # this will be the folder where the report tempates will be stored
 FS_STORE_AWS_S3_PERSISTENCE_PREFIX=testReports
 
-FS_AUTHENTICATION_ENABLED=true
-FS_AUTHENTICATION_ADMIN_USERNAME=admin
-FS_AUTHENCATION_ADMIN_PASSWORD=password
+AUTHENTICATION_ENABLED=true
+AUTHENTICATION_ADMIN_USERNAME=admin
+AUTHENCATION_ADMIN_PASSWORD=password

functions/ImageServer/Dockerfile

@@ -1,11 +1,107 @@
-FROM --platform=linux/amd64 node:lts-alpine
-
+FROM --platform=linux/amd64 node:18.20-alpine3.19
 EXPOSE 5488
+USER root
+ARG TARGETPLATFORM
+ARG UID=2500
+ARG GID=2500
+
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+  \
+  apk add --no-cache --virtual .gosu-deps \
+  ca-certificates \
+  dpkg \
+  gnupg \
+  ; \
+  \
+  dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+  wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+  wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+  \
+  # verify the signature
+  export GNUPGHOME="$(mktemp -d)"; \
+  gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+  command -v gpgconf && gpgconf --kill all || :; \
+  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+  \
+  # clean up fetch dependencies
+  apk del --no-network .gosu-deps; \
+  \
+  chmod +x /usr/local/bin/gosu; \
+  # verify that the binary works
+  gosu --version; \
+  gosu nobody true
+
+RUN addgroup -g "${GID}" -S jsreport && adduser --shell /bin/bash -u "${UID}" -S -G jsreport jsreport
+
+# this condition is useful when the alpine registry contain different latest versions
+# per architecture, if the versions match then just use the same version number on both paths
+RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
+  export CHROMIUM_TO_INSTALL_VERSION="124.0.6367.78-r0"; \
+  elif [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
+  export CHROMIUM_TO_INSTALL_VERSION="126.0.6478.61-r0"; \
+  fi && \
+  echo "Installing Chromium $CHROMIUM_TO_INSTALL_VERSION version.." && \
+  apk update --no-cache && \
+  echo @edge http://dl-cdn.alpinelinux.org/alpine/v3.19/community >> /etc/apk/repositories && \
+  echo @edge http://nl.alpinelinux.org/alpine/edge/community >> /etc/apk/repositories && \
+  echo @edge http://nl.alpinelinux.org/alpine/edge/main >> /etc/apk/repositories && \
+  apk add --no-cache \
+  libstdc++@edge \
+  chromium@edge=$CHROMIUM_TO_INSTALL_VERSION \
+  nss \
+  freetype \
+  harfbuzz \
+  ttf-freefont@edge \
+  # just for now as we npm install from git
+  libcurl@edge=8.8.0-r0 \
+  git@edge=2.45.2-r1 \
+  # so user can docker exec -it test /bin/bash
+  bash
+
+RUN rm -rf /var/cache/apk/* /tmp/*
+
+RUN mkdir -p /app
+
+# we need to create the volume and give it expected owner
+# before the VOLUME step in order for the volume to be created with non-root user
+RUN mkdir /jsreport
+RUN chown jsreport:jsreport /jsreport
+RUN chmod g+s /jsreport
 
-WORKDIR /srv
+VOLUME ["/jsreport"]
 
-COPY . /srv
+ENV NPM_CONFIG_PREFIX /home/jsreport/.npm-global
+ENV PATH $PATH:/home/jsreport/.npm-global/bin
 
+WORKDIR /app
+
+ENV PUPPETEER_SKIP_DOWNLOAD true
+
+RUN npm install -g npm
+# ====== COMMENT THIS WHEN CHECKING trivy audit ======
+RUN npm i -g @jsreport/jsreport-cli
+RUN jsreport init
+# =====================================================
+
+# ====== UNCOMMENT THIS WHEN CHECKING trivy audit ======
+# trivy checks should be done with this image default/Dockerfile,
+# because it does not add the whole yarn workspace
+# (which makes it report vulnerabilities for other packages in the workspace that are not relevant here)
+# (we need to build with latest package.json in workspace)
+COPY . .
 RUN npm install
+# =====================================================
+
+RUN npm cache clean -f && rm -rf /tmp/*
+
+RUN chown -R jsreport:jsreport /app
+USER jsreport:jsreport
+
+ENV chrome_launchOptions_executablePath /usr/lib/chromium/chrome
+ENV chrome_launchOptions_args --no-sandbox,--disable-dev-shm-usage
+
+RUN ls
 
-CMD [ "node", "server.js" ]
+CMD ["bash", "run.sh"]