rede5/saveinmed
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: optimize Dockerfiles with multi-stage builds and caching

Browse source 
- Backend (Go): Use scratch image (~5MB), add build cache for modules
- Backoffice (NestJS): Add pnpm cache, alpine image, fix Prisma client copy
- BFF (Python): Add multi-stage with virtualenv, pip cache, optimized env vars
- All: Add non-root users for security
This commit is contained in:
Tiago Yamamoto 2025-12-18 17:28:52 -03:00
parent a1a65ab831
commit 851dd4f265
3 changed files with 99 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
backend/Dockerfile
View file

@ -1,18 +1,41 @@
# syntax=docker/dockerfile:1 # syntax=docker/dockerfile:1
FROM golang:1.24 AS builder
WORKDIR /app
# ===== STAGE 1: Build =====
FROM golang:1.24-alpine AS builder
# Instala certificados SSL para HTTPS
RUN apk add --no-cache ca-certificates tzdata
WORKDIR /build
# Cache de dependências - só rebuild se go.mod/go.sum mudar
COPY go.mod go.sum ./ COPY go.mod go.sum ./
RUN go mod download RUN --mount=type=cache,target=/go/pkg/mod \
go mod download && go mod verify
# Copia código fonte
COPY . . COPY . .
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w" -o /out/performance-core ./cmd/api # Build otimizado com cache
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
go build -trimpath -ldflags="-s -w -extldflags '-static'" \
-o /app/server ./cmd/api
FROM gcr.io/distroless/base-debian12:nonroot # ===== STAGE 2: Runtime (scratch - imagem mínima ~5MB) =====
WORKDIR /app FROM scratch
COPY --from=builder /out/performance-core /app/performance-core # Certificados SSL e timezone
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
# Binary
COPY --from=builder /app/server /server
# Usuário não-root (UID 65534 = nobody)
USER 65534:65534
EXPOSE 8080 EXPOSE 8080
ENTRYPOINT ["/app/performance-core"]
ENTRYPOINT ["/server"]

44
backoffice/Dockerfile
View file

@ -1,22 +1,44 @@
FROM node:iron-slim AS base # syntax=docker/dockerfile:1
RUN corepack enable
# ===== STAGE 1: Base =====
FROM node:22-alpine AS base
RUN corepack enable && corepack prepare pnpm@latest --activate
WORKDIR /app WORKDIR /app
# ===== STAGE 2: Dependencies =====
FROM base AS deps FROM base AS deps
COPY package.json pnpm-lock.yaml ./ COPY package.json pnpm-lock.yaml ./
RUN pnpm install --frozen-lockfile
# Cache do pnpm store para builds mais rápidas
RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
pnpm install --frozen-lockfile
# ===== STAGE 3: Build =====
FROM deps AS build FROM deps AS build
COPY . . COPY . .
RUN pnpm prisma:generate RUN pnpm prisma:generate && pnpm build
RUN pnpm build
# ===== STAGE 4: Production =====
FROM node:22-alpine AS production
# Cria usuário não-root
RUN addgroup --system --gid 1001 nodejs && \
adduser --system --uid 1001 nestjs
FROM base AS production
ENV NODE_ENV=production
WORKDIR /app WORKDIR /app
COPY package.json pnpm-lock.yaml ./
RUN pnpm install --prod --frozen-lockfile # Copia apenas o necessário para produção
COPY --from=build /app/dist ./dist COPY --from=build --chown=nestjs:nodejs /app/dist ./dist
COPY --from=build /app/prisma ./prisma COPY --from=build --chown=nestjs:nodejs /app/prisma ./prisma
COPY --from=build --chown=nestjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma
COPY --from=build --chown=nestjs:nodejs /app/node_modules/@prisma ./node_modules/@prisma
COPY --from=deps --chown=nestjs:nodejs /app/node_modules ./node_modules
COPY --chown=nestjs:nodejs package.json ./
ENV NODE_ENV=production
USER nestjs
EXPOSE 3000 EXPOSE 3000
CMD ["node", "dist/main.js"] CMD ["node", "dist/main.js"]

43
saveinmed-bff/Dockerfile
View file

@ -1,17 +1,44 @@
FROM python:3.12-slim # syntax=docker/dockerfile:1
# ===== STAGE 1: Builder =====
FROM python:3.12-slim AS builder
WORKDIR /build
# Instala dependências em virtualenv isolado
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY requirements.txt .
# Cache de pip para builds mais rápidas
RUN --mount=type=cache,target=/root/.cache/pip \
pip install --upgrade pip && \
pip install -r requirements.txt
# ===== STAGE 2: Production =====
FROM python:3.12-slim AS production
# Variáveis de ambiente Python otimizadas
ENV PYTHONDONTWRITEBYTECODE=1 \
PYTHONUNBUFFERED=1 \
PATH="/opt/venv/bin:$PATH"
WORKDIR /app WORKDIR /app
COPY requirements.txt /app/requirements.txt # Copia virtualenv do builder
RUN pip install --no-cache-dir -r requirements.txt COPY --from=builder /opt/venv /opt/venv
COPY src /app/src # Copia código fonte
COPY src ./src
# Cria usuário não-root
RUN useradd --system --no-create-home --uid 1001 appuser && \
chown -R appuser:appuser /app
# Opcional: user não-root
RUN useradd -m appuser
USER appuser USER appuser
EXPOSE 8000 EXPOSE 8000
# ✅ apontar para o entrypoint correto # Uvicorn com workers otimizados
CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000"] CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000", "--workers", "1"]