👷 Node.js production container pro tips: CNDO #43


A production quality and security checklist for using Node.js in containers with Docker and Kubernetes.

😍 Thanks to today's sponsor, CAST AI! CAST AI is an all-in-one Kubernetes cost optimization and automation platform that achieves over 60% average compute cost savings without months of onboarding. You get lightning-fast autoscaling, downscaling, spot VM support and more with no hit to performance.

Use the link below and optimize your first cluster for FREE. cast.ai/bretfisher

πŸ—“οΈ What's new this week

🔴 Live show: Cloud Native DevOps Q&A (Ep 244)

We're doing 100% ask-me-anything this week! Nirmal and I will focus on your cloud native DevOps questions. Containerization, orchestration, automation, infrastructure, and more.


πŸ‘¨β€πŸ’» Node.js production container best practices, a checklist βœ…βœ…βœ…

This list is based on my DockerCon talks on Node.js, but the practices apply to any language or framework image.

After more than a decade of production Node.js use, and most of that using it with Docker, I have some suggestions for you. These are also detailed throughout the repo README at github.com/BretFisher/nodejs-rocks-in-docker

🐳 Dockerfile

  • If using the official image, only use the slim variant. Be careful with alpine: it's only experimental. Chainguard images are great and my new go-to
  • .dockerignore includes all .gitignore + node_modules
  • USER node (USER <ID> is better for K8s)
  • ENTRYPOINT tini
  • CMD node directly, don't use npm/pm2/forever here
  • HEALTHCHECK if Docker Engine is used, even in dev
  • RUN npm ci --omit=dev so you don't include dev dependencies

πŸ‘©β€πŸ’» Source code

  • Capture SIGTERM and SIGINT
  • Track HTTP connections, send FIN on shutdown
  • If file I/O is needed, check for correct dir/file perms on startup
  • If listening on HTTP, provide a common health endpoint
  • If no listening port, write health to file. Status sidecar optional

⎈ Kubernetes Pod

  • Start with my podspec github.com/bretfisher/podspec
  • Include readiness and (maybe) liveness probes
    • Be sure to use tini with exec probes
  • Set terminationGracePeriodSeconds for HTTP listeners
  • Disable allowPrivilegeEscalation and privileged
  • Enable runAsUser, runAsGroup, and runAsNonRoot
  • Set seccompProfile to type: RuntimeDefault
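An added example (not the newsletter's code and not from the podspec repo) that turns the Pod checklist above into an automated check: a lint function over a pod manifest object, run against two constructed pods, one bare and one with the checklist applied. The field names are standard Kubernetes pod spec fields; the pod names, image reference, port and probe paths are made up for this example. Liveness is reported as a warning rather than an error because the checklist calls it optional.

```javascript
// Added example: lint a Kubernetes Pod object against the checklist above.
// Not code from the newsletter or from github.com/bretfisher/podspec.

// Container-level securityContext keys override pod-level ones, so merge
// them to get the settings a container actually runs with.
function effectiveSecurityContext(pod, container) {
  const podLevel = (pod.spec && pod.spec.securityContext) || {};
  return { ...podLevel, ...(container.securityContext || {}) };
}

// Returns a list of { level, message } findings; an empty list means the
// manifest satisfies every item on the checklist.
function checkPodSpec(pod) {
  const findings = [];
  const spec = pod.spec || {};
  const podName = (pod.metadata && pod.metadata.name) || '<unnamed>';
  const add = (level, message) => findings.push({ level, message });

  // HTTP listeners need time to drain; the 30s default is easy to exceed.
  if (spec.terminationGracePeriodSeconds === undefined) {
    add('error', `${podName}: terminationGracePeriodSeconds is not set`);
  }

  for (const container of spec.containers || []) {
    const where = `${podName}/${container.name}`;
    const sc = effectiveSecurityContext(pod, container);

    if (!container.readinessProbe) add('error', `${where}: readinessProbe missing`);
    if (!container.livenessProbe) add('warn', `${where}: livenessProbe missing (optional)`);

    // Kubernetes leaves privilege escalation allowed unless it is disabled explicitly.
    if (sc.allowPrivilegeEscalation !== false) add('error', `${where}: allowPrivilegeEscalation must be false`);
    if (sc.privileged === true) add('error', `${where}: privileged must not be true`);
    if (sc.runAsNonRoot !== true) add('error', `${where}: runAsNonRoot must be true`);
    if (!sc.runAsUser) add('error', `${where}: runAsUser must be a non-zero UID`);
    if (!sc.runAsGroup) add('error', `${where}: runAsGroup must be a non-zero GID`);
    const seccomp = sc.seccompProfile || {};
    if (seccomp.type !== 'RuntimeDefault') add('error', `${where}: seccompProfile.type should be RuntimeDefault`);
  }
  return findings;
}

function summarize(findings) {
  return {
    errors: findings.filter((f) => f.level === 'error').length,
    warnings: findings.filter((f) => f.level === 'warn').length,
  };
}

// Constructed sample: a bare pod with none of the checklist applied.
const weakPod = {
  apiVersion: 'v1', kind: 'Pod',
  metadata: { name: 'api-weak' },
  spec: { containers: [{ name: 'api', image: 'example.invalid/api:1.0.0', ports: [{ containerPort: 3000 }] }] },
};

// Constructed sample: the same pod with the checklist applied.
const hardenedPod = {
  apiVersion: 'v1', kind: 'Pod',
  metadata: { name: 'api-hardened' },
  spec: {
    terminationGracePeriodSeconds: 60,
    securityContext: {
      runAsUser: 1000, runAsGroup: 1000, runAsNonRoot: true,
      seccompProfile: { type: 'RuntimeDefault' },
    },
    containers: [{
      name: 'api', image: 'example.invalid/api:1.0.0', ports: [{ containerPort: 3000 }],
      securityContext: { allowPrivilegeEscalation: false, privileged: false },
      readinessProbe: { httpGet: { path: '/healthz', port: 3000 }, periodSeconds: 5 },
      livenessProbe: { httpGet: { path: '/healthz', port: 3000 }, periodSeconds: 15 },
    }],
  },
};

for (const pod of [weakPod, hardenedPod]) {
  const findings = checkPodSpec(pod);
  console.log(`${pod.metadata.name}:`, summarize(findings));
  for (const f of findings) console.log(`  [${f.level}] ${f.message}`);
}
```

To run this over real manifests, parse the YAML into an object first (any YAML library will do) and feed each Pod, or the pod template inside a Deployment, to checkPodSpec. The same rules are the ones you would encode in an admission policy so a manifest that fails them never reaches the cluster.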

👀 In case you missed last week's newsletter

Did you miss last week's newsletter? Read it here.