Node.js production container pro tips: CNDO #43
Thanks to today's sponsor, CAST AI! CAST AI is an all-in-one Kubernetes cost optimization and automation platform that achieves over 60% average compute cost savings without months of onboarding. You get lightning fast autoscaling, downscaling, spot VM support and more with no hit to performance.
Use the link below and optimize your first cluster for FREE. cast.ai/bretfisher
Cloud Native DevOps education. Bestselling courses, live streams, and podcasts on DevOps and containers, from a Docker Captain.
What's new this week
Live show: Cloud Native DevOps Q&A (Ep 244)
We're doing 100% ask-me-anything this week! Nirmal and I will focus on your cloud native DevOps questions. Containerization, orchestration, automation, infrastructure, and more.
Node.js production container best practices, a checklist
This list is based on my DockerCon talks on Node.js, and it can be applied to any language/framework image.
After more than a decade of production Node.js use, and most of that using it with Docker, I have some suggestions for you. These are also detailed throughout the repo README at github.com/BretFisher/nodejs-rocks-in-docker
Dockerfile
- If using the official image, only use slim. Be careful of alpine, it's only experimental. Chainguard images are great and my new go-to.
- `.dockerignore` includes all of `.gitignore` + `node_modules`
- `USER node` (`USER <ID>` is better for K8s)
- `ENTRYPOINT tini`
- `CMD node` directly, don't use npm/pm2/forever here
- `HEALTHCHECK` if Docker Engine is used, even in dev
- `RUN npm ci --omit dev` so you don't include dev dependencies
Source code
- Capture `SIGTERM` and `SIGINT`
- Track HTTP connections, send FIN on shutdown
- If file I/O is needed, check for correct dir/file perms on startup
- If listening on HTTP, provide a common health endpoint
- If no listening port, write health to file. Status sidecar optional
Kubernetes Pod
- Start with my podspec github.com/bretfisher/podspec
- Include readiness and (maybe) liveness probes
- Be sure to use tini with exec probes
- Set `terminationGracePeriodSeconds` for HTTP listeners
- Disable `allowPrivilegeEscalation` and `privileged`
- Enable `runAsUser`, `runAsGroup`, and `runAsNonRoot`
- Set `seccompProfile` to `type: RuntimeDefault`