Conversation

@depsir
Contributor

@depsir depsir commented May 26, 2019

I created a first draft of the Dockerfile, inspired by the go-analyzer, having in mind the guidelines of automated-mentoring-support.
This PR is intended to fix #7

Some info about the choices made:

  • node version: lts
  • decided to run the analyzer as an unprivileged user
  • apk update to make the build with the latest dependencies and security fixes
  • two phase build, copying node_modules after yarn install --prod, to keep only runtime needed dependencies
  • Added certificates because it couldn't be bad
  • I changed /bin/bash to /bin/sh in the analyze.sh file since bash is not present in linux-alpine; probably it could be #!/usr/bin/env sh

Member

@SleeplessByte SleeplessByte left a comment

node version

LTS please 💯

go version had certificates, user and stuff. are they needed for something?

@tehsphinx might have more on that, but in general it is probably a good thing to add a special user (such as deploy or analyzer-user) that will have execution rights to node and whatnot. The certificates, I think, are to make sure the certificates are in sync given:

COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=builder /etc/passwd /etc/passwd

should I apk update?

Let's ask @ErikSchierboom and @tehsphinx

the two phase build should help keep the final image small, so I wanted to copy only bin and dist. I had to copy node_modules too since the shell script needs the module esm. This could be fixed by copying only that module, or by creating an ad hoc package.json just to set up the final image (or we can just keep the build image as the final image)

You may vendor package esm. Preferably by:

  • add it to devDependencies and NOT dependencies
  • copy it from node_modules during build / package

I changed /bin/bash to /bin/sh in the analyze.sh file since bash is not present in linux-alpine

Fine with me!

@ErikSchierboom
Member

Let's ask @ErikSchierboom

What exactly is the question? (sorry for not understanding)

@NobbZ
Member

NobbZ commented May 27, 2019

What exactly is the question? (sorry for not understanding)

I think it is whether one should do an apk update in the containers.

Personally I do not think it's necessary. We can and should assume that FROM alpine:latest already produces a base image that is current (enough); honestly, it contains so few base packages that there usually is not much to update…

The index, which was the main reason for doing apk update in the "old days", is nowadays updated in memory when doing apk add --no-cache.

Doing apk update wrong might cause additional disk space to be needed by the image.

@SleeplessByte
Member

@NobbZ thank you for your elaborate answer and yes @ErikSchierboom what he said was the question!

Dockerfile Outdated

# Create appuser
#RUN adduser -D -g '' appuser && mkdir /go-analyzer
RUN mkdir /javascript-analyzer

Since the WORKDIR command is used later, the RUN mkdir can be removed - WORKDIR creates the directory if it does not exist

@@ -1,4 +1,4 @@
#!/bin/bash
#!/bin/sh
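Review bot: Switching the shebang to /bin/sh means analyze.sh now runs under BusyBox ash on the Alpine image rather than bash, so any bash-only constructs in the script body (`[[ ]]`, arrays, `${var//...}` substitutions) would fail at run time even though the shebang change itself is correct; worth a pass over the script with a POSIX shell checker, and if the shebang is made `#!/usr/bin/env sh` as suggested, the same constraint applies.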

@ZapAnton ZapAnton May 27, 2019

To make the script more cross-platform, perhaps the #!/usr/bin/env sh could be used here?

Member

@SleeplessByte SleeplessByte May 27, 2019

Checked on my machine, no problems with passing several arguments to the script - $1 and $2 work as intended

Plus I am using the #!/usr/bin/env sh in my Docker image, and it works there as well

@@ -0,0 +1,3 @@
test
dist
node_modules
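Review bot: `.git` is absent from this list while the Dockerfile does `COPY . /javascript-analyzer`, so the full repository history lands in the builder stage and every local commit invalidates that layer's cache; adding `.git` here fixes both. Excluding `dist` and `node_modules` is right, since both are produced inside the builder, but any other local-only files in the checkout (editor directories, local env files) will also be copied unless listed.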

Since the git commands are not used in the Dockerfile, it would make sense to add the .git directory here.
This way the Docker cache will not be invalidated when the git commands are run on the developer machine

Dockerfile Outdated
COPY --from=builder /javascript-analyzer/bin /opt/analyzer/bin
COPY --from=builder /javascript-analyzer/dist /opt/analyzer/dist
COPY --from=builder /javascript-analyzer/node_modules /opt/analyzer/node_modules
RUN chmod +x /opt/analyzer/bin/analyze.sh

If storing executable scripts is OK for you, the chmod could be run on the repository file.
Docker saves the file permissions when they are copied.
Then this line can be removed.

Member

This can be removed @depsir . This was fixed (#1)

Dockerfile Outdated
WORKDIR /javascript-analyzer

# get the rest of the source code
COPY . /javascript-analyzer

This can be simplified to COPY . . since you are already in the javascript-analyzer directory because of the previous WORKDIR command.

@tehsphinx
Member

About the certificates and the user:
I'm not a docker security expert but every time I see some example about a secure Go container from scratch it creates a user and adds certificates. So basically it is about running as a pretty much unprivileged user.

@tehsphinx
Member

tehsphinx commented May 27, 2019

About apk update: Probably both are fine:

  • Doing apk update AND using a 2 step build for the container (then it does not affect image size)
  • Leaving apk update out

Again: security. If we leave it out the builds are dependent on the underlying container to bring in security updates regularly.

@SleeplessByte
Member

I personally prefer to do the apk update then, @depsir

@ErikSchierboom
Member

Regarding the apk update, I'm generally in favor of updating all dependencies where possible.

@SleeplessByte
Member

About the certificates and the user:
I'm not a docker security expert but every time I see some example about a secure Go container from scratch it creates a user and adds certificates. So basically it is about running as a pretty much unprivileged user.

@depsir per this, can we also add the certificates :) ?
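The following Dockerfile is an added example, not the Dockerfile from this PR or from the exercism project. It pulls together the points raised across the thread: depsir's two-phase build and unprivileged user, NobbZ's note that apk add --no-cache refreshes the index without a separate apk update, tehsphinx's preference for doing the package update inside a two-step build, SleeplessByte's request for certificates, and ZapAnton's review points (WORKDIR creates the directory, COPY . ., keeping the execute bit in the repository instead of a chmod). The user name analyzer, a build script in package.json that writes dist/, and esm being listed under dependencies are assumptions; the paths follow the snippets quoted in the review.

```dockerfile
# Added example, not the Dockerfile from this PR. It combines the choices
# discussed in the thread: multi-stage build, unprivileged runtime user,
# CA certificates, package updates that stay out of the shipped layers.
# Assumptions: the user name "analyzer", a "build" script in package.json
# that writes dist/, and "esm" listed under dependencies (so it survives
# --production). Paths follow the snippets quoted in the review.

# ---- stage 1: build with the full toolchain and devDependencies -------------
FROM node:lts-alpine AS builder

# --no-cache fetches a fresh index without writing it into the layer,
# so a separate "apk update" step is not needed; upgrade pulls current fixes.
RUN apk add --no-cache ca-certificates && apk upgrade --no-cache

# WORKDIR creates the directory, so no separate "RUN mkdir" is needed
WORKDIR /javascript-analyzer

# Dependencies first: this layer is reused while only source files change
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile

# Everything .dockerignore does not exclude (test, dist, node_modules, .git)
COPY . .
RUN yarn build

# Prune devDependencies so node_modules holds only runtime modules
RUN yarn install --frozen-lockfile --production

# ---- stage 2: runtime image, no compiler, no tests, no dev tooling ----------
FROM node:lts-alpine

# Same update step here: this is the stage that actually ships, and
# --no-cache keeps the index out of the image. The runtime user gets no
# password (-D) and an empty GECOS field, as in the go-analyzer image.
RUN apk add --no-cache ca-certificates && apk upgrade --no-cache \
    && adduser -D -g '' analyzer

# Only the runtime artifacts. COPY keeps the files owned by root and
# preserves the mode from the builder, so if bin/analyze.sh is committed
# with its execute bit set, no chmod is needed. The analyzer user can
# read and execute these files but cannot modify them.
COPY --from=builder /javascript-analyzer/bin          /opt/analyzer/bin
COPY --from=builder /javascript-analyzer/dist         /opt/analyzer/dist
COPY --from=builder /javascript-analyzer/node_modules /opt/analyzer/node_modules

# Everything after this line runs without root privileges
WORKDIR /opt/analyzer
USER analyzer
ENTRYPOINT ["/opt/analyzer/bin/analyze.sh"]
```

Two design notes. Copying /etc/ssl/certs/ca-certificates.crt and /etc/passwd from the builder, as the go-analyzer does, is what a FROM scratch image needs because it has no package manager and no user database; a Node runtime needs a full Alpine base anyway, so here the runtime stage installs the certificates and creates the user itself, and the two stages never disagree about uids. To confirm the image really drops privileges, run it with the entrypoint overridden (docker run --rm --entrypoint id javascript-analyzer) and check that the reported uid is the analyzer user rather than 0.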

@depsir depsir changed the title [WIP] Add dockerfile for automated mentoring support Add dockerfile for automated mentoring support May 29, 2019
Member

@SleeplessByte SleeplessByte left a comment

I've added suggestions inline which I'll apply -- let's see if this flies. Amazing work @depsir 🚀 🚀 🚀

@SleeplessByte SleeplessByte merged commit cc01436 into exercism:master May 30, 2019
SleeplessByte added a commit to exercism/typescript-analyzer that referenced this pull request Jun 4, 2019
* Create CODE_OF_CONDUCT (originally @SleeplessByte exercism/javascript-analyzer#5)

* Add dockerfile for automated mentoring support (originally @depsir exercism/javascript-analyzer#12)

* Initial smoke for usage of jest (originally: @SleeplessByte exercism/javascript-analyzer#17)

* Apply design and proper interface and structure (originally: @SleeplessByte exercism/javascript-analyzer#18)

* Fixes issues in the README.md (originally: @zeckdude exercism/javascript-analyzer#19)