Run apps inside Docker containers #377
Description
Is your feature request related to a problem? Please describe.
Running the apps without proper isolation could lead to security issues and data leaks. Currently, the apps are managed using pm2 and they are executed without any isolation.
Describe the solution you'd like
Run each domain app in a separate Docker container, achieving file system and network isolation.
This can be done by running Docker commands on a shell using exec or with a library like dockerode which uses the Docker API.
What's needed:
- Install and setup docker in
setup.sh(is this needed?). - Start the apps using a Docker container instead of
pm2when the user pushes a new commit.- Bind the correct port for the domain to the container.
- Pass the domain port as a environment variable to the container.
- Bind the domain directory to a folder inside the container.
- Start the app inside the container (running with
node ., needs to setmaininsidepackage.json).
- Get the logs (stdout and stderr) from the container (redirect to a file or get through Docker API when requested?).
- Get existing containers list and status (running or stopped).
- Stop and delete the container when domain is deleted.
Describe alternatives you've considered
Running each app as a different user with specific permissions only for the domain directory.
- this could lead towards more confusion involving user and permissions management in the server.
- this would start a new
pm2daemon for each user, which is not efficient.
References
Docker Installation Guide on Ubuntu
Docker Engine API Reference
Docker and Node.js Best Practices