perf(Docker images): production images are based on distroless (#899)

- perf(server, webhook-service): production images are based on distroless

Reduces image file size by >40% for images which can use distroless base image.  As
well as improving boot-up & restart time (via smaller download & load size), Distroless reduces the
attack surface area by removing almost all binaries & packages (e.g. shell, chown) that are not
necessary to run node.

- ensures distroless node images run tini
- removes fonts-dejavu-core and fontconfig from speckle-server
- Remove man and doc files if they exist
- args hoisted to top of Dockerfile and consolidated
- env vars consolidated to prevent additional layers

address https://github.com/specklesystems/speckle-server/issues/883

packages/fileimport-service/Dockerfile

@@ -1,33 +1,55 @@
-FROM node:16.15-bullseye-slim as node
-
-RUN apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y \
-  --no-install-recommends \
-  python3=3.9.2-3 \
-  python3-pip=20.3.4-4+deb11u1 \
-  tini=0.19.0-1 \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.8.0/wait /wait
-RUN chmod +x /wait
-
 ARG NODE_ENV=production
-ENV NODE_ENV=${NODE_ENV}
+
+FROM node:16.15-bullseye-slim as build-stage
 
 WORKDIR /speckle-server
 
+# add wait
+ENV WAIT_VERSION 2.8.0
+ADD https://github.com/ufoscout/docker-compose-wait/releases/download/${WAIT_VERSION}/wait ./wait
+RUN chmod +x ./wait
+
+# Add tini
+ENV TINI_VERSION v0.19.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini ./tini
+RUN chmod +x ./tini
+
+# Add python virtual env
+WORKDIR /venv
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install \
+    --no-install-suggests --no-install-recommends --yes \
+    python3-venv=3.9.2-3 && \
+    python3 -m venv /venv
+
+# pip install
+COPY packages/fileimport-service/requirements.txt /requirements.txt
+RUN /venv/bin/pip install --disable-pip-version-check --requirement /requirements.txt
+
+# yarn install
+WORKDIR /speckle-server
+ENV NODE_ENV=${NODE_ENV}
 COPY .yarnrc.yml .
 COPY .yarn ./.yarn
 COPY package.json yarn.lock ./
 
 WORKDIR /speckle-server/packages/fileimport-service
-COPY packages/fileimport-service/package.json ./
+COPY packages/fileimport-service/package.json .
 RUN yarn workspaces focus --production
 
-COPY packages/fileimport-service/requirements.txt ./
-RUN pip install --no-cache-dir -r requirements.txt
+FROM gcr.io/distroless/nodejs:16 as production-stage
 
+WORKDIR /speckle-server/packages/fileimport-service
 COPY packages/fileimport-service .
+COPY --from=build-stage /speckle-server/wait /wait
+COPY --from=build-stage /speckle-server/tini /tini
+COPY --from=build-stage /venv /venv
+COPY --from=build-stage /speckle-server/node_modules/ ./node_modules/
 
-CMD ["yarn", "node", "src/daemon.js"]
+# Prefixing PATH with our virtual environment should seek required binaries
+# from virtual environment first.
+# Unsetting python home
+ENV PATH=/venv/bin:${PATH}, \
+    PYTHONHOME=
+
+ENTRYPOINT ["/tini", "--", "/nodejs/bin/node", "src/daemon.js"]

packages/frontend/Dockerfile

@@ -1,10 +1,9 @@
 # NOTE: Docker context should be set to git root directory, to include the viewer
+ARG SPECKLE_SERVER_VERSION=custom
 
 # build stage
 FROM node:16.15-bullseye-slim as build-stage
-ARG SPECKLE_SERVER_VERSION=custom
  
-
 WORKDIR /speckle-server
 COPY .yarnrc.yml .
 COPY .yarn ./.yarn

packages/preview-service/Dockerfile

@@ -1,19 +1,23 @@
 # NOTE: Docker context should be set to git root directory, to include the viewer
-
+ARG NODE_ENV=production
 
 # build stage
 FROM node:16.15-buster-slim as build-stage
 
-ARG NODE_ENV=production
 ENV NODE_ENV=${NODE_ENV}
 
-
 WORKDIR /speckle-server
+
+# install wait
+ENV WAIT_VERSION 2.8.0
+ADD https://github.com/ufoscout/docker-compose-wait/releases/download/${WAIT_VERSION}/wait ./wait
+RUN chmod +x ./wait
+
 COPY .yarnrc.yml .
 COPY .yarn ./.yarn
 COPY package.json yarn.lock ./
 
-# Onyl copy in the relevant package.json files for the dependencies
+# Only copy in the relevant package.json files for the dependencies
 COPY packages/preview-service/package.json ./packages/preview-service/
 COPY packages/viewer/package.json ./packages/viewer/
 COPY packages/objectloader/package.json ./packages/objectloader/
@@ -28,8 +32,6 @@ COPY packages/preview-service ./packages/preview-service/
 # This way the foreach only builds the frontend and its deps
 RUN yarn workspaces foreach -pt run build
 
-
-
 FROM node:16.15-bullseye-slim as node
 
 RUN apt-get update && \
@@ -66,10 +68,8 @@ RUN apt-get update && \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/*
 
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.8.0/wait /wait
-RUN chmod +x /wait
+COPY --from=build-stage /speckle-server/wait /wait
 
-ARG NODE_ENV=production
 ENV NODE_ENV=${NODE_ENV}
 
 WORKDIR /speckle-server
@@ -89,5 +89,4 @@ COPY --from=build-stage /speckle-server/packages/preview-service ./preview-servi
 WORKDIR /speckle-server/packages/preview-service
 RUN yarn workspaces focus --production
 
-ENTRYPOINT [ "tini", "--" ]
-CMD ["yarn", "node", "bin/www"]
+ENTRYPOINT [ "tini", "--", "node", "bin/www" ]

packages/server/Dockerfile

@@ -1,18 +1,23 @@
-FROM node:16.15-bullseye-slim as build-stage
 ARG NODE_ENV=production
 ARG SPECKLE_SERVER_VERSION=custom
+ARG FILE_SIZE_LIMIT_MB=100
+ARG NODE_ENV=production
 
-RUN apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y \
-  --no-install-recommends \
-  tini=0.19.0-1 \
-  fonts-dejavu-core=2.37-2 \
-  fontconfig=2.13.1-4.2 \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
+FROM node:16.15-bullseye-slim as build-stage
 
 WORKDIR /speckle-server
 
+# install wait
+ENV WAIT_VERSION 2.8.0
+ADD https://github.com/ufoscout/docker-compose-wait/releases/download/${WAIT_VERSION}/wait ./wait
+RUN chmod +x ./wait
+
+# install tini
+ENV TINI_VERSION v0.19.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini ./tini
+RUN chmod +x ./tini
+
+# install node packages
 COPY .yarnrc.yml .
 COPY .yarn ./.yarn
 COPY package.json yarn.lock ./
@@ -25,27 +30,20 @@ COPY packages/server .
 
 RUN yarn build && yarn workspaces focus --production
 
-FROM node:16.15-bullseye-slim as production-stage
-ARG NODE_ENV=production
-ENV NODE_ENV=${NODE_ENV}
-ARG SPECKLE_SERVER_VERSION=custom
+FROM gcr.io/distroless/nodejs:16 as production-stage
 
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.8.0/wait /wait
-RUN chmod +x /wait
+ENV FILE_SIZE_LIMIT_MB=${FILE_SIZE_LIMIT_MB}, \
+    NODE_ENV=${NODE_ENV}, \
+    SPECKLE_SERVER_VERSION=${SPECKLE_SERVER_VERSION}
 
 WORKDIR /speckle-server
-
-COPY --from=build-stage /speckle-server/.yarnrc.yml .
-COPY --from=build-stage /speckle-server/.yarn ./.yarn
-COPY --from=build-stage /speckle-server/package.json /speckle-server/yarn.lock ./
+COPY --from=build-stage /speckle-server/wait /wait
+COPY --from=build-stage /speckle-server/tini /tini
 COPY --from=build-stage /speckle-server/node_modules ./node_modules
 
 WORKDIR /speckle-server/packages/server
-
 COPY --from=build-stage /speckle-server/packages/server/dist ./dist
 COPY --from=build-stage /speckle-server/packages/server/assets ./assets
 COPY --from=build-stage /speckle-server/packages/server/bin ./bin
 
-ENV FILE_SIZE_LIMIT_MB=100
-ENV SPECKLE_SERVER_VERSION=${SPECKLE_SERVER_VERSION}
-CMD ["yarn", "node", "bin/www"]
+ENTRYPOINT ["/tini", "--", "/nodejs/bin/node", "./bin/www"]

packages/webhook-service/Dockerfile

@@ -1,20 +1,20 @@
-FROM node:16.15-bullseye-slim as node
-
-RUN apt-get update && \
-  DEBIAN_FRONTEND=noninteractive apt-get install -y \
-  --no-install-recommends \
-  tini=0.19.0-1 \
-  && apt-get clean \
-  && rm -rf /var/lib/apt/lists/*
-
-ADD https://github.com/ufoscout/docker-compose-wait/releases/download/2.8.0/wait /wait
-RUN chmod +x /wait
-
 ARG NODE_ENV=production
-ENV NODE_ENV=${NODE_ENV}
+
+FROM node:16.15-bullseye-slim as build-stage
 
 WORKDIR /speckle-server
 
+ENV WAIT_VERSION 2.8.0
+ADD https://github.com/ufoscout/docker-compose-wait/releases/download/${WAIT_VERSION}/wait ./wait
+RUN chmod +x ./wait
+
+ENV TINI_VERSION v0.19.0
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini ./tini
+RUN chmod +x ./tini
+
+# yarn install
+ENV NODE_ENV=${NODE_ENV}
+
 COPY .yarnrc.yml .
 COPY .yarn ./.yarn
 COPY package.json yarn.lock ./
@@ -23,6 +23,12 @@ WORKDIR /speckle-server/packages/webhook-service
 COPY packages/webhook-service/package.json .
 RUN yarn workspaces focus --production
 
-COPY packages/webhook-service/src .
+FROM gcr.io/distroless/nodejs:16 as production-stage
 
-CMD ["yarn", "node", "main.js"]
+WORKDIR /speckle-server/packages/webhook-service
+COPY packages/webhook-service/src .
+COPY --from=build-stage /speckle-server/wait /wait
+COPY --from=build-stage /speckle-server/tini /tini
+COPY --from=build-stage /speckle-server/node_modules ./node_modules
+
+ENTRYPOINT ["/tini", "--", "/nodejs/bin/node", "main.js"]

utils/monitor-deployment/Dockerfile

@@ -1,14 +1,33 @@
-FROM python:3.8-slim
+ARG PG_CONNECTION_STRING
+ARG NODE_EXTRA_CA_CERTS
 
+FROM debian:11-slim AS build-stage
+
+WORKDIR /build
 # Add Tini
 ENV TINI_VERSION v0.19.0
-ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
-RUN chmod +x /tini
-ENTRYPOINT ["/tini", "--"]
+ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini ./tini
+RUN chmod +x ./tini
 
+# Add python virtual env
+WORKDIR /venv
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install \
+    --no-install-suggests --no-install-recommends --yes \
+    python3-venv=3.9.2-3 && \
+    python3 -m venv /venv
+
+COPY utils/monitor-deployment/requirements.txt /requirements.txt
+RUN /venv/bin/pip install --disable-pip-version-check --requirement /requirements.txt
+
+FROM gcr.io/distroless/python3-debian11:nonroot as production-stage
+
+ENV PG_CONNECTION_STRING=${PG_CONNECTION_STRING}, \
+    NODE_EXTRA_CA_CERTS=${NODE_EXTRA_CA_CERTS}
+
+COPY --from=build-stage /venv /venv
 WORKDIR /app
+COPY --from=build-stage /build/tini ./tini
 COPY utils/monitor-deployment .
-RUN pip install --no-cache-dir -r requirements.txt
 
-
-CMD ["python", "-u", "src/run.py"]
+ENTRYPOINT [ "./tini", "--", "/venv/bin/python3", "-u", "src/run.py"]

utils/test-deployment/Dockerfile

@@ -1,7 +1,22 @@
-FROM python:3.8-slim
+ARG SPECKLE_SERVER
+ARG SPECKLE_VERSION
 
-WORKDIR /speckle
-COPY utils/test-deployment .
-RUN pip install --no-cache-dir -r requirements.txt
+FROM debian:11-slim AS build-stage
+WORKDIR /venv
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install \
+    --no-install-suggests --no-install-recommends --yes \
+    python3-venv=3.9.2-3 && \
+    python3 -m venv /venv
 
-CMD [ "./run_tests.py" ]
+COPY utils/test-deployment/requirements.txt /requirements.txt
+RUN /venv/bin/pip install --disable-pip-version-check --requirement /requirements.txt
+
+FROM gcr.io/distroless/python3-debian11:nonroot as production-stage
+
+ENV SPECKLE_SERVER=${SPECKLE_SERVER}, \
+    SPECKLE_SERVER=${SPECKLE_VERSION}
+COPY --from=build-stage /venv /venv
+COPY utils/test-deployment /app
+WORKDIR /app
+ENTRYPOINT [ "/venv/bin/python3", "-u", "./run_tests.py" ]