
Comments (18)

torbenbr avatar torbenbr commented on September 3, 2024 17

You can add this in your Dockerfile

before php stage

ARG NODE_VERSION=14

# node "stage"
FROM node:${NODE_VERSION}-alpine AS symfony_assets_builder

WORKDIR /srv/app

RUN mkdir public

COPY package.json yarn.lock ./

RUN yarn install

COPY assets assets/
COPY webpack.config.js ./

RUN yarn build

And this in the php stage

COPY --from=symfony_assets_builder /srv/app/public/build public/build

from symfony-docker.

Ldiro avatar Ldiro commented on September 3, 2024 5

@dunglas Genuine question: why would it be a security matter to have yarn/npm in production?

If I'm not mistaken, when you install webpack encore, the node_modules and public/build directories are added to .gitignore. So when I deploy my symfony apps to prod, on a "classic" server, I always run yarn install (in case I installed a new package) && yarn encore prod in my automatic deploy script from gitlab (along other commands like composer install, migrations etc...).

If you don't have the yarn package on your docker container on prod, does it mean that you exclude node_modules and public/build from .gitignore and commit them in your repo? Or maybe I'm missing something, which is probably the right answer 😅 And if it's the case, is it really a good practice?

I'm trying to improve in docker and generally in devops operation, so thank you if you can enlighten me on those subjects. Your repo is great, I'm actually using it for local development and add yarn in it, but I'm willing to follow generally accepted good practices.

from symfony-docker.

dunglas avatar dunglas commented on September 3, 2024 4

Mostly for security reasons. You don't want something useless in prod in your images.

from symfony-docker.

gmsantos avatar gmsantos commented on September 3, 2024 3

Another alternative is to serve these assets outside the production image and publish it to static storage (like S3 or a CDN).

You can build the assets as part of the CI process and sync the built files to the static storage/CDN of your choice with this Encore configuration:
https://symfony.com/doc/current/frontend/encore/cdn.html

from symfony-docker.

slacker775 avatar slacker775 commented on September 3, 2024 3

In my experience, you don't want development 'artifacts' in your production environment if they aren't needed. At a minimum, it bloats your containers, but from a security POV, it's more tools for an attacker to utilize to 'live off the land'. I use a step in the container build to do the yarn install/yarn run encore prod bits and then copy the resulting public/build directories to the resulting image. This reduces the end container size and keeps dev tools from the resulting build.

from symfony-docker.
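
Added example, not part of the thread or of the symfony-docker project: a small heuristic audit that parses a multi-stage Dockerfile and reports Node tooling that reaches the final (shipped) stage, including the case where the last stage inherits from the asset builder. The sample Dockerfile is constructed from the node stage posted in this thread; the `php:8-fpm-alpine` base and the `symfony_php` stage name are assumptions.

```python
import re

# Constructed sample: node stage from the thread + assumed minimal php final stage.
SAMPLE = """\
ARG NODE_VERSION=14
FROM node:${NODE_VERSION}-alpine AS symfony_assets_builder
WORKDIR /srv/app
COPY package.json yarn.lock ./
RUN yarn install
COPY assets assets/
COPY webpack.config.js ./
RUN yarn build
FROM php:8-fpm-alpine AS symfony_php
COPY --from=symfony_assets_builder /srv/app/public/build public/build
"""

TOOLING = re.compile(r"\b(node|nodejs|npm|npx|yarn)\b")  # heuristic word match
FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)

def parse_stages(text):
    """Split a Dockerfile into stages: [{'base', 'name', 'lines'}]."""
    stages = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            stages.append({"base": m.group(1), "name": (m.group(2) or "").lower(), "lines": []})
        elif stages:
            stages[-1]["lines"].append(line)
    return stages

def audit_final_stage(text):
    """Findings for the last stage, following FROM <earlier stage> chains,
    because inheriting from the builder ships everything the builder contains."""
    stages = parse_stages(text)
    by_name = {s["name"]: s for s in stages if s["name"]}
    findings, stage, seen = [], stages[-1], set()
    while stage is not None and id(stage) not in seen:
        seen.add(id(stage))
        if TOOLING.search(stage["base"].split("/")[-1].split(":")[0]):
            findings.append(f"base image {stage['base']} carries Node tooling")
        for line in stage["lines"]:
            if line.upper().startswith("RUN") and TOOLING.search(line):
                findings.append(f"tooling used or installed: {line}")
            if re.search(r"--from=\S+\s.*node_modules", line):
                findings.append(f"node_modules copied in: {line}")
        stage = by_name.get(stage["base"].lower())
    return findings
```

An empty result for `audit_final_stage(SAMPLE)` means only the built `public/build` output crosses into the shipped stage; this is a static check of the Dockerfile text and does not inspect what the base image itself contains.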

abdounikarim avatar abdounikarim commented on September 3, 2024 2

Hello, can we use something like this in the docker-compose.override.yaml file ?

encore:
        command: ["yarn", "dev-server", "--host=0.0.0.0"]
        container_name: encore
        image: node:10-alpine
        ports:
            - "${DEV_SERVER_PORT:-8080}:8080"
        volumes:
            - .:/srv/app

And use this command to generate assets :

docker-compose run encore yarn --cwd /srv/app watch

With the current configuration, this will be used only in dev right ?

from symfony-docker.

Julien-Broyard avatar Julien-Broyard commented on September 3, 2024 1

You could create a docker-compose.dev.yml and add the node.js image with yarn there.

Then you could run this command.

docker-compose -f docker-compose.yml -f docker-compose.dev.yml up

How is it ?

from symfony-docker.

torbenbr avatar torbenbr commented on September 3, 2024 1

@HidouriAnis sry I did not read the error message correctly.

file not found in build context or excluded by .dockerignore: stat package.json: file does not exist

Your package.json is missing or excluded by .dockerignore

from symfony-docker.

slacker775 avatar slacker775 commented on September 3, 2024 1

> You can add this in your Dockerfile
>
> before php stage
>
> ARG NODE_VERSION=14
>
> # node "stage"
> FROM node:${NODE_VERSION}-alpine AS symfony_assets_builder
>
> WORKDIR /srv/app
>
> RUN mkdir public
>
> COPY package.json yarn.lock ./
>
> RUN yarn install
>
> COPY assets assets/
> COPY webpack.config.js ./
>
> RUN yarn build
>
> And this in the php stage
>
> COPY --from=symfony_assets_builder /srv/app/public/build public/build

I'm a big fan of this approach, though I'm definitely interested in other suggestions. I definitely want the assets to be rebuilt as part of the build process, not just leveraging whatever is on the developer's system at the time. By the same token, I don't want/need stuff like node_modules bloating up my resulting image. This approach builds them in a repeatable manner and only gives me the end result that I need.

from symfony-docker.

dunglas avatar dunglas commented on September 3, 2024

It's not a good idea in production. We need to find a way to have them in dev but not in prod.

from symfony-docker.

BaptisteCrouzet avatar BaptisteCrouzet commented on September 3, 2024

> It's not a good idea in production. We need to find a way to have them in dev but not in prod.

Why is it not a good idea in production? Is it for build time reasons?

from symfony-docker.

fherbin avatar fherbin commented on September 3, 2024

maybe a little off topic but, isn't it a good practice that services in containers are not executed as root ?

from symfony-docker.

torbenbr avatar torbenbr commented on September 3, 2024

> With the current configuration, this will be used only in dev right ?

Yes the dev server is only for dev ;) For prod you can use my example.

from symfony-docker.

HidouriAnis avatar HidouriAnis commented on September 3, 2024

@torbenbr does this work for you? I think the order of your steps is not good,
I have this when I apply your changes:

Step 7/42 : COPY package.json yarn.lock ./
ERROR: Service 'php' failed to build: COPY failed: file not found in build context or excluded by .dockerignore: stat package.json: file does not exist

from symfony-docker.

torbenbr avatar torbenbr commented on September 3, 2024

@HidouriAnis I think, in your case you don't have a yarn.lock file. Is that right? For ease of use you can change the copy step to COPY . .

from symfony-docker.

HidouriAnis avatar HidouriAnis commented on September 3, 2024

@torbenbr thanks for your response but I already have a yarn.lock

from symfony-docker.

Jamezsss avatar Jamezsss commented on September 3, 2024

> @dunglas Genuine question: why would it be a security matter to have yarn/npm in production?
>
> If I'm not mistaken, when you install webpack encore, the node_modules and public/build directories are added to .gitignore. So when I deploy my symfony apps to prod, on a "classic" server, I always run yarn install (in case I installed a new package) && yarn encore prod in my automatic deploy script from gitlab (along other commands like composer install, migrations etc...).
>
> If you don't have the yarn package on your docker container on prod, does it mean that you exclude node_modules and public/build from .gitignore and commit them in your repo? Or maybe I'm missing something, which is probably the right answer 😅 And if it's the case, is it really a good practice?
>
> I'm trying to improve in docker and generally in devops operation, so thank you if you can enlighten me on those subjects. Your repo is great, I'm actually using it for local development and add yarn in it, but I'm willing to follow generally accepted good practices.

Good question actually. The way I set it up before, I used Gitlab with a runner on my prod server (having yarn installed on my prod server outside the docker instance; you can also use a separate container for a runner with yarn installed in it).

But also wondering what would be a best practice.

from symfony-docker.

maxhelias avatar maxhelias commented on September 3, 2024

Let's close it in favor of PR #186

from symfony-docker.
