get prod dockerfile working properly

[timothy-spencer]

🛠 Summary of changes

• Ensure that image is mostly read-only to the app user
• make sure keys are readable by the app user
• Make it so that build-essentials is not installed (smaller image, less tooling for attackers to work with)
• Make sure puma knows what xff header to use
• Ensure that service_providers.yml and related files are copied into the image

This image is running on https://idp.tstest.identitysandbox.gov/

[mitchellhenke]

We probably want to keep the ordering here for the same reasons discussed in https://gitlab.login.gov/lg/identity-dashboard/-/merge_requests/42

[timothy-spencer]

On this one, I'm going to stand firm, because this is not inline with development, but is aimed at production, and thus the image size reduction is important.

[mitchellhenke]

Yeah, I wholeheartedly agree that the slimmer image is worthwhile, but we should probably do a multi-stage build since it allows us to maximize the benefits of both caching and smaller builds. The size difference doesn't seem that significant at this point (~5-6%) for a potentially significant increase in build times.

Is it possible to try a multi-stage build?

[timothy-spencer]

I don't believe the build time is relevant here, though. It takes 8 minutes to build the prod image. 6 minutes to build the regular image. The overall pipeline with tests takes 16 minutes because of tests. The image builds are started at the start of the pipeline, and nothing depends on the prod image, so nothing has to wait for it to complete before it can run, and they run in parallel in a different runner pool, so don't even take up any test slots.

I will dig into the multi-stage builds to see if there's a better way to do it than when I last looked at this, but again, I think that this is not really needed.

[timothy-spencer]

How's that? I added a multi-stage build for you! :-)

[mitchellhenke]

Suggested change

RUN yarn install --production=true --frozen-lockfile --cache-folder .yarn-cache

[timothy-spencer]

Don't you want a yarn install? This command adds 408MB to the image, so it's doing something.

[mitchellhenke]

Probably mostly a bunch of node_modules which we could copy to avoid installing twice.

[mitchellhenke]

Though if we copy the compiled assets, we don't need to do that either.

[mitchellhenke]

can we move this up into the big install block?

We could also move asset compilation into the build stage as well and not install any yarn/javascript I think.

[timothy-spencer]

We can, though it won't make any significant difference.

I didn't move the asset compilation up, because I don't know where all the assets get put. It looked like there were a lot of assets directories in there. Is there a single one that I can copy back over?

[mitchellhenke]

I think it should just be the public/ folder

[timothy-spencer]

@mitchellhenke , I rearranged stuff a bit so that almost everything is built in the builder, and then everything in the app dir is copied over. The image is about 1gb smaller in size now. Fun!

The image is running over in https://idp.tstest.identitysandbox.gov/

Let me know what you think.

[timothy-spencer]

@mitchellhenke , any reason why we can't get this approved?

[timothy-spencer]

@mitchellhenke OK. I think it's ready for review again at last. :-)