Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Node.js Rocks in Docker for Dev and Ops

Bret Fisher
May 01, 2019
Technology
2
470

Node.js Rocks in Docker for Dev and Ops

From DockerCon 2019. Learn the best practices of managing Node and JavaScript projects when developing, testing, and operating containers from Docker Captain Bret Fisher, who's been building and deploying Node apps in containers since the early days of the Docker project.
This session will take you on a journey, starting with local development of Node and js-specific projects and how to optimize your Docker Desktop and Compose configs for "the best of both worlds" with js and Docker. You'll see examples of cutting edge features like macOS mind-mount performance enhancements, and multi-stage image targeting.
Then Bret will walk you through examples of optimizing your builds, testing, and CI/CD of Node with new features like test stages in multi-stage builds.
Finally, you'll get some examples around Node in production orchestration, and how you can optimize your cluster updates for zero-downtime scenarios on Kubernetes and Swarm using Node connection management techniques.
Node apps rock in containers, so come join Bret for a fun ride through the best parts and learn solutions for the problems that you'll need to solve along the way.

Bret Fisher

May 01, 2019
Tweet

More Decks by Bret Fisher

See All by Bret Fisher
Building Your Docker Swarm Tech Stack
bretfisher
1
97
Container Orchestration with Docker and Swarm
bretfisher
0
63
Building Your Docker Tech Stack
bretfisher
1
220
Why Docker, Why Now?
bretfisher
0
34
Going Production with Docker and Swarm
bretfisher
2
1.1k
Road to Docker Production: What You Need To Know and Decide
bretfisher
2
440
Journey to Docker Production
bretfisher
1
220
Your President Wants You To Hack: Civic Hacking for Fun, Profit, and Good Karma
bretfisher
1
150

Other Decks in Technology

See All in Technology
ユーザーストーリーマッピング
kawaguti
PRO
4
580
OpenAI社のWhisper APIを使ってみた! / ChatGPT研究会 第7弾 (ALGYAN)
you
0
250
点群SegmentationのためのTransformerサーベイ
takmin
1
460
心理的安全性に対して個人とチームで取り組んできたこと
hiro_torii
1
310
ほーるちーむあぷろーち for babies #scrumniigata #SigSQA / Whole-Team Approach (WhTA) for babies
caori_t
1
420
Spring I/O 2023 - Barcelona
bnasslahsen
0
120
User Story Mapping - Scrum Niigata
kawaguti
PRO
5
2.3k
C# の async/await は実際にどうやって動いているか
nenonaninu
1
7.5k
周りが強すぎて現実逃避でOSS活動始めた結果
bun913
0
460
Datadogで実現するセキュリティ オブザーバビリティ
taka2noda
1
120
Nx CloudでCIを爆速にした話
puku0x
0
330
Save the state
keithyokoma
0
140

Featured

See All Featured
Optimising Largest Contentful Paint
csswizardry
2
770
JazzCon 2018 Closing Keynote - Leadership for the Reluctant Leader
reverentgeek
176
9.4k
Reflections from 52 weeks, 52 projects
jeffersonlam
341
18k
How to train your dragon (web standard)
notwaldorf
68
4.4k
Testing 201, or: Great Expectations
jmmastey
26
5.9k
Visualization
eitanlees
130
12k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
Design by the Numbers
sachag
272
18k
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
Unsuck your backbone
ammeep
660
56k
What's new in Ruby 2.0
geeforr
336
30k
Fireside Chat
paigeccino
18
2.1k

Transcript

  1. Bret Fisher
    Docker Captain, DevOps Dude
    bretfisher.com/docker
    Node.js Rocks in Docker

    View Slide

  2. Who's This Session For?
    •You know some Node
    •You know some Docker
    •You want more Node+Docker awesomesauce

    View Slide

  3. What We Gonna' Learn Bret?
    •Node Dockerfile Best Practices
    •Make a real-world multi-stage Dockefile
    •Build with auditing and sec scans
    •Proper Node shutdown
    •Node HTTP connection management

    View Slide

  4. Node Dockerfiles

    View Slide

  5. Every Node Sample Dockerfile

    View Slide

  6. Node Base Image Guidelines
    •Stick to even numbered major releases
    •Don't use :latest tag
    •Start with Debian if migrating
    •Use stretch (default) not jessie
    •Try slim first
    •Move to Alpine later, maybe

    View Slide

  7. When to use Alpine Images
    •Alpine is "small" and "sec focused"
    •But Debian/Ubuntu are smaller now too
    •~100MB space savings isn't significant
    •Alpine has its own issues
    •Alpine CVE scanning fails
    •Enterprises may require CentOS or
    Ubuntu/Debian

    View Slide

  8. Image Sizes for node/slim/alpine

    View Slide

  9. Image Sizes for node/slim/alpine

    View Slide

  10. node_modules in Images
    •Problem: we shouldn't build images with
    node_modules from host
    •Example: node-gyp
    •Solution: add node_modules\
    to .dockerignore
    •copy .gitignore?

    View Slide

  11. Least Privilege: Using node User
    •Official node images have a node user
    •But it’s not used until you USER node
    •Do this after apt/apk and npm i -g
    •Do this before npm i
    •May cause permissions issues with write
    access
    •May require chown node:node

    View Slide

  12. 0.Dockerfile

    View Slide

  13. 1.Dockerfile

    View Slide

  14. Process
    Management and
    Shutdown

    View Slide

  15. Node Process Management In Containers
    •No need for nodemon, forever, or pm2 on server
    •We'll use nodemon in dev for file watch later
    •Docker manages app start, stop, restart,
    healthcheck
    •Node multi-thread: Docker manages multiple
    “replicas”
    •One npm/node problem: They don’t listen for
    proper shutdown signal by default

    View Slide

  16. The Truth About The PID 1 Problem
    •PID 1 (Process Identifier) is the first
    process in a system (or container) (AKA init)
    •Init process in a container has two jobs:
    • reap zombie processes
    • pass signals to sub-processes
    •Zombie not a big Node issue
    •Focus on proper Node shutdown

    View Slide

  17. Proper CMD for Healthy Shutdown
    •Docker uses Linux signals to stop app
    (SIGINIT/SIGTERM/SIGKILL)
    •SIGINIT/SIGTERM allow graceful stop
    •npm doesn't respond to SIGINIT/SIGTERM
    •node doesn't respond by default, but can with
    code
    •Docker provides a init PID 1 replacement
    option

    View Slide

  18. Proper Node Shutdown Options
    •Temp: Use --init to fix ctrl-c for now
    •Workaround: add tini to your image
    •Production: your app captures SIGINIT
    for proper exit

    View Slide

  19. Example init command
    •Run any node app with --init to handle
    signals (temp solution)
    >docker run --init -d nodeapp

    View Slide

  20. Example tini Dockerfile
    •Add tini to your Dockerfile, then use
    it in CMD (permanent workaround)
    >RUN apk add --no-cache tini
    >ENTRYPOINT ["/sbin/tini", "--"]
    >CMD ["node", "./bin/www"]

    View Slide

  21. 1.Dockerfile

    View Slide

  22. 2.Dockerfile

    View Slide

  23. Example SIGINIT Capture

    View Slide

  24. View Slide

  25. •Used to track HTTP connections and send
    them FIN packets when Node shuts down
    >https://github.com/hunterloftis/stoppable
    Better: Connection Tracking

    View Slide

  26. Multi-stage Builds
    •Build multiple images from one file
    •Those images can FROM each other
    •COPY files between them
    •Space + security benefits
    •Great for "artifact only"
    •Great for dev + test + prod

    View Slide

  27. Avoiding devDependencies In Prod
    •Multi-stage can solve this
    •prod stages: npm i --only=production
    •Dev stage: npm i --only=development
    •Optional: Use npm ci to speed up builds
    •Ensure NODE_ENV is set

    View Slide

  28. 2.Dockerfile

    View Slide

  29. 3.Dockerfile

    View Slide

  30. Building A Specific Stage
    •To build dev image from dev (last) stage
    >docker build -t myapp .
    •To build prod image from prod stage
    >docker build -t myapp:prod --target prod .

    View Slide

  31. More Multi-stage: test
    •Add a test stage that runs npm test
    •Have CI build --target test stage
    before building prod
    •Don’t COPY code into dev stage
    •Keep it DRY (for COPY and RUN)

    View Slide

  32. 3.Dockerfile

    View Slide

  33. 4.Dockerfile

    View Slide

  34. 4.Dockerfile

    View Slide

  35. Security Scanning and Audit
    •Create audit stage for optional build
    •Consider RUN npm audit
    •Consider CVE scanner
    •Only report at first, no failing (most
    images have at least one CVE vuln)

    View Slide

  36. 4.Dockerfile

    View Slide

  37. 4.Dockerfile

    View Slide

  38. 5.Dockerfile

    View Slide

  39. Got Compose?

    View Slide

  40. Compose YAML v2 vs v3
    •Myth busting: v3 does not replace v2
    •v2 focus: single-node dev/test
    •v3 focus: multi-node orchestration
    •If not using Swarm/Kubernetes, stick to
    v2

    View Slide

  41. Every Node Sample Compose

    View Slide

  42. node_modules in Bind-Mounts
    •Problem: we can't just bind-mount
    node_modules content from host on
    macOS/Windows (different arch)
    •Two Potential Solutions

    View Slide

  43. node_modules in Bind-Mounts
    •Solution 1, common but less flexible:
    •Bind-mount /app which includes modules
    •You can't docker-compose up until
    you've used docker-compose run
    •node_modules on host is now only
    usable from container
    •Never npm install from host

    View Slide

  44. node_modules in Bind-Mounts
    •Solution 2, more complex but flexible:
    •Move node_modules up a directory in
    Dockerfile
    •Use empty volume to hide node_modules
    on bind-mount
    •node_modules on host doesn't conflict

    View Slide

  45. Bind-Mounting: Performance
    •On Linux, bind-mounts are native
    •On macOS add delegated write mode
    •Slower in Windows, mounting across
    Samba/SMB
    •Consider file sync if it gets real bad
    •Or WSL + Docker

    View Slide

  46. 0.docker-compose.yml

    View Slide

  47. 1.docker-compose.yml

    View Slide

  48. File Monitoring and Node Auto Restarts
    •Use nodemon for compose file monitoring
    •webpack-dev-server, etc. work the same
    •If Windows, enable polling
    •Create a nodemon.json for advanced
    workflows (bower, webpack, parcel)

    View Slide

  49. Startup Order and Dependencies
    •Problem: Multi-service apps start out
    of order, node might exit or cycle
    •Multi-container dependencies need:
    •Name resolution (DNS)
    •Connection failure handling

    View Slide

  50. Dependency Awareness
    •depends_on: service A needs service B
    •Fixes name resolution issues with
    "can't resolve "
    •Only for compose, not Orch
    •compose YAML v2: works with
    healthchecks like a "wait for script"

    View Slide

  51. 1.docker-compose.yml

    View Slide

  52. 2.docker-compose.yml

    View Slide

  53. Production Checklist
    •CMD node directly
    •Build with .dockerignore
    •capture SIGTERM, properly shutdown
    •npm ci or npm i --only=production
    •Scan/audit/test during builds
    •Healthchecks (readiness/liveness)

    View Slide

  54. Thanks!
    bretfisher.com/docker
    @Bretfisher
    bretfisher.com/node
    New Docker for Node.js course

    View Slide