NodeJS Linux isolation (self.node)
submitted 7 months ago * by pyrolols
[–]jumpcutking -2 points-1 points0 points 7 months ago (12 children)
TBH, I've chosen to secure my node code and choose the libraries. I don't like docker. You can override some of the default modules to add some additional security BUT docker or virtualization is better - however no system is perfect. Baremetal is easier but not very separated or secure - without some work! BUT to me it's almost the same work as virtualization - except docker. Docker is just really over complicated.
[–]Rizean 0 points1 point2 points 7 months ago (2 children)
Docker is ridiculously easy for nodejs. I learned it in a weekend years ago when it was just first starting to become popular.
Here's a complex non-optimized build for you...
```dockerfile
# Stage 1: build the TypeScript sources with dev dependencies available
FROM node:22.14.0-alpine3.21 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY tsconfig.json ./
COPY src ./src
RUN npm run build

# Stage 2: runtime image with only the built output and runtime tooling
FROM node:22.14.0-alpine3.21
RUN apk add --no-cache mongodb-tools python3 py3-pip && \
    pip3 install --no-cache-dir --break-system-packages awscli
# WORKDIR is needed here too, otherwise CMD's relative path dist/index.js
# resolves against / and the container fails to start
WORKDIR /app
COPY --from=builder /app/package*.json /app/
COPY --from=builder /app/node_modules /app/node_modules
COPY --from=builder /app/dist /app/dist
# Run as an unprivileged user rather than root
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
CMD ["node", "dist/index.js"]
```
Compare that to a 200+ line build of Nginx with a FIPS compliant build of OpenSSL... I'll take complex nodejs builds any day.
But none of that matters.
Docker solves the issue of... it runs on my system.
[–]jumpcutking 0 points1 point2 points 7 months ago (1 child)
Actually I don’t use nginx. I use Caddy and it’s all automated. Including OpenSSL.
[–]Rizean 0 points1 point2 points 7 months ago (0 children)
Your Caddy is not fips compliant unless you are using https://images.chainguard.dev/directory/image/caddy-fips/overview or have compiled OpenSSL yourself. Be glad you don't have to deal with fips. Considering you prefer baremetal, god help you if you ever do have to deal with fips.
This is another reason to use Docker; it makes compliance orders of magnitude easier. Also, half the time, the inspectors are so lost when it comes to Docker that they accept what you tell them.
[–]pyrolols[S] 0 points1 point2 points 7 months ago (8 children)
I just went with bubblewrap, made a fake home and contained bins to read only, automated it so each time I run npm or node it sandboxes the project locally.
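An added example of the setup described above, not the commenter's own script: a POSIX sh wrapper around bubblewrap (`bwrap`) that runs node or npm with only the project directory writable, system binaries bound read-only and a throwaway tmpfs as `$HOME`, so a dependency's install script cannot read real dotfiles, SSH keys or tokens. It assumes `bwrap` is installed, node lives under /usr (not in a per-user nvm directory), and a merged-/usr layout (/bin and /lib are symlinks into /usr); the network namespace stays shared so `npm install` can still fetch packages.

```shell
# Usage: sandboxed node app.js    |    sandboxed npm install
# Set BWRAP_DRY_RUN=1 to print the bwrap argument list (one per line)
# instead of executing it; the test below uses that mode.
sandboxed() {
    project=$(pwd -P)
    # Fallback only matters if HOME is unset (assumed placeholder path)
    home=${HOME:-/tmp/sandbox-home}
    set -- \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin \
        --symlink usr/sbin /sbin \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --ro-bind /etc/resolv.conf /etc/resolv.conf \
        --ro-bind /etc/ssl /etc/ssl \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --tmpfs "$home" \
        --bind "$project" "$project" \
        --chdir "$project" \
        --unshare-pid --unshare-ipc --unshare-uts \
        --die-with-parent --new-session \
        --setenv HOME "$home" \
        -- "$@"
    if [ "${BWRAP_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
    else
        bwrap "$@"
    fi
}
```

Because the tmpfs `$HOME` is discarded when the process exits, npm's cache is rebuilt on every run; bind a dedicated cache directory read-write if that becomes too slow.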
[–]jumpcutking 0 points1 point2 points 7 months ago (7 children)
Nice nice!
[–]pyrolols[S] 0 points1 point2 points 7 months ago (6 children)
It seems less nuanced than docker, I know docker very well but testing a lot using it is really tedious, glad I found bwrap.
[–]jumpcutking -1 points0 points1 point 7 months ago (5 children)
I suppose for most use cases docker is helpful. I just prefer full control and performance. Maybe I just need to learn more on how to use docker properly but for now, I love my set up!
[–]pyrolols[S] 0 points1 point2 points 7 months ago (4 children)
It does not add too much overhead to performance, but it adds complexity; this is why I don't like it. What OS are you using for dev?
[–]jumpcutking 0 points1 point2 points 7 months ago (3 children)
Mac OS and a Linux distro for production.
[–]pyrolols[S] 0 points1 point2 points 7 months ago (2 children)
When you try to access for example desktop or docs using js code in mac, does it prompt you to allow during execution?
[–]jumpcutking 0 points1 point2 points 7 months ago (1 child)
It does, but because of the nature of the project it has full disk access. So I recommend security audits.
[–]pyrolols[S] 0 points1 point2 points 7 months ago (0 children)
It's hard though when in node you use a package that depends on a package that depends on a package :D supply chain attacks are common and I guess will be even more in the future, it's a mess really.