Improve Docker image

[dacamposol]

• Add tag for build
• Add tag with digest for deterministic deployment image
• Add multi-stage build (just in case we include dependencies in the future which require to be compiled)
• Force NODE_ENV production so dependencies understand that they have to work on production mode
• Add dumb-init for correct handling of kernel signals (See: https://github.com/nodejs/docker-node/blob/main/docs/BestPractices.md#handling-kernel-signals)
• Current image with exactly zero security vulnerabilities

---

Related to:

• https://github.com/Pyrrha-Platform/Pyrrha-MQTT-Client/issues/18

[dacamposol]

Thank you @dacamposol. Wondering if UBI image was another option to keep consistent with rules-decision?

Thank you adding links to best practices and other docs for all your changes.

Actually I though about adding the RedHat image as well, but I'm not very happy on the fact that they only have the "fat" images with a ton of unnecessary libraries.

I'd prefer to just have a fixed slim version and to build in a previous stage with the fat version if required. Since the fat version will be deleted on the build process, there isn't neither a need to use the RedHat one instead of the official.

Also in that way we own the fixes that we do to the image, so we have a faster iteration in case that a critical CVS appear. The next feature I'd like to add is Snyk scan to the resultant images.

[upkarlidder]

Thank you for the explanation. I see a permissions issue now. Can you please add another fix? I remember you fixed this on UBI with the chown flag in COPY commands. Maybe something similar is needed here?

https://github.com/Pyrrha-Platform/Pyrrha-MQTT-Client/runs/3927730578?check_suite_focus=true#step:5:247

A docker build action would probably have caught this. Similar to the one you added to rules decision.