getsentry / sentry-docs

Sentry's documentation (and tools to build it)
https://docs.sentry.io

Add Dockerfile information #8567

Open cjoecker opened 7 months ago

cjoecker commented 7 months ago

Problem Statement

I'm using @sentry/remix with Remix and deploying it with a docker container to AWS. I couldn't find in the documentation that I need to add the ARG SENTRY_AUTH_TOKEN during the docker build to make Sentry work during npm run build.

Solution Brainstorm

It would be nice to have a small example on how to run the npm run build inside of a docker file safely in order to build the app authenticating Sentry.

For example:

Build on docker

If you are using docker to deploy your application, you will need to authenticate Sentry during npm run build. For that, you need to do the following:

  1. Add ARG SENTRY_AUTH_TOKEN at the beginning of your file Dockerfile
  2. Add ENV SENTRY_AUTH_TOKEN=${SENTRY_AUTH_TOKEN} before the RUN npm run build command in your Dockerfile
  3. Add your sentry token to your pipeline secrets and on the build step.

AbhiPrasad commented 7 months ago

Hey @cjoecker - you're right that we need to improve onboarding here and provide more docs. I'm going to move this to the docs repo and backlog, but PRs are welcome if you would like to help contribute!

getsantry[bot] commented 7 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 7 months ago

Routing to @getsentry/product-owners-sdks-web-frontend for triage ⏲️

yuvi-pc commented 2 months ago

Setting SENTRY_AUTH_TOKEN like this in the docker file will mean that the docker image will contain this token. Is this not a security risk? I am trying to add sentry io with next js app and deploying as container into AWS.

lforst commented 2 months ago

@yuvi-pc Correct. I would advise against using any build arguments for auth tokens as that will bake the auth tokens into the image. Instead I recommend using build secrets: https://docs.docker.com/build/building/secrets/
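The two approaches discussed above side by side, with a small check that can run in CI; this is an added example, not code from the thread or from Sentry's documentation. The function names, the credential-name pattern and both sample Dockerfiles are constructed for illustration, and only the first variable of each ARG/ENV instruction is inspected.

```shell
#!/bin/sh
# lint_build_secrets DOCKERFILE
# Lists ARG/ENV instructions whose first variable name looks like a credential
# and returns 1 if any are found. ENV values persist in the image config and
# build args show up in `docker history`, so neither is a place for a token.
lint_build_secrets() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        toupper(line) ~ /^(ARG|ENV)[ \t]+[A-Z0-9_]*(TOKEN|SECRET|PASSWORD|API_KEY)/ {
            printf "%d: %s\n", NR, line; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_samples DIR: constructed Dockerfiles, build-arg pattern vs. build secret.
write_samples() {
    cat > "$1/Dockerfile.arg" <<'EOF'
FROM node:20-alpine
ARG SENTRY_AUTH_TOKEN
WORKDIR /app
COPY . .
ENV SENTRY_AUTH_TOKEN=${SENTRY_AUTH_TOKEN}
RUN npm run build
EOF
    cat > "$1/Dockerfile.secret" <<'EOF'
FROM node:20-alpine
WORKDIR /app
COPY . .
# Built with: docker build --secret id=SENTRY_AUTH_TOKEN,env=SENTRY_AUTH_TOKEN .
RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \
    SENTRY_AUTH_TOKEN=$(cat /run/secrets/SENTRY_AUTH_TOKEN) \
    npm run build
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
for f in "$dir/Dockerfile.arg" "$dir/Dockerfile.secret"; do
    if lint_build_secrets "$f"; then echo "${f##*/}: ok"
    else echo "${f##*/}: credential passed through ARG/ENV"; fi
done
rm -rf "$dir"
```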

yuvi-pc commented 2 months ago

Thank you for the reply on my previous question.

Here is my docker file which runs on Azure pipeline however I keep getting 401 when mounting the secret. If I hardcode the SENTRY_AUTH_TOKEN, it works okay. The SENTRY_AUTH_TOKEN is an organisation token.

# 1. Install dependencies only when needed
FROM node:20-alpine AS base

# 2. Rebuild the source code only when needed
FROM base AS builder
WORKDIR /app
COPY . .
RUN yarn install --frozen-lockfile

ENV NODE_ENV=production
ENV NEXT_PUBLIC_SENTRY_DSN="{{NEXT_PUBLIC_SENTRY_DSN}}"
ENV NEXT_PUBLIC_SENTRY_LOGGING_ENABLED="{{NEXT_PUBLIC_SENTRY_LOGGING_ENABLED}}"
ENV SENTRY_LOG_LEVEL=debug

RUN --mount=type=secret,id=SENTRY_AUTH_TOKEN \
    SENTRY_AUTH_TOKEN=$(cat /run/secrets/SENTRY_AUTH_TOKEN) \
    yarn build

# 3. Production image, copy all the files and run next
FROM base AS runner

WORKDIR /app

ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1
ENV USE_HTTPS=true

RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001

COPY --from=builder /app/public ./public
COPY --from=builder /app/package.json ./package.json

# Automatically leverage output traces to reduce image size
# https://nextjs.org/docs/advanced-features/output-file-tracing
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder --chown=nextjs:nodejs /app/entrypoint.sh ./entrypoint.sh
COPY --from=builder --chown=nextjs:nodejs /app/next.config.js ./next.config.js
COPY --from=builder --chown=nextjs:nodejs /app/next-i18next.config.js ./next-i18next.config.js

RUN ["chmod", "755", "/app/entrypoint.sh"]

USER nextjs

EXPOSE 3000

ENV PORT=3000

ENTRYPOINT ["/app/entrypoint.sh"]

CMD ["node", "server.js"]

Am I right here thinking it is ideal to upload source maps during the build process?

Here are the error logs from the build machine


#16 77.71   DEBUG   2024-04-23 17:59:00.270711658 +00:00 using token authentication
#16 77.71   DEBUG   2024-04-23 17:59:00.270730345 +00:00 json body: {"version":"19z3UtQp22XhGVbJCRu6V","projects":["nfap-ui"],"dateStarted":"2024-04-23T17:59:00.270660373Z"}
#16 77.71   DEBUG   2024-04-23 17:59:00.270738264 +00:00 retry number 0, max retries: 0
#16 77.71   DEBUG   2024-04-23 17:59:00.294474220 +00:00 > POST /api/0/projects/novafori-v9/nfap-ui/releases/ HTTP/1.1
#16 77.71   DEBUG   2024-04-23 17:59:00.294510133 +00:00 > Host: sentry.io
#16 77.71   DEBUG   2024-04-23 17:59:00.294517157 +00:00 > Accept: */*
#16 77.71   DEBUG   2024-04-23 17:59:00.294523945 +00:00 > Connection: TE
#16 77.71   DEBUG   2024-04-23 17:59:00.294530206 +00:00 > TE: gzip
#16 77.71   DEBUG   2024-04-23 17:59:00.294536180 +00:00 > User-Agent: sentry-cli/1.77.3 webpack-plugin/1.21.0
#16 77.71   DEBUG   2024-04-23 17:59:00.294888985 +00:00 > Authorization: Bearer SENTRY_A***
#16 77.71   DEBUG   2024-04-23 17:59:00.294902315 +00:00 > Content-Type: application/json
#16 77.71   DEBUG   2024-04-23 17:59:00.294909283 +00:00 > Content-Length: 105
#16 77.71   DEBUG   2024-04-23 17:59:00.450901513 +00:00 < HTTP/1.1 401 Unauthorized
#16 77.71   DEBUG   2024-04-23 17:59:00.450938129 +00:00 < server: nginx
#16 77.71   DEBUG   2024-04-23 17:59:00.450948638 +00:00 < date: Tue, 23 Apr 2024 17:59:00 GMT
#16 77.71   DEBUG   2024-04-23 17:59:00.450957937 +00:00 < content-type: application/json
#16 77.71   DEBUG   2024-04-23 17:59:00.450967269 +00:00 < www-authenticate: xBasic realm="api"
#16 77.71   DEBUG   2024-04-23 17:59:00.450975021 +00:00 < allow: GET, POST, HEAD, OPTIONS
#16 77.71   DEBUG   2024-04-23 17:59:00.450982174 +00:00 < access-control-allow-methods: GET, POST, HEAD, OPTIONS
#16 77.71   DEBUG   2024-04-23 17:59:00.450992266 +00:00 < access-control-allow-headers: X-Sentry-Auth, X-Requested-With, Origin, Accept, Content-Type, Authentication, Authorization, Content-Encoding, sentry-trace, baggage, X-CSRFToken
#16 77.71   DEBUG   2024-04-23 17:59:00.451000423 +00:00 < access-control-expose-headers: X-Sentry-Error, X-Sentry-Direct-Hit, X-Hits, X-Max-Hits, Endpoint, Retry-After, Link
#16 77.71   DEBUG   2024-04-23 17:59:00.451010166 +00:00 < access-control-allow-origin: *
#16 77.71   DEBUG   2024-04-23 17:59:00.451018188 +00:00 < x-sentry-rate-limit-remaining: 39
#16 77.71   DEBUG   2024-04-23 17:59:00.451025263 +00:00 < x-sentry-rate-limit-limit: 40
#16 77.71   DEBUG   2024-04-23 17:59:00.451031924 +00:00 < x-sentry-rate-limit-reset: 1713895141
#16 77.71   DEBUG   2024-04-23 17:59:00.451038667 +00:00 < x-sentry-rate-limit-concurrentremaining: 24
#16 77.71   DEBUG   2024-04-23 17:59:00.451045270 +00:00 < x-sentry-rate-limit-concurrentlimit: 25
#16 77.71   DEBUG   2024-04-23 17:59:00.451052233 +00:00 < vary: Accept-Language, Cookie
#16 77.71   DEBUG   2024-04-23 17:59:00.451059401 +00:00 < content-language: en
#16 77.71   DEBUG   2024-04-23 17:59:00.451066543 +00:00 < x-frame-options: deny
#16 77.71   DEBUG   2024-04-23 17:59:00.451074576 +00:00 < x-content-type-options: nosniff
#16 77.71   DEBUG   2024-04-23 17:59:00.451081749 +00:00 < x-xss-protection: 1; mode=block
#16 77.71   DEBUG   2024-04-23 17:59:00.451089507 +00:00 < content-security-policy: object-src 'none'; frame-ancestors 'self' *.sentry.io; connect-src 'self' *.algolia.net *.algolianet.com *.algolia.io sentry.io *.sentry.io s1.sentry-cdn.com o1.ingest.sentry.io api2.amplitude.com app.pendo.io data.pendo.io reload.getsentry.net t687h3m0nh65.statuspage.io sentry.zendesk.com ekr.zdassets.com maps.googleapis.com; base-uri 'none'; default-src 'none'; style-src * 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'report-sample' s1.sentry-cdn.com js.sentry-cdn.com browser.sentry-cdn.com statuspage-production.s3.amazonaws.com static.zdassets.com aui-cdn.atlassian.com connect-cdn.atl-paas.net js.stripe.com 'strict-dynamic' cdn.pendo.io data.pendo.io pendo-io-static.storage.googleapis.com pendo-static-5634074999128064.storage.googleapis.com; font-src * data:; frame-src app.pendo.io demo.arcade.software js.stripe.com sentry.io; media-src *; img-src * blob: data:; worker-src blob:; report-uri https://o1.ingest.sentry.io/api/54785/security/?sentry_key=f724a8a027db45f5b21507e7142ff78e&sentry_release=734d397e49f3f0ca40c955cc879da88d5f99b6f6
#16 77.71   DEBUG   2024-04-23 17:59:00.451098598 +00:00 < x-envoy-attempt-count: 1
#16 77.71   DEBUG   2024-04-23 17:59:00.451105380 +00:00 < x-envoy-upstream-service-time: 42
#16 77.71   DEBUG   2024-04-23 17:59:00.451112038 +00:00 < x-served-by: getsentry-web-rpc-production-canary-599cfb48c4-6sxc5
#16 77.71   DEBUG   2024-04-23 17:59:00.451119014 +00:00 < x-sentry-proxy-url: http://10.2.0.67:8999/api/0/projects/novafori-v9/nfap-ui/releases/
#16 77.71   DEBUG   2024-04-23 17:59:00.451125738 +00:00 < x-served-by: getsentry-control-web-default-common-production-65c45ff7f475vqz
#16 77.71   DEBUG   2024-04-23 17:59:00.451132881 +00:00 < x-served-by: frontend-default-57fc75c5c4-7qkkn
#16 77.71   DEBUG   2024-04-23 17:59:00.451140719 +00:00 < strict-transport-security: max-age=31536000; includeSubDomains; preload
#16 77.71   DEBUG   2024-04-23 17:59:00.451147637 +00:00 < via: 1.1 google
#16 77.71   DEBUG   2024-04-23 17:59:00.451154638 +00:00 < Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
#16 77.71   DEBUG   2024-04-23 17:59:00.451161878 +00:00 < Transfer-Encoding: chunked
#16 77.71   DEBUG   2024-04-23 17:59:00.453177061 +00:00 response status: 401
#16 77.71   DEBUG   2024-04-23 17:59:00.453199651 +00:00 body: {"detail":"Invalid token"}
#16 77.71 error: API request failed
#16 77.71   caused by: sentry reported an error: Invalid token (http status: 401)
#16 77.71   DEBUG   2024-04-23 17:59:00.453266820 +00:00 skipping update nagger because session is not attended
#16 77.71

lforst commented 2 months ago

Can you check that the token file you're writing is not containing any sort of other characters like newlines or smth? "Invalid token" makes me think that the token got messed up in some way. Maybe also print it out and look at it delimited by some characters for good measure?
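One way to run the check suggested above without echoing the secret into the build log; this is an added example, not code from the thread or from Sentry. The function name, the placeholder patterns and the sample token value are constructed, and the value is read with `$(cat ...)` exactly as the Dockerfile's RUN line does, which drops trailing newlines but keeps a carriage return, spaces or a byte-order mark.

```shell
#!/bin/sh
# check_token_file PATH
# Inspects a mounted secret without printing it in full. Prints findings and a
# masked, delimited preview; returns 0 if the value looks usable, 1 otherwise.
check_token_file() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file"; return 1; }

    # Same read as the RUN line: trailing newlines are stripped, nothing else.
    value=$(cat "$file")
    [ -n "$value" ] || { echo "empty token"; return 1; }

    rc=0
    # Count bytes that are not printable, non-space ASCII.
    odd=$(printf '%s' "$value" | LC_ALL=C tr -d '!-~' | wc -c | tr -d ' ')
    if [ "$odd" -gt 0 ]; then
        echo "$odd whitespace, control or non-ASCII byte(s) in token"
        rc=1
    fi

    # A literal variable name or an unexpanded reference means the pipeline
    # wrote a placeholder instead of the secret (patterns are assumptions).
    case $value in
        SENTRY_AUTH_TOKEN*|'$'*|'{{'*)
            echo "token looks like an unexpanded placeholder"
            rc=1 ;;
    esac

    # Delimited preview: length plus the first four characters only.
    echo "len=${#value} preview=[$(printf '%.4s' "$value")***]"
    return $rc
}

# Constructed sample: a fake token written with a Windows line ending.
sample=$(mktemp)
printf 'constructed-token-value\r\n' > "$sample"
check_token_file "$sample" || echo "token file rejected"
rm -f "$sample"
```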

yuvi-pc commented 2 months ago

It was an Azure pipeline issue. Once that is resolved, my source map is being uploaded to the Sentry release.

Lms24 commented 2 months ago

@yuvi-pc does this mean we can close the issue?

yuvi-pc commented 2 months ago

@Lms24 I am not the original author for this issue. But you can use my docker file example in your documentation or I can raise a PR if you could point where I need to set it.