marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions 4 Packages Projects Releases Wiki Activity

Build production-ready multi-stage Dockerfile for the backend #134

New Issue
Open
opened 2026-03-28 08:51:38 +01:00 by marcel · 0 comments
marcel commented 2026-03-28 08:51:38 +01:00
Owner
Copy Link

Why

backend/Dockerfile currently runs ./mvnw spring-boot:run against a bind-mounted source tree. This means:

  • The container cannot run without the host filesystem — it is not a self-contained image.
  • It uses a full JDK at runtime (eclipse-temurin:21-jdk, ~600 MB) rather than a minimal JRE.
  • Maven downloads dependencies at container startup, making cold starts slow and fragile.
  • It is unsuitable for any deployment beyond local dev.

What to do

Replace backend/Dockerfile with a two-stage build:

Stage 1 — Build (JDK + Maven): compile the source, resolve all dependencies, produce the fat JAR.

Stage 2 — Runtime (JRE only): copy the JAR from stage 1, nothing else. No Maven, no source, no JDK tools.

# Stage 1: build
FROM eclipse-temurin:21-jdk AS build
WORKDIR /app
COPY .mvn/ .mvn/
COPY mvnw pom.xml ./
RUN ./mvnw dependency:resolve -q   # cache layer — only re-runs if pom.xml changes
COPY src ./src
RUN ./mvnw clean package -DskipTests

# Stage 2: runtime
FROM eclipse-temurin:21-jre AS runtime
WORKDIR /app
COPY --from=build /app/target/*.jar app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]

Additional hardening

  • Add a non-root user in the runtime stage (RUN addgroup --system app && adduser --system --ingroup app app, then USER app).
  • Pass JVM tuning flags via JAVA_OPTS environment variable so they can be overridden at deploy time without rebuilding the image.
  • The ENTRYPOINT should use exec form (JSON array) to ensure signals (SIGTERM) are passed directly to the JVM, enabling graceful shutdown.

CI impact

The e2e-tests job in ci.yml currently builds the JAR with mvnw clean package -DskipTests and runs it directly with java -jar. That job does not use Docker for the backend — so no CI changes are needed for the backend Dockerfile immediately.

However, once a production image build + push step is added to CI (future), this Dockerfile will be the one used.

Acceptance criteria

  • docker build -t familienarchiv-backend . from backend/ produces an image with no Maven or JDK tooling in the final layer.
  • docker run --env-file .env familienarchiv-backend starts successfully and /actuator/health returns UP.
  • Final image size is under 350 MB.
## Why `backend/Dockerfile` currently runs `./mvnw spring-boot:run` against a bind-mounted source tree. This means: - The container **cannot run without the host filesystem** — it is not a self-contained image. - It uses a full **JDK** at runtime (eclipse-temurin:21-jdk, ~600 MB) rather than a minimal JRE. - Maven downloads dependencies at container startup, making cold starts slow and fragile. - It is **unsuitable for any deployment** beyond local dev. ## What to do Replace `backend/Dockerfile` with a two-stage build: **Stage 1 — Build** (JDK + Maven): compile the source, resolve all dependencies, produce the fat JAR. **Stage 2 — Runtime** (JRE only): copy the JAR from stage 1, nothing else. No Maven, no source, no JDK tools. ```dockerfile # Stage 1: build FROM eclipse-temurin:21-jdk AS build WORKDIR /app COPY .mvn/ .mvn/ COPY mvnw pom.xml ./ RUN ./mvnw dependency:resolve -q # cache layer — only re-runs if pom.xml changes COPY src ./src RUN ./mvnw clean package -DskipTests # Stage 2: runtime FROM eclipse-temurin:21-jre AS runtime WORKDIR /app COPY --from=build /app/target/*.jar app.jar EXPOSE 8080 ENTRYPOINT ["java", "-jar", "app.jar"] ``` ## Additional hardening - Add a non-root user in the runtime stage (`RUN addgroup --system app && adduser --system --ingroup app app`, then `USER app`). - Pass JVM tuning flags via `JAVA_OPTS` environment variable so they can be overridden at deploy time without rebuilding the image. - The `ENTRYPOINT` should use exec form (JSON array) to ensure signals (SIGTERM) are passed directly to the JVM, enabling graceful shutdown. ## CI impact The `e2e-tests` job in `ci.yml` currently builds the JAR with `mvnw clean package -DskipTests` and runs it directly with `java -jar`. That job does **not** use Docker for the backend — so no CI changes are needed for the backend Dockerfile immediately. However, once a production image build + push step is added to CI (future), this Dockerfile will be the one used. ## Acceptance criteria - `docker build -t familienarchiv-backend .` from `backend/` produces an image with no Maven or JDK tooling in the final layer. - `docker run --env-file .env familienarchiv-backend` starts successfully and `/actuator/health` returns `UP`. - Final image size is under 350 MB.
marcel added the devopsphase-2: container-images labels 2026-03-28 10:46:40 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label devops phase-2: container-images
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#134
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?