Consolidate tool Dockerfiles into a single multi-stage Dockerfile#111
Consolidate tool Dockerfiles into a single multi-stage Dockerfile#111
Conversation
Co-authored-by: szschaler <7057319+szschaler@users.noreply.github.com> Agent-Logs-Url: https://github.com/mdenet/platformtools/sessions/b6ab5268-aa41-46be-9015-ddb9c14527a4
Dockerfile
Outdated
|
|
||
| # Copy built tool and sources | ||
| COPY --from=mavenbuilder /root/.m2 /root/.m2 | ||
| COPY --from=mavenbuilder /usr/src/toolfunctions /toolservice |
There was a problem hiding this comment.
This line, and the corresponding ones in the other service build stages, needs to only copy the folders actually needed by each tool. Check out the maven build in the respective bespoke Dockerfiles to work out which folders these are.
There was a problem hiding this comment.
Done in f1b6062. Each tool service stage now copies only its required module folders, matching the Maven profiles from the original per-tool Dockerfiles:
- emf:
core,emf,emffunction - emfatic:
core,emf,emfatic,emfaticfunction - ocl:
core,eclipseocl,eclipseoclfunction - conversion:
core,emf,epsilon,epsilonfunction - xtext:
core,emf,xtext,xtextfunction
Co-authored-by: szschaler <7057319+szschaler@users.noreply.github.com> Agent-Logs-Url: https://github.com/mdenet/platformtools/sessions/e691f0eb-fb24-4c42-8fd9-8ba24d1e203f
There was a problem hiding this comment.
Pull request overview
This PR introduces a single root-level multi-stage Dockerfile that centralizes the Maven build for all tool services and then produces separate final images per tool by targeting different stages.
Changes:
- Adds a root
Dockerfilewith a sharedmavenbuilderstage that builds all tool modules with-Pall. - Adds per-tool frontend build stages (EMF, Emfatic, OCL, Conversion, Xtext) and per-tool final service stages.
- Updates service stages to copy only the Maven module folders needed for each tool (mirroring the original per-tool profile module sets).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| FROM node:19-bullseye AS staticbuild-emf | ||
|
|
||
| WORKDIR /usr/src/mdenet-tool | ||
|
|
||
| COPY static.emf/package*.json ./ | ||
| COPY static.emf . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ | ||
|
|
||
|
|
||
| # --------------------------------------------------------------------------- | ||
| # Stage 2b – Static frontend build for Emfatic | ||
| # --------------------------------------------------------------------------- | ||
| FROM node:19-bullseye AS staticbuild-emfatic | ||
|
|
||
| WORKDIR /usr/src/mdenet-tool | ||
|
|
||
| COPY static.emfatic/package*.json ./ | ||
| COPY static.emfatic . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ |
There was a problem hiding this comment.
This stage uses node:19-bullseye. Node 19 is long EOL, so continuing to build on it increases security risk and may break future dependency installs. Please switch these frontend build stages to a supported LTS base image (and keep it consistent with the Node version used in the Xtext service stage).
| COPY static.conversion/package*.json ./ | ||
| COPY static.conversion . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ |
There was a problem hiding this comment.
Same issue here: npm install; npm run build; ... should use && to avoid masking failures, and npm ci is preferred for reproducible builds when package-lock.json exists.
| COPY xtext/static.xtext/package*.json ./ | ||
| COPY xtext/static.xtext . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ |
There was a problem hiding this comment.
Same issue here: npm install; npm run build; ... should use && to ensure failures fail the build, and prefer npm ci for lockfile installs.
| && if [ "$ARCH" = "arm64" ] || [ "$ARCH" = "aarch64" ]; then NODE_ARCH="linux-arm64"; else NODE_ARCH="linux-x64"; fi \ | ||
| && NODE_RELEASE="node-v${NODE_VERSION}-${NODE_ARCH}" \ | ||
| && echo "Installing ${NODE_RELEASE}" \ | ||
| && curl --output ${NODE_RELEASE}.tar.xz https://nodejs.org/download/release/v${NODE_VERSION}/${NODE_RELEASE}.tar.xz \ |
There was a problem hiding this comment.
The Xtext service installs Node by downloading a tarball via curl without any integrity verification (checksum/signature). This is a supply-chain risk; prefer installing Node from a trusted distribution mechanism (OS packages/Nodesource) or verify the download using published SHASUMS before extracting.
| && curl --output ${NODE_RELEASE}.tar.xz https://nodejs.org/download/release/v${NODE_VERSION}/${NODE_RELEASE}.tar.xz \ | |
| && curl -fsSL -o ${NODE_RELEASE}.tar.xz https://nodejs.org/download/release/v${NODE_VERSION}/${NODE_RELEASE}.tar.xz \ | |
| && curl -fsSL -o SHASUMS256.txt https://nodejs.org/download/release/v${NODE_VERSION}/SHASUMS256.txt \ | |
| && grep " ${NODE_RELEASE}.tar.xz\$" SHASUMS256.txt > SHASUMS256.txt.node \ | |
| && sha256sum -c SHASUMS256.txt.node \ |
| # The release of node to install | ||
| ENV NODE_VERSION=19.9.0 |
There was a problem hiding this comment.
NODE_VERSION=19.9.0 is an EOL Node release. Please switch to a currently supported LTS version to reduce CVE exposure and keep npm dependency installs working over time.
| COPY static.emfatic/package*.json ./ | ||
| COPY static.emfatic . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ |
There was a problem hiding this comment.
Same as the EMF static build: npm install; npm run build; ... should be changed to use && (to avoid masking failures) and preferably npm ci for reproducible installs when package-lock.json is present.
| COPY static.ocl/package*.json ./ | ||
| COPY static.ocl . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ |
There was a problem hiding this comment.
Same issue here: using ; between npm commands can allow the Docker build to succeed even if npm install/npm run build fails (depending on the last command). Use && chaining and consider npm ci for lockfile-based installs.
| RUN apt-get update && apt-get install -y --no-install-recommends unzip zip xz-utils maven cron psmisc | ||
|
|
There was a problem hiding this comment.
apt-get update && apt-get install ... in this stage doesn't clean /var/lib/apt/lists/*, which leaves package index files in the image and increases size. Consider adding the standard cleanup (and similarly remove any temporary artifacts created during Node installation) to keep the final image leaner.
| COPY services /usr/src/toolfunctions | ||
|
|
||
| WORKDIR /usr/src/toolfunctions | ||
|
|
There was a problem hiding this comment.
The Maven build stage copies the entire services/ tree before running mvn, which means any change anywhere under services/ will invalidate the Docker cache for dependency download/build. To better leverage caching, copy services/pom.xml (and any other Maven metadata) first and run a dependency prefetch (or mvn -Pall -DskipTests ... as appropriate), then copy the rest of the sources and run the full build.
| COPY services /usr/src/toolfunctions | |
| WORKDIR /usr/src/toolfunctions | |
| WORKDIR /usr/src/toolfunctions | |
| # Copy Maven metadata first to leverage Docker layer caching for dependencies | |
| COPY services/pom.xml /usr/src/toolfunctions/pom.xml | |
| # Prefetch Maven dependencies without running tests or doing a full build | |
| RUN mvn -Pall -DskipTests dependency:go-offline | |
| # Now copy the full source tree and perform the actual build | |
| COPY services /usr/src/toolfunctions |
| COPY static.emf/package*.json ./ | ||
| COPY static.emf . | ||
|
|
||
| RUN npm install; npm run build; chmod -R 755 dist/ |
There was a problem hiding this comment.
Dependency caching for this frontend stage is reduced because npm install runs after copying the full source tree. Consider copying only package*.json, running npm ci, then copying the rest of the sources and running the build (also use && instead of ; to avoid masking failures).
Dockerfilewith:mavenbuilder) that builds ALL tools with-PallOriginal prompt
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.