Webui Dockerfile: multi-stage build, upgrade to AlmaLinux 10 + Node.js 24#491
maany wants to merge 2 commits into rucio:master from
Conversation
Split the Dockerfile into a builder stage (git clone + npm install) and a runtime stage, removing git and its transitive dependencies from the final image. Pre-build the env-generator tool during the build stage so it no longer needs to compile at container startup. Replace wget with curl in the entrypoint since wget is no longer installed.
Replace AlmaLinux 9 with AlmaLinux 10, gaining Python 3.12 natively and removing the setuptools downgrade workaround. Upgrade Node.js from 20 to 24 LTS (supported until April 2028) via nodejs24/nodejs24-npm packages with /usr/local/bin symlinks for node/npm/npx compatibility.
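The two-stage layout the description talks about, written out as an added illustration (not the rucio/containers Dockerfile from this PR) and folding in the suggestions from the review comments below: `NODE_ENV` handled per stage, Jinja2 from dnf instead of pip, and the env-generator compiled in the builder. The webui repository URL is an assumption, as is the presence of a `package-lock.json` in the webui and in `tools/env-generator` (needed for `npm ci`).

```dockerfile
# Added example: two-stage build for the webui container on AlmaLinux 10 + Node.js 24.
# Assumed: the repository URL below and that both package trees ship a lockfile.
ARG TAG=main

# ---- builder stage: git and the TypeScript compiler live only here ----------
FROM almalinux:10 AS builder
ARG TAG
LABEL stage=builder
# NODE_ENV is intentionally left unset here: `npx tsc` needs the typescript
# devDependency, which a production install would omit.
RUN dnf -y install git nodejs24 nodejs24-npm && \
    ln -s /usr/bin/node-24 /usr/local/bin/node && \
    ln -s /usr/bin/npm-24 /usr/local/bin/npm && \
    ln -s /usr/bin/npx-24 /usr/local/bin/npx && \
    dnf clean all

WORKDIR /opt/rucio
# Repository URL is an assumption for this example.
RUN git clone --depth 1 --branch "${TAG}" https://github.com/rucio/webui.git webui

# Runtime dependencies of the webui itself: lockfile-pinned, dev tree omitted.
WORKDIR /opt/rucio/webui
RUN npm ci --omit=dev

# Pre-build env-generator once, at image build time (dev deps needed for tsc),
# then prune them so only runtime modules reach the final image.
WORKDIR /opt/rucio/webui/tools/env-generator
RUN npm ci && \
    npx tsc --skipLibCheck && \
    cp -rf src/templates dist/ && \
    npm prune --omit=dev

# ---- runtime stage: no git, no compiler, no pip ------------------------------
FROM almalinux:10
LABEL stage=production
ENV NODE_ENV=production
# python3 + python3-jinja2 from dnf replace the pip/setuptools dance entirely.
RUN dnf -y install nodejs24 nodejs24-npm httpd mod_ssl python3 python3-jinja2 \
        procps patch patchutils && \
    ln -s /usr/bin/node-24 /usr/local/bin/node && \
    ln -s /usr/bin/npm-24 /usr/local/bin/npm && \
    ln -s /usr/bin/npx-24 /usr/local/bin/npx && \
    dnf clean all

# Only the checked-out tree with its pruned node_modules and the compiled
# env-generator (dist/) is copied over; git history and build tooling stay behind.
COPY --from=builder /opt/rucio/webui /opt/rucio/webui
COPY j2.py /usr/local/bin/
RUN ln -s j2.py /usr/local/bin/j2

WORKDIR /opt/rucio/webui
```

The entrypoint can then check for `tools/env-generator/dist/` and only fall back to compiling when a patch has replaced the sources, as the summary describes; with `NODE_ENV=production` set only in the runtime stage, the builder keeps the dev tree it needs for `tsc` while the final image never carries it.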
| ARG TAG | ||
|
|
||
| LABEL stage=production | ||
| ENV NODE_ENV=production |
NODE_ENV should probably be set to production, also in the builder image.
| COPY j2.py /usr/local/bin/ | ||
| RUN python3 -m pip install --no-cache-dir jinja2 && \ | ||
| ln -s j2.py /usr/local/bin/j2 |
as far as I can tell, you do not need j2 in the builder image
webui/Dockerfile
Outdated
| RUN python3 -m pip install --no-cache-dir --upgrade pip && \ | ||
| python3 -m pip install --no-cache-dir --upgrade setuptools | ||
|
|
||
| COPY j2.py /usr/local/bin/ | ||
| RUN python3 -m pip install --no-cache-dir jinja2 && \ | ||
| ln -s j2.py /usr/local/bin/j2 |
instead of installing pip and jinja2 via pip, you could use dnf to install python3 python3-jinja2 in the runtime image
|
|
||
| # Pre-build env-generator so it's ready at runtime | ||
| WORKDIR /opt/rucio/webui/tools/env-generator | ||
| RUN npm install && npx tsc --skipLibCheck && cp -rf src/templates dist/ |
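Review bot: `npx tsc --skipLibCheck` on this line needs the typescript package present in `node_modules`, so if the preceding `npm install` is switched to a production install (as the NODE_ENV comment above suggests), npx would either fetch typescript from the registry at build time or fail; keep a full install in the builder stage for the compile, then `npm prune --omit=dev` (or copy only `dist/` plus the production modules into the runtime stage). Where a lockfile is available, `npm ci` rather than `npm install` pins the versions actually built and fails loudly if the lockfile drifts.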
runs npm install with dev dependencies (see comment about NODE_ENV above)
|
|
||
| RUN python3 -m pip install --no-cache-dir --upgrade pip && \ | ||
| python3 -m pip install --no-cache-dir --upgrade setuptools | ||
| RUN python3 -m pip install --no-cache-dir --upgrade pip setuptools |
do not merge pip and setuptools in one pip install --upgrade; this led to pip not being able to resolve versions in the past. Same below.
| dnf -y module enable nodejs:20 && \ | ||
| dnf -y module install nodejs:20/common && \ | ||
| dnf -y install httpd mod_ssl python39 python-pip procps patch patchutils && \ | ||
| dnf -y install nodejs24 nodejs24-npm httpd mod_ssl python3-pip procps patch patchutils && \ |
remove python3-pip and add python3 and python3-jinja2, so you can get rid of the pip commands below (as stated in the other comment)
| ln -s /usr/bin/node-24 /usr/local/bin/node && \ | ||
| ln -s /usr/bin/npm-24 /usr/local/bin/npm && \ | ||
| ln -s /usr/bin/npx-24 /usr/local/bin/npx |
Really surprised to see this. I saw the module system being dropped, but is there really no replacement?
Summary
- python39 package and the setuptools downgrade workaround. Node.js 24 LTS has active support until October 2026, full maintenance until April 2028.
- npm install --omit=dev to exclude dev dependencies from production, reducing image size and attack surface
- tools/env-generator TypeScript tool at image build time instead of compiling at every container startup. The entrypoint falls back to building on-the-fly only if the pre-built artifact is missing (e.g. when patches replace it).
- wget with curl in the entrypoint since wget is no longer installed

See #492 for the equivalent changes backported to release-38 webui containers.
Security scan results (Docker Scout)
Scanned with webui tag 39.3.5:

Remaining vulnerabilities

- 9 HIGH — all vendored inside Next.js (next/dist/compiled/):
  - tar@7.5.1 (next/dist/compiled/tar/)
  - minimatch@10.0.3 (next/dist/compiled/)
  - minimatch@9.0.5 (next/dist/compiled/glob/)
  - glob@10.4.5 (next/dist/compiled/glob/)
  - glob@11.0.3 (next/dist/compiled/glob/)
  - @isaacs/brace-expansion@5.0.0 (next/dist/compiled/)

  These are pre-compiled into the Next.js package itself and cannot be fixed via npm overrides. Requires a Next.js version upgrade in the webui repo.
- 2 MEDIUM — pip@23.3.2 (CVE-2023-5752, CVE-2025-8869). System pip on AlmaLinux 10.
- 3 LOW — diff@8.0.2, pm2@6.0.14, pip@23.3.2. No fixes available for pm2/diff.