docs initial
@@ -0,0 +1,18 @@
# Docker Infrastructure Audit Findings
**Applies when:** implementing any Docker fixes, setting up CI/CD, preparing for production deployment, or reviewing PRs that touch Dockerfiles or compose files.
- Backend `.dockerignore` is missing `.env` exclusion -- security risk for future `COPY . .` changes.
- Backend `.gitignore` is missing `.env` exclusion -- latent secret leak risk.
- MinIO image is unpinned (`minio/minio` with no tag) -- all others are pinned.
- No resource limits on any service. Remotion needs 4GB+ for Chromium/FFmpeg renders.
- Health checks exist only on `db` and `redis`. Missing on `minio`, `api`, `worker`, `remotion`.
- API health check requires a `GET /api/health/` endpoint (may not exist yet -- needs backend team).
- No restart policies on any service.
- Both Dockerfiles run as root -- non-root user should be added to `prod` stages (dev stage has bind-mount permission complications).
- `build-essential` is in the `base` stage, bloating the prod image by ~200MB. Move to `deps` stage only.
- Remotion Dockerfile missing BuildKit apt cache mounts (backend has them, remotion does not).
- Environment variables duplicated between `api` and `worker` (14 identical vars) -- use `x-backend-env` YAML anchor.
- Worker is missing `JWT_SECRET_KEY` that API has.
- No CI/CD pipeline exists at all -- zero automation.
- No frontend Dockerfile -- needs `output: 'standalone'` in next.config.mjs first.
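Review bot: the two findings "Environment variables duplicated between `api` and `worker` (14 identical vars) -- use `x-backend-env` YAML anchor" and "Worker is missing `JWT_SECRET_KEY` that API has" pull in opposite directions and the document should say which one wins. Read together they imply the fix is to fold `JWT_SECRET_KEY` into the shared anchor so both services receive it, but a signing secret should only reach a service that actually verifies or issues tokens; please record whether the worker needs the key (a real defect, e.g. it validates JWTs) or whether the gap is correct least privilege, and if the latter, note that the anchor must carry only the 14 truly common variables with secrets merged per service. Two smaller points on the same list: "API health check requires a `GET /api/health/` endpoint (may not exist yet -- needs backend team)" should state that adding the compose health check before the endpoint exists will mark `api` unhealthy on every start, so the two changes need to land together or the finding needs a "blocked on" marker; and the `.dockerignore` / `.gitignore` items about `.env` would be stronger with a note that the file is already shipped to the build daemon as part of the context today, which is why the fix belongs before, not after, any `COPY . .` change. The list as a whole would also benefit from a severity or priority marker per item, since the secret-handling findings and the unpinned `minio/minio` image are not in the same class as the ~200MB `build-essential` image bloat.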