Daniil
19 lines
1.4 KiB
Markdown
19 lines
1.4 KiB
Markdown
# Docker Infrastructure Audit Findings
|
|
|
|
**Applies when:** implementing any Docker fixes, setting up CI/CD, preparing for production deployment, or reviewing PRs that touch Dockerfiles or compose files.
|
|
|
|
- Backend `.dockerignore` is missing `.env` exclusion -- security risk for future `COPY . .` changes.
|
|
- Backend `.gitignore` is missing `.env` exclusion -- latent secret leak risk.
|
|
- MinIO image is unpinned (`minio/minio` with no tag) -- all others are pinned.
|
|
- No resource limits on any service. Remotion needs 4GB+ for Chromium/FFmpeg renders.
|
|
- Health checks exist only on `db` and `redis`. Missing on `minio`, `api`, `worker`, `remotion`.
|
|
- API health check requires a `GET /api/health/` endpoint (may not exist yet -- needs backend team).
|
|
- No restart policies on any service.
|
|
- Both Dockerfiles run as root -- non-root user should be added to `prod` stages (dev stage has bind-mount permission complications).
|
|
- `build-essential` is in the `base` stage, bloating the prod image by ~200MB. Move to `deps` stage only.
|
|
- Remotion Dockerfile missing BuildKit apt cache mounts (backend has them, remotion does not).
|
|
- Environment variables duplicated between `api` and `worker` (14 identical vars) -- use `x-backend-env` YAML anchor.
|
|
- Worker is missing `JWT_SECRET_KEY` that API has.
|
|
- No CI/CD pipeline exists at all -- zero automation.
|
|
- No frontend Dockerfile -- needs `output: 'standalone'` in next.config.mjs first.
|