From 18e5f6312b15f2e5098cafb9d1d711a35f85b821 Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Mon, 16 Feb 2026 20:21:44 -0600
Subject: [PATCH] fix: reduce Kaniko disk usage in Node.js Dockerfiles

- Combine production stage RUN commands into single layers (each RUN triggers a full Kaniko filesystem snapshot)
- Remove BuildKit --mount=type=cache for pnpm store (Kaniko builds are ephemeral in CI, cache is never reused)
- Remove syntax=docker/dockerfile:1 directive (no longer needed without BuildKit cache mounts)

Co-Authored-By: Claude Opus 4.6
---
 apps/api/Dockerfile          | 18 ++++++------------
 apps/orchestrator/Dockerfile | 18 ++++++------------
 apps/web/Dockerfile          | 22 +++++++--------------
 3 files changed, 19 insertions(+), 39 deletions(-)

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 45245ec..cdd1d81 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
 # (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
@@ -27,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/api/package.json ./apps/api/
 
-# Install dependencies with pnpm store cache
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
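Review bot: With the cache mount gone, `RUN pnpm install --frozen-lockfile` presumably writes pnpm's content-addressable store to its default location under the build user's home — the same `/root/.local/share/pnpm/store` path the removed mount targeted — so that store now lands inside the deps stage layer next to node_modules, and the snapshot for this stage may grow rather than shrink, even though the separate production stage does not inherit it. Since the commit's stated goal is Kaniko disk usage, it is worth measuring this layer before and after and recording the trade-off in the new comment, e.g. `# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI; the pnpm store is written into this layer)`. The same change appears in apps/orchestrator/Dockerfile (`@@ -26,9 +23,8 @@`) and apps/web/Dockerfile (`@@ -27,9 +24,8 @@`).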
@@ -57,16 +53,14 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 FROM node:24-slim AS production
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
-
 # Install dumb-init for proper signal handling (static binary from GitHub,
 # avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
-RUN chmod 755 /usr/local/bin/dumb-init
 
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 
 WORKDIR /app
 
diff --git a/apps/orchestrator/Dockerfile b/apps/orchestrator/Dockerfile
index a22a5e7..4d0a979 100644
--- a/apps/orchestrator/Dockerfile
+++ b/apps/orchestrator/Dockerfile
@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) for native addon compatibility.
 FROM node:24-slim AS base
@@ -26,9 +23,8 @@ COPY packages/config/package.json ./packages/config/
 COPY apps/orchestrator/package.json ./apps/orchestrator/
 
 # Install ALL dependencies (not just production)
-# This ensures NestJS packages and other required deps are available
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# No cache mount — Kaniko builds are ephemeral in CI
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
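Review bot: The combined RUN marks `/usr/local/bin/dumb-init` executable without verifying what the preceding bare `ADD https://…` fetched, so a tampered, substituted or truncated download would still become the image's PID 1 wrapper; the commit also removes the BuildKit syntax directive, so the BuildKit-only `ADD --checksum=` is not an option here. A pinned digest check fits in the same layer without adding a snapshot: insert `&& echo "<sha256 of dumb-init_1.2.5_x86_64 from the upstream release>  /usr/local/bin/dumb-init" | sha256sum -c - \` before the `chmod` step, so the build fails closed on a mismatch. The same unverified-binary path exists in the identical RUN of apps/orchestrator/Dockerfile (`@@ -69,16 +65,14 @@`) and apps/web/Dockerfile (`@@ -79,19 +75,15 @@`). The production stage continues past this hunk, so where `USER` is switched for the nestjs account created here is not visible.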
@@ -69,16 +65,14 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
 LABEL org.opencontainers.image.title="Mosaic Orchestrator"
 LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
-
 # Install dumb-init for proper signal handling (static binary from GitHub,
 # avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
-RUN chmod 755 /usr/local/bin/dumb-init
 
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 
 WORKDIR /app
 
diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index 2e3f822..06a3299 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -1,6 +1,3 @@
-# syntax=docker/dockerfile:1
-# Enable BuildKit features for cache mounts
-
 # Base image for all stages
 # Uses Debian slim (glibc) for consistency with API/orchestrator and to prevent
 # future native addon compatibility issues with Alpine's musl libc.
@@ -27,9 +24,8 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/web/package.json ./apps/web/
 
-# Install dependencies with pnpm store cache
-RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
-    pnpm install --frozen-lockfile
+# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
+RUN pnpm install --frozen-lockfile
 
 # ======================
 # Builder stage
@@ -79,19 +75,15 @@ RUN mkdir -p ./apps/web/public
 # ======================
 FROM node:24-slim AS production
 
-# Remove npm (unused in production — we use pnpm) to reduce attack surface
-RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
-
-# Install pnpm (needed for pnpm start command)
-RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
-
 # Install dumb-init for proper signal handling (static binary from GitHub,
 # avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
-RUN chmod 755 /usr/local/bin/dumb-init
 
-# Create non-root user
-RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
+# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
+    && corepack enable && corepack prepare pnpm@10.27.0 --activate \
+    && chmod 755 /usr/local/bin/dumb-init \
+    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
 
 WORKDIR /app
 