Run with NODE_ENV set to production. This is the way you would pass in secrets and other runtime configurations to your application as well.
-e "NODE_ENV=production"
By default, Docker runs container as root which inside of the container can pose as a security issue. You would want to run the container as an unprivileged user wherever possible. The node images (with the exception of the onbuild variant) provide the node user for such purpose. The Docker Image can than be run with the node user in the following way:
-u "node"
When using the onbuild variant, add the user like so:
FROM node:4.1.2-onbuild
# Add our user and group first to make sure their IDs get assigned consistently
RUN groupadd -r node && useradd -r -g node nodeBy default, any Docker Container may consume as much of the hardware such as CPU and RAM. If you are running multiple containers on the same host you should limit how much memory they can consume.
-m "300M" --memory-swap "1G"
When creating an image, you can bypass the package.json's start command and bake it directly into the image itself. This reduces the number of processes running inside of your container.
CMD ["node","index.js"]Here is an example of how you would run a default Node.JS Docker Containerized application:
$ docker run \
-e "NODE_ENV=production" \
-u "node" \
-m "300M" --memory-swap "1G" \
-w "/home/node/app" \
--name "my-nodejs-app" \
node [script]
The Docker team has provided a tool to analyze your running containers for potential security issues. You can download and run this tool from here: https://github.com/docker/docker-bench-security