Update Dockerfile

QAbot-zh · web-flow · commit 73ba0a5806f4 · 2025-10-15T19:54:09.000+08:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,35 +1,46 @@
-# 阶段1：基础镜像准备
+# ========= base =========
 FROM node:20-alpine AS base
-
-# 设置工作目录
 WORKDIR /app
 
-# # 配置国内镜像源
-# RUN npm config set registry https://registry.npmmirror.com/
-
-# 安装必要的系统依赖（例如 CA 证书）
-RUN apk add --no-cache ca-certificates openssl && update-ca-certificates
+# 1) 系统 CA 与 openssl
+RUN apk add --no-cache ca-certificates openssl tzdata curl && update-ca-certificates
 
+# 2) 让 Node 在构建/运行都用系统 CA（同时告知底层库）
 ENV NODE_OPTIONS="--dns-result-order=ipv4first --use-openssl-ca"
 ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
 ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
 
-# 阶段2：构建应用程序
-FROM base AS builder
+# 3) 让 yarn/npm 也指向系统 CA（yarn v1 会读取 npm_*）
+ENV npm_config_strict_ssl=true
+ENV npm_config_cafile=/etc/ssl/certs/ca-certificates.crt
 
+# ========= builder =========
+FROM base AS builder
 WORKDIR /app
 
-# 复制依赖文件
 COPY package.json yarn.lock ./
 
-# 配置镜像源
-ARG REGISTRY_LIST="https://registry.npmmirror.com/ https://registry.npmjs.org/ https://registry.yarnpkg.com/"
-ARG YARN_NETWORK_TIMEOUT="300000"
+# 显式告诉 yarn 使用系统 CA（双保险）
+RUN yarn config set cafile /etc/ssl/certs/ca-certificates.crt
 
+# --- 探针 A：时间是否正常 ---
+RUN date -u
 
-RUN yarn config set cafile /etc/ssl/certs/ca-certificates.crt
+# --- 探针 B：OpenSSL 能否信任 npmjs 证书链（会打印 notBefore/notAfter）---
+RUN openssl s_client -connect registry.npmjs.org:443 -servername registry.npmjs.org </dev/null 2>/dev/null \
+    | openssl x509 -noout -subject -issuer -dates
+
+# --- 探针 C：Node https 是否能连通 npm registry（不经 yarn）---
+RUN node -e "require('https').get('https://registry.npmjs.org',r=>{console.log('node https ok',r.statusCode);r.resume()}).on('error',e=>{console.error('node https FAIL:',e.message);process.exit(1)})"
 
-# 多镜像源回退安装：开发依赖 + 构建所需
+# 可选 sanity：curl 试一下（系统 CA 路径）
+RUN curl -I https://registry.npmjs.org
+
+# 多镜像源 + 缓存挂载（避免 EBUSY，不再在挂载目录里 yarn cache clean）
+ARG REGISTRY_LIST="https://registry.npmmirror.com/ https://registry.npmjs.org/ https://registry.yarnpkg.com/"
+ARG YARN_NETWORK_TIMEOUT="300000"
+
+# 开发依赖
 RUN --mount=type=cache,id=yarn-cache,target=/usr/local/share/.cache/yarn \
     set -eux; success=0; \
     for registry in $REGISTRY_LIST; do \
@@ -38,27 +49,19 @@ RUN --mount=type=cache,id=yarn-cache,target=/usr/local/share/.cache/yarn \
       if yarn install --frozen-lockfile --network-timeout "$YARN_NETWORK_TIMEOUT"; then \
         echo "成功使用镜像源: $registry"; success=1; break; \
       else \
-        echo "镜像源 $registry 失败，清缓存并尝试下一个..."; yarn cache clean || true; \
+        echo "镜像源 $registry 失败，尝试下一个（不在挂载目录里清缓存以避免 EBUSY）"; \
+        rm -rf /tmp/yarn-cache || true; \
       fi; \
     done; test "$success" -eq 1
 
-# # 安装所有依赖，包括开发依赖
-# RUN yarn install
-
-# 复制项目源代码
+# 构建
 COPY . .
-
-# 构建应用程序
 RUN yarn build
 
-# 删除 node_modules 目录
+# 清理再装生产依赖
 RUN rm -rf node_modules
-
-# 设置 NODE_ENV 为 production
 ENV NODE_ENV=production
 
-# 安装生产依赖
-# RUN yarn install --production --ignore-scripts --prefer-offline
 RUN --mount=type=cache,id=yarn-cache,target=/usr/local/share/.cache/yarn \
     set -eux; success=0; \
     for registry in $REGISTRY_LIST; do \
@@ -67,49 +70,35 @@ RUN --mount=type=cache,id=yarn-cache,target=/usr/local/share/.cache/yarn \
       if yarn install --frozen-lockfile --production --ignore-scripts --network-timeout "$YARN_NETWORK_TIMEOUT"; then \
         echo "成功使用镜像源(生产依赖): $registry"; success=1; break; \
       else \
-        echo "镜像源 $registry 失败，清缓存并尝试下一个..."; yarn cache clean || true; \
+        echo "镜像源 $registry 失败，尝试下一个"; \
       fi; \
     done; test "$success" -eq 1
 
-# 清理 yarn 缓存
-RUN yarn cache clean --all || true
-
-# 阶段3：构建最终的生产镜像
+# ========= runtime =========
 FROM node:20-alpine
-
-# 设置工作目录
 WORKDIR /app
-
-# 运行时同样装 CA 证书（以防某些运行时场景需要出网）
 RUN apk add --no-cache ca-certificates && update-ca-certificates
 
-# 创建非 root 用户
-RUN addgroup -g 1001 appgroup && \
-    adduser -D -u 1001 -G appgroup appuser
+ENV NODE_ENV=production
+ENV HOSTNAME=0.0.0.0
+ENV PORT=13000
 
-# 复制应用程序文件
+# 运行期也保持一致
+ENV NODE_OPTIONS="--dns-result-order=ipv4first --use-openssl-ca"
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
+
+# 非 root
+RUN addgroup -g 1001 appgroup && adduser -D -u 1001 -G appgroup appuser
+
+# 拷贝产物
 COPY --from=builder /app/server.js /app/server.js
 COPY --from=builder /app/dist /app/dist
 COPY --from=builder /app/api /app/api
 COPY --from=builder /app/node_modules /app/node_modules
 COPY --from=builder /app/package.json /app/package.json
 
-# 修改文件权限，使 appuser 拥有所有权
 RUN chown -R appuser:appgroup /app
-
-# 设置环境变量
-ENV NODE_ENV=production
-ENV HOSTNAME="0.0.0.0"
-ENV PORT=13000
-ENV NODE_OPTIONS="--dns-result-order=ipv4first --use-openssl-ca"
-ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
-ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
-
-# 暴露端口
 EXPOSE 13000
-
-# 使用非 root 用户
 USER appuser
-
-# 启动命令
 CMD ["node", "server.js"]
