Securely Running Third-Party Node.js Apps with Docker Compose

Why You Should Isolate Third-Party Applications

When you clone a repository from an untrusted source, you're not just getting the application's code; you're also getting all of its dependencies. These dependencies can contain malicious scripts that could potentially access your file system, steal your environment variables, or perform other unwanted actions.

By running the application inside a container, you create a sandboxed environment. This means the application's access to your local machine's filesystem and network is restricted, significantly reducing the potential damage from a malicious package. Think of it as a "cage" for the application, where it can only interact with what you explicitly allow.

GitHub Gist

Getting Started: The Setup

Let's assume you've just cloned a Node.js application into a directory named app:

Now, in the root of your project (outside the app directory), create the following two files: docker-compose.yml and Dockerfile.

The Dockerfile

This file contains the instructions to build the Docker image for our application. It specifies the base image, sets up the working directory, copies the application code, and installs the dependencies.

A quick breakdown:

• FROM node:alpine: We're using the official node image with the alpine tag. Alpine Linux is a lightweight Linux distribution, which results in smaller and more secure images.
• WORKDIR /usr/src: This sets the working directory inside the container. All subsequent commands will be run from this path.
• COPY app .: We copy the contents of our local app directory into the current working directory of the container (/usr/src).
• RUN npm install: This executes the npm install command inside the container to fetch the application's dependencies.
• CMD ["npm", "run", "start"]: This specifies the default command to run when the container starts. We use the CMD instruction here as it can be easily overridden from the docker-compose.yml file if needed.

The docker-compose.yml

This file is where we define and configure the services that make up our application. In this case, we have a single service for our Node.js app.

Let's look at what's happening:

• build: .: This tells Docker Compose to build the image from the Dockerfile in the current directory.
• ports: This maps ports from the host machine to the container.
  • "3000:3000": Maps port 3000 on your local machine to port 3000 inside the container. This is typically the port where the Node.js application will be running.
  • "9229:9229": Maps port 9229, which is the default port for the Node.js inspector, allowing you to debug your application.
• develop.watch: This is where the magic of hot-reloading happens. The watch feature, part of Docker Compose, monitors your local files for changes.
  • action: sync+restart: When a change is detected in the specified path, Docker Compose will first sync the changes to the target directory inside the container and then restart the service. This means you don't have to manually rebuild and restart your container every time you make a change.
  • path: ./app: The local directory to watch for changes.
  • target: /usr/src: The directory inside the container where the changes should be synced.

Running the Application

With your Dockerfile and docker-compose.yml in place, you can now start the application with a single command:

Let's break down the flags:

• --build: This forces Docker Compose to build the image before starting the containers, ensuring you have the latest version of your code.
• --watch: This enables the watch mode, which will automatically sync file changes and restart the service as configured in your docker-compose.yml.

Now, if you open your browser and navigate to http://localhost:3000, you should see the application running. Any changes you make to the code inside the app directory will trigger an automatic restart of the application within the container.

By following these steps, you've created a secure and efficient development environment for any third-party Node.js application. You've isolated it from your host machine, minimizing security risks, while also leveraging the power of Docker Compose's watch mode for a seamless hot-reloading experience. This approach allows you to explore and work with new codebases with greater confidence and productivity.