To install private npm packages in a Docker container, you will need to use Docker build secrets.

Background: runtime variables

You cannot install private npm packages in a Docker container using only runtime variables. Consider the following Dockerfile:

FROM node
COPY package.json package.json
RUN npm install
# Add your source files
COPY . .
CMD npm start

This uses the official Node.js image, copies package.json into the container, installs the dependencies, copies the source files, and runs the start command specified in package.json.

To install private packages, you might think you could simply add a line before npm install that sets the token with the ENV instruction:

ENV NPM_TOKEN=00000000-0000-0000-0000-000000000000

However, this doesn't work as you would expect, because you want the npm install to occur when you run docker build, and in this instance, ENV variables aren't used; they are set for runtime only.

Instead of runtime variables, you must use Docker build secrets.

Update the Dockerfile

The Dockerfile that takes advantage of this has a few more lines than the earlier example. It lets the build use your global .npmrc and the access token created by the npm login command (if you haven't run it yet, do so before moving on).

# https://npm.nodejs.cn/docker-and-private-modules
FROM node:18
ENV APP_HOME="/app"
WORKDIR ${APP_HOME}
COPY package*.json ${APP_HOME}/
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm install
COPY . ${APP_HOME}/
CMD npm start

This configures your Dockerfile to receive the .npmrc file via a build secret, which leaves no trace after the npm dependency installation is done.

Build the Docker image

To build the image using the above Dockerfile and the npm authentication token, run the following command. Note the ., which passes the current directory to docker build as an argument.

docker build . -t secure-app-secrets:1.0 --secret id=npmrc,src=$HOME/.npmrc

This builds the Docker image with the access token from your global .npmrc file, received via build secrets, so npm install runs inside the container as the currently logged-in user.

Note: You may need to specify a working directory different from the default /, otherwise some frameworks like Angular will fail.
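
An added example, not part of the npm documentation: a POSIX shell check to run before docker build that flags the ways an npm token can still end up in the image even when the install step uses a secret mount. The function name check_npm_token_leaks and the grep heuristics are this example's own; it relies on two Docker behaviours, that ENV values are stored in the image configuration and that ARG values used by a RUN step appear in docker history.

```shell
#!/bin/sh
# Added example (not from the npm docs): pre-build check for npm token leaks.
# Usage: check_npm_token_leaks <build-context-dir>
# Prints one line per finding; returns 1 if anything was found, else 0.
# Typical use: check_npm_token_leaks . && docker build . --secret id=npmrc,src=$HOME/.npmrc
check_npm_token_leaks() {
    ctx=$1
    df="$ctx/Dockerfile"
    found=0

    # ENV values are stored in the image config; ARG values used by a RUN step
    # show up in `docker history`. Neither is a safe place for a token.
    if grep -Eiq '^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Za-z0-9_]*TOKEN' "$df"; then
        echo "token passed via ENV/ARG"
        found=1
    fi

    # An explicit COPY/ADD of .npmrc writes the credentials into a layer.
    if grep -Eiq '^[[:space:]]*(COPY|ADD)[[:space:]].*\.npmrc' "$df"; then
        echo ".npmrc copied into a layer"
        found=1
    fi

    # "COPY . <dest>" also picks up a project-level .npmrc unless .dockerignore
    # excludes it. Only a literal token counts, not a ${NPM_TOKEN} reference.
    # Heuristic: .dockerignore is matched on the exact lines ".npmrc" or "**/.npmrc".
    if grep -Eiq '^[[:space:]]*(COPY|ADD)[[:space:]]+(--[^[:space:]]+[[:space:]]+)*\./?[[:space:]]' "$df" &&
       grep -Eq '_authToken=[^$]' "$ctx/.npmrc" 2>/dev/null &&
       ! grep -Eqx '(\*\*/)?\.npmrc' "$ctx/.dockerignore" 2>/dev/null; then
        echo "project .npmrc with token is inside the build context"
        found=1
    fi
    return "$found"
}
```

The third check matters for the Dockerfile above: its COPY . step copies everything in the build context, so a project-level .npmrc holding a token would be written into a layer even though the install step itself used the secret mount.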
