fix: drop HandBrake from default image, add :handbrake variant
Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg7 7.x, doubling the ffmpeg CVE surface. HandBrake is optional (ffmpeg handles encoding by default), so remove it from the default image. - Dockerfile: ffmpeg + openssh-client only (removes ffmpeg7 family) - Dockerfile.handbrake: new variant for users who need HandBrake presets or forced-subtitle burn-in; carries the known higher CVE count Docker Hub tags: pyr0ball/discarr:latest / 0.1.2 — lean, ffmpeg only pyr0ball/discarr:handbrake — includes HandBrake (more CVEs)
This commit is contained in:
parent
e475d3433c
commit
9a1f0e0d39
2 changed files with 33 additions and 8 deletions
17
Dockerfile
17
Dockerfile
|
|
@ -1,22 +1,23 @@
|
||||||
# Discarr: disc scanning and encoding queue
|
# Discarr: disc scanning and encoding queue
|
||||||
# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and local encode dispatch
|
# ffmpeg/ffprobe: VIDEO_TS/BDMV metadata scanning and HEVC encode dispatch
|
||||||
# HandBrake: optional HEVC encoder (ffmpeg is the fallback)
|
|
||||||
# openssh-client: remote encode dispatch to SSH transcode workers
|
# openssh-client: remote encode dispatch to SSH transcode workers
|
||||||
|
#
|
||||||
|
# HandBrake is NOT included in this image — ffmpeg handles encoding by default.
|
||||||
|
# If you need HandBrake (preset system, forced-subtitle burn-in), use the
|
||||||
|
# handbrake variant: pyr0ball/discarr:handbrake
|
||||||
|
# Or install HandBrake natively via: sudo bash install.sh
|
||||||
|
|
||||||
# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
|
# Node 22 is the current LTS (Node 20 reached EOL 2026-04-30)
|
||||||
FROM node:22-alpine
|
FROM node:22-alpine
|
||||||
|
|
||||||
# Upgrade all base packages to pick up security patches from Alpine before
|
# Upgrade all base packages first to pick up Alpine security patches,
|
||||||
# adding our own deps. Combining upgrade + add in one RUN avoids an extra
|
# then add runtime dependencies in the same layer.
|
||||||
# layer and ensures the package index stays consistent.
|
|
||||||
RUN apk upgrade --no-cache && \
|
RUN apk upgrade --no-cache && \
|
||||||
apk add --no-cache \
|
apk add --no-cache \
|
||||||
ffmpeg \
|
ffmpeg \
|
||||||
handbrake \
|
|
||||||
openssh-client
|
openssh-client
|
||||||
|
|
||||||
# npm's bundled deps (tar, minimatch) carry their own CVE surface.
|
# Update npm to patch bundled tar/minimatch CVEs
|
||||||
# Updating to latest npm gets the patched versions.
|
|
||||||
RUN npm install -g npm@latest && npm cache clean --force
|
RUN npm install -g npm@latest && npm cache clean --force
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
|
||||||
24
Dockerfile.handbrake
Normal file
24
Dockerfile.handbrake
Normal file
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Discarr — HandBrake variant
|
||||||
|
# Includes HandBrake for preset-based encoding and forced-subtitle burn-in.
|
||||||
|
# NOTE: Alpine's HandBrake package depends on both ffmpeg 8.x AND ffmpeg 7.x,
|
||||||
|
# which increases the CVE surface area compared to the default image.
|
||||||
|
# Use this variant only if you specifically need HandBrake features.
|
||||||
|
#
|
||||||
|
# Build: docker build -f Dockerfile.handbrake -t pyr0ball/discarr:handbrake .
|
||||||
|
|
||||||
|
FROM node:22-alpine
|
||||||
|
|
||||||
|
RUN apk upgrade --no-cache && \
|
||||||
|
apk add --no-cache \
|
||||||
|
ffmpeg \
|
||||||
|
handbrake \
|
||||||
|
openssh-client
|
||||||
|
|
||||||
|
RUN npm install -g npm@latest && npm cache clean --force
|
||||||
|
|
||||||
|
WORKDIR /app
|
||||||
|
COPY server.js scanner.js ./
|
||||||
|
COPY public/ ./public/
|
||||||
|
|
||||||
|
EXPOSE 8603
|
||||||
|
CMD ["node", "server.js"]
|
||||||
Loading…
Reference in a new issue