Improve Coder Docker image #2200

Closed as not planned
@mafredri

Description


There are multiple improvements we could do to the current Dockerfile that runs coder server.

  1. Drop privileges from root (e.g. nobody, or a system user)
  2. Move cache directory from /tmp to a VOLUME (CODER_CACHE_DIRECTORY, note Cache directory env variable for coder server is missing CODER_ prefix #2199)
  3. Put coder in PATH (e.g. /opt => /usr{/local,}/bin)
  4. Mount tmpfs onto /tmp to avoid issues if container is run with read-only filesystem
    • This change would most likely only be done in our docker-compose.yaml
  5. Change ENTRYPOINT to ["coder"] (only) and add CMD ["server"] (alternatively CMD ["coder", "server"] only)
  6. Considering installing Terraform on the system level

Drop privileges from root (e.g. nobody, or a system user)

It's best practice to run with as few permissions as possible. If we need to perform some initialization as root, we should consider dropping privileges afterwards e.g. via gosu, su-exec, or similar.

Move cache directory from /tmp to a VOLUME (CODER_CACHE_DIRECTORY, note #2199)

It'd make sense for the cache directory to persist across server restarts (the assumption for /tmp should always be that it does not persist). Without this change, a server restart is not guaranteed to be successful if there are network issues or a problem downloading TF.

Put coder in PATH (e.g. /opt => /usr{/local,}/bin)

We probably want users to be able to use the coder binary in the image; this is now slightly awkward (esp. with the need to modify the entrypoint as well):

docker run -it --rm -v /home/user/.config/coderv2:/home/user/.config/coderv2 --entrypoint /opt/coder ghcr.io/coder/coder:v0.6.4-amd64 login https://...

Mount tmpfs onto /tmp to avoid issues if container is run with read-only filesystem

It's best practice not to write onto non-volume paths on the container filesystem; for security reasons, users may choose to make it read-only.

Change ENTRYPOINT to ["coder"] (only) and add CMD ["server"] (alternatively CMD ["coder", "server"] only)

Makes it easier to use coder from within the Docker image:

docker run -it --rm --entrypoint /bin/sh ghcr.io/coder/coder:v0.6.4-amd64
# coder login https://...

Considering installing Terraform on the system level

This allows us to better tie Coder releases to Terraform versions. The idea behind Docker images is that once they're built, they always work and are immutable. This is not the case when we rely on network and downloading binaries at runtime.
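The following Dockerfile is an added example of how the six points above could fit together; it is not the coder project's own Dockerfile. It assumes the build context contains a prebuilt `coder` binary and a `terraform` binary pinned to the release, that an Alpine base image is acceptable, and that the cache variable is named `CODER_CACHE_DIRECTORY` (i.e. that #2199 has been resolved). The user and group name `coder` and the cache path `/home/coder/.cache/coder` are choices made for this example.

```dockerfile
# Added example, not the coder project's Dockerfile. Assumes the build context
# supplies prebuilt `coder` and `terraform` binaries for this release.
FROM alpine:3.16

# 6. Terraform baked into the image at build time instead of being downloaded at
#    runtime, so the image works without network access and stays immutable.
COPY terraform /usr/local/bin/terraform

# 3. coder on PATH, so `docker run ... coder login` works without --entrypoint.
COPY coder /usr/local/bin/coder

# 1. Dedicated unprivileged user; the server never runs as root.
#    (uid/gid 1000 and the name `coder` are choices made for this example.)
RUN addgroup -g 1000 coder \
    && adduser -D -u 1000 -G coder coder \
    && mkdir -p /home/coder/.cache/coder \
    && chown -R coder:coder /home/coder

# 2. Cache on a VOLUME rather than /tmp, so a restart does not depend on
#    re-downloading anything. Variable name assumes #2199 is resolved.
ENV CODER_CACHE_DIRECTORY=/home/coder/.cache/coder
VOLUME ["/home/coder/.cache/coder"]

USER coder
WORKDIR /home/coder

# 5. ENTRYPOINT is just the binary; CMD supplies the default subcommand, so
#    `docker run IMAGE` starts the server and `docker run IMAGE login URL`
#    runs the CLI without overriding the entrypoint.
ENTRYPOINT ["coder"]
CMD ["server"]
```

Point 4 (tmpfs on /tmp) is a runtime concern rather than an image one: with the image above, `docker run --read-only --tmpfs /tmp -v coder-cache:/home/coder/.cache/coder IMAGE` runs the server on a read-only root filesystem with only the cache volume and /tmp writable, and the equivalent in docker-compose.yaml is `read_only: true` plus a `tmpfs:` entry for `/tmp` on the service.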

Labels: api, Area: HTTP API, stale