Docker
Docker is a leading containerization platform for building, shipping, and running applications. Follow these best practices to ensure secure, efficient, and maintainable Docker images and workflows.
Best Practices for Docker Development
1. Use Official Base Images
Start from trusted, minimal images (e.g.,
alpine
,ubuntu
,node:slim
).Example:
FROM python:3.11-slim
2. Minimize Image Size
Remove unnecessary packages and files.
Use multi-stage builds to keep images lean.
Example:
FROM node:20 AS build WORKDIR /app COPY . . RUN npm ci && npm run build FROM nginx:alpine COPY --from=build /app/dist /usr/share/nginx/html
3. Leverage .dockerignore
Exclude files and directories not needed in the image (e.g.,
.git
,node_modules
,tests
).Example:
node_modules .git tests *.md
4. Use Non-Root Users
Avoid running containers as root for security.
Example:
RUN adduser --disabled-password appuser USER appuser
5. Pin Versions
Specify exact versions for base images and dependencies to ensure reproducibility.
Example:
FROM nginx:1.25.3-alpine
6. Layer Caching
Order Dockerfile instructions to maximize build cache efficiency (install dependencies before copying source code).
7. Health Checks
Add
HEALTHCHECK
instructions to monitor container health.Example:
HEALTHCHECK CMD curl --fail http://localhost:8080/health || exit 1
8. Multi-Arch Builds
Use
docker buildx
for building images for multiple architectures (amd64, arm64).Example:
docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest .
9. Scan Images for Vulnerabilities
Use tools like
docker scan
, Trivy, or Snyk to check for vulnerabilities.Example:
trivy image myapp:latest
10. Use Environment Variables for Configuration
Avoid hardcoding secrets or config in images. Use environment variables and secret managers.
Real-Life Example: Secure, Lean Dockerfile
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
USER node
EXPOSE 3000
CMD ["node", "server.js"]
Best Practices for Docker Usage
Use Docker Compose for local development and multi-container apps.
Tag images with semantic versions (e.g.,
myapp:1.2.3
) and avoid usinglatest
in production.Clean up unused images and containers regularly (
docker system prune
).Store Dockerfiles and Compose files in version control (Git).
Use CI/CD pipelines (GitHub Actions, Azure Pipelines, GitLab CI) to automate builds, tests, and pushes to registries.
Push images to secure registries (Docker Hub, AWS ECR, Azure ACR, GCP Artifact Registry).
Common Pitfalls
Building large images with unnecessary files
Running containers as root
Not scanning images for vulnerabilities
Hardcoding secrets in Dockerfiles
Using unpinned or outdated base images
References
Last updated