Dockerfile Best Practices
Multi-Stage Builds
Why: Reduce image size and improve build performance.
How: Define multiple stages in your Dockerfile, each with its own set of instructions. This allows you to use different base images for different stages, and only include the final output of the build in the resulting image.
Example:
# Stage 1: Build
FROM golang:1.18-alpine AS build
# Copy the source code into the container
COPY . /app
# Build the application
RUN go build -o main /app
# Stage 2: Runtime
FROM alpine:latest
# Copy the built application from the build stage
COPY --from=build /app/main /app/main
# Expose the port the application runs on
EXPOSE 8080
# Run the application
CMD ["/app/main"]
Source: https://docs.docker.com/build/multi-stage-builds/
Image Size Optimization
Why: Smaller images mean faster downloads and deployment, lower storage costs, and faster builds.
How:
- Use smaller base images: Choose base images that only include the necessary dependencies for your application.
- Minimize the number of layers: Use the
COPYinstruction to copy multiple files in a single layer. - Remove unnecessary files: Use the
RUNinstruction to remove temporary files after they are no longer needed.
Example:
FROM alpine:latest
COPY . /app
RUN apk add --no-cache git
RUN git clone https://github.com/golang/go /go
ENV PATH=$PATH:/go/bin
RUN go mod download
RUN go build -o /app/main /app
CMD ["/app/main"]
Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
Build Cache Optimization
Why: Reduce build time by leveraging the build cache.
How:
- Arrange commands in the Dockerfile to maximize cache hits: Place commands that are likely to change less frequently earlier in the Dockerfile.
- Use build arguments to control cache behavior: Use build arguments to conditionally execute commands and avoid unnecessary cache invalidation.
- Use
--cache-fromflag with Buildx: Specify a previous image to use as a cache source for the current build.
Example:
FROM golang:1.18-alpine AS build
ARG BUILD_TYPE=release
# Copy the source code into the container
COPY . /app
# Build the application
RUN if [ "$BUILD_TYPE" = "release" ]; then go build -o main /app; fi
# Stage 2: Runtime
FROM alpine:latest
# Copy the built application from the build stage
COPY --from=build /app/main /app/main
# Expose the port the application runs on
EXPOSE 8080
# Run the application
CMD ["/app/main"]
Source: https://docs.docker.com/build/buildx/working-with-buildx/
Security Considerations
Why: Protect your application and data from vulnerabilities.
How:
- Use official base images: Choose base images from trusted sources like Docker Hub.
- Update dependencies regularly: Keep your dependencies updated to the latest versions to benefit from security fixes.
- Minimize privileges: Run containers with the least amount of privileges necessary.
- Scan for vulnerabilities: Use tools like Docker Bench for Security to scan your images for vulnerabilities.
Example:
FROM golang:1.18-alpine AS build
# Copy the source code into the container
COPY . /app
# Build the application
RUN go build -o main /app
# Stage 2: Runtime
FROM alpine:latest
# Copy the built application from the build stage
COPY --from=build /app/main /app/main
# Expose the port the application runs on
EXPOSE 8080
# Run the application as a non-root user
USER appuser
# Create a user and set the permissions
RUN adduser -D -u 1000 appuser && chown -R appuser:appuser /app
# Run the application
CMD ["/app/main"]
Source: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
Using Buildx
Why: Buildx extends the Docker build process with features like remote building, caching, and multi-platform support.
How:
- Use Buildx to build your images: Use the
docker buildx buildcommand to build images with Buildx. - Leverage Buildx features: Use Buildx features like caching, multi-platform builds, and remote building to improve your workflow.
Example:
docker buildx build --platform linux/amd64,linux/arm64 -t my-app:latest .
