Intro Guide to Dockerfile Best Practices

436 points, by rubinelli, almost 6 years ago

16 comments

itamarst, almost 6 years ago
As is the case with Docker's best practices for Dockerfiles in the official documentation, they're leaving out some really important details.

Specifically, they don't really express how Docker packaging is a process integrating the way you build, where you build, and how you build, not just the Dockerfile.

1. Caching is great... but it can also lead to insecure images because you don't get system package updates if you're only ever building off a cached image. Solution: rebuild once a week from scratch. (https://pythonspeed.com/articles/docker-cache-insecure-images/)

2. Multi-stage builds give you smaller images, but if you don't use them right they result in breaking caching completely, destroying all the speed and size benefits you get from layer caching. Solution: you need to tag and push the build-stage images too, and then pull them before the build, if you want caching to work. (Long version, this is a bit tricky to get right: https://pythonspeed.com/articles/faster-multi-stage-builds/)
AnthonBerg, almost 6 years ago
Use the experimental BuildKit Dockerfile frontend for much improved build-time mounting: https://github.com/moby/buildkit/blob/master/frontend/dockerfile/docs/experimental.md

* You can mount build-time secrets in safely with `--mount-type=secret`, instead of passing them in. (Multistage builds do alleviate the problems with passing secrets in, but not completely.)

* BuildKit automatically parallelizes build stages. (Of course!)

* Mount apt-cache dirs in at build time with `--mount-type bind` so that you don't have to apt-get update every single time, and you don't have to clear apt-caches either.

And lots more.

Notice that this mostly involves capabilities that Docker already has to *build time*.
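
The BuildKit mounts described in the comment above, as an added example that is not part of the thread or the article it discusses. The actual flag syntax is `RUN --mount=type=...` (the experimental frontend documented at the linked page); the apt directories use a `cache` mount rather than a `bind` mount so they persist between builds without being written into any layer, and the secret is exposed only for the one `RUN` step that needs it, so it never ends up in image history. The base image, the secret id `pip_token`, the index URL and the `requirements.txt` are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the thread): BuildKit RUN mounts in a Debian-based
# Python image. Build with BuildKit enabled and pass the secret from a file
# outside the build context, e.g.:
#
#   DOCKER_BUILDKIT=1 docker build \
#       --secret id=pip_token,src=/path/outside/context/pip_token.txt \
#       -t myapp .

FROM python:3.12-slim

# Debian's stock image config deletes downloaded .deb files after install.
# Disable that so the apt cache mount below actually carries over between builds.
RUN rm -f /etc/apt/apt.conf.d/docker-clean \
    && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' \
       > /etc/apt/apt.conf.d/keep-cache

# apt package cache and lists live in cache mounts: reused on the next build,
# never stored in the image, so no "rm -rf /var/lib/apt/lists/*" dance is needed.
# sharing=locked serialises concurrent builds that use the same cache.
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt,sharing=locked \
    apt-get update \
    && apt-get install -y --no-install-recommends build-essential

WORKDIR /app
COPY requirements.txt .

# The secret is mounted read-only at /run/secrets/pip_token for this step only.
# Unlike "ARG TOKEN" or "COPY token.txt .", its value is not recorded in any
# layer or in the image history; only the literal text of this RUN line is.
# The pip download cache is likewise a cache mount, not an image layer.
RUN --mount=type=secret,id=pip_token \
    --mount=type=cache,target=/root/.cache/pip \
    PIP_INDEX_URL="https://__token__:$(cat /run/secrets/pip_token)@pypi.example/simple" \
    pip install -r requirements.txt

COPY . .
USER nobody
CMD ["python", "-m", "myapp"]
```

A quick check after building: `docker history myapp` shows the `RUN` lines but no token value, and `docker run --rm myapp cat /run/secrets/pip_token` fails because the mount does not exist at run time.
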
nisa, almost 6 years ago
If you use multi-stage builds, be aware that COPY --from can also do a chown and save image size: doing a RUN chown -R, which is sometimes necessary to run stuff as a regular user, *duplicates* the image size because changed metadata equals a copy for Docker.

Also, if you dare to enable user namespaces for Docker because, well, also security, multi-stage builds fail (https://github.com/moby/moby/issues/34645)
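
The two preceding comments (itamarst on cache-driven stale packages and on keeping multi-stage builds cacheable, nisa on `COPY --from ... --chown`) put together in one Dockerfile, as an added example that is neither the thread's nor the linked article's own code. The build-stage tag/push/pull flow in the header follows the "faster multi-stage builds" approach itamarst links to, using the classic builder's `--cache-from`, which only consults images already present locally. The registry name `registry.example/myapp`, the Maven layout and the jar name `myapp.jar` (i.e. a `finalName` of `myapp` in the pom) are assumptions.

```dockerfile
# Added example (not from the thread): Java service built in a Maven stage and
# shipped in a JRE-only stage, with the build invocations kept in this header.
#
# Cache-aware build. The builder stage must be tagged, pushed and pulled as an
# image of its own; otherwise "docker build" only has the final image to use as
# cache and rebuilds the Maven stage from scratch every time:
#
#   docker pull registry.example/myapp:build-stage || true
#   docker pull registry.example/myapp:latest      || true
#   docker build --target builder \
#       --cache-from registry.example/myapp:build-stage \
#       -t registry.example/myapp:build-stage .
#   docker build \
#       --cache-from registry.example/myapp:build-stage \
#       --cache-from registry.example/myapp:latest \
#       -t registry.example/myapp:latest .
#   docker push registry.example/myapp:build-stage
#   docker push registry.example/myapp:latest
#
# Scheduled (e.g. weekly) from-scratch rebuild so that a new base image and the
# OS package updates it carries are actually picked up instead of served from cache:
#
#   docker build --pull --no-cache -t registry.example/myapp:latest .

FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /src
# Manifest first, so the dependency download layer is reused until pom.xml changes.
COPY pom.xml .
RUN mvn -q dependency:go-offline
# Sources last: editing code invalidates only the layers below this point.
COPY src ./src
RUN mvn -q -DskipTests package

FROM eclipse-temurin:21-jre
# Dedicated unprivileged account; the image runs as it (see USER below).
RUN useradd --system --uid 10001 --no-create-home app
# Ownership is set while copying. A separate "RUN chown -R app /app" after the
# COPY would write every file again into a new layer, doubling what the jar
# costs in image size.
COPY --from=builder --chown=app:app /src/target/myapp.jar /app/myapp.jar
USER app
ENTRYPOINT ["java", "-jar", "/app/myapp.jar"]
```

Two checks worth running: `docker history registry.example/myapp:latest` should show the jar's size once, on the `COPY --from` layer, with no second layer of the same size; and after the `--pull --no-cache` rebuild, `docker run --rm registry.example/myapp:latest id` reports the `app` uid rather than root.
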
glckr, almost 6 years ago
Tip #6 (Use official images when possible) is certainly convenient when you're just spinning up something (I use them in local docker-composes all the time), but it's surely opening yet another security hole when it comes to prod. We're not lacking examples where packages are hijacked (feels like it happens constantly on npm, rubygems had it just the other day...), and Docker Hub has already had one security breach.

Perhaps worth a mention in this blogpost?
denisstepanov, almost 6 years ago
For Java it's better to use the Jib Gradle/Maven plugin from Google. It produces the Docker image directly and creates layers with dependencies and class files.
avip, almost 6 years ago
I've read several "Dockerfile best practices" would-be tutorials, and this one stands out as both correct, concise, well explained, and ordered from simple and important to more nuanced. To the author: great job.
gorn, almost 6 years ago
Could someone explain why tip #9 is a good idea? To me it makes more sense to build the application in the CI pipeline and use the Dockerfile only to package the app.

The post is focused on Java apps but, for example, there is a distinction between runtime and SDK images in .NET Core. If you want to build in Docker, you have to pull the heavier SDK image. If you copy the built binaries to the image, you can use the runtime image. I guess there could be similar situations in other platforms too.

Other than that, it looks like a decent guide. Thanks to the author.
sjmulder, almost 6 years ago
I thought about using Docker for a reproducible build environment but, in that context, found it problematic that every time a Dockerfile is built you may end up with new base images and different package versions. That's hardly reproducible.

Perhaps I'm coming at this from the wrong angle.
barrkel, almost 6 years ago
Dockerfiles are a mostly adequate prototyping tool but are not great for generating production builds. Lack of modularity, cascading versioning / dependency management, reproducible builds, ... every time I've used Dockerfiles in anger I've cobbled together another 60% of a build system out of bash scripts.

I wish Dockerfiles would just fade away into the background, and be replaced by something more similar to an archiver but with better integration with repositories and versioning metadata.
pulse7, almost 6 years ago
Dockerfile = docker run + docker commit + MANY unneeded limitations
mothsonasloth, almost 6 years ago
Order of copying is especially important with Java (Maven/Gradle) builds and NPM; it saves time.

It's also good to speed up builds by configuring them to cache artifacts in a separate layer before the build happens, or you can get them to use the host machine's cached .m2 / .npm folders as a volume; however, that might not work with pipelines etc. that build the Docker containers.
zimbatm, almost 6 years ago
COPY caching doesn't work between computers.

This was surprising to me. I thought I could `docker pull` the layers from the registry and only re-build what had changed on my machine. But no, this doesn't work.

The reason is that the Docker client archives the source files, including all the file attributes like uid, gid, mtime, ... Between two computers those are bound to be different.
zapita, almost 6 years ago
I highly recommend checking out https://github.com/docker/buildx . It's still in tech preview but it's an exciting look at the future of docker-build.
oliveralbertini, almost 6 years ago
What about changing the default USER in the Dockerfile?
liveoneggs, almost 6 years ago
So if you want a vi in your image (the article has a vim line) you can get one (because they are occasionally useful) for a low cost by installing *nvi* instead of vim. It's great and only a few K.
musicale, almost 6 years ago
My personal best practice is to never use docker.