Docker Best Practices

1---2name: docker-best-practices3description: Comprehensive Docker best practices for images, containers, and production deployments. PROACTIVELY activate for: (1) writing production-ready Dockerfiles, (2) multi-stage builds for lean images, (3) base image selection (distroless, alpine, scratch, slim), (4) layer caching and ordering, (5) .dockerignore hygiene, (6) HEALTHCHECK and graceful shutdown, (7) non-root user and least-privilege patterns, (8) ENV vs ARG and secret handling, (9) tag/digest pinning and reproducibility, (10) Compose for local development. Provides: Dockerfile templates by language, image-size optimization checklist, .dockerignore template, HEALTHCHECK patterns, and Compose dev-stack examples.4---5 6## 🚨 CRITICAL GUIDELINES7 8### Windows File Path Requirements9 10**MANDATORY: Always Use Backslashes on Windows for File Paths**11 12When using Edit or Write tools on Windows, you MUST use backslashes (`\`) in file paths, NOT forward slashes (`/`).13 14**Examples:**15- ❌ WRONG: `D:/repos/project/file.tsx`16- ✅ CORRECT: `D:\repos\project\file.tsx`17 18This applies to:19- Edit tool file_path parameter20- Write tool file_path parameter21- All file operations on Windows systems22 23 24### Documentation Guidelines25 26**NEVER create new documentation files unless explicitly requested by the user.**27 28- **Priority**: Update existing README.md files rather than creating new documentation29- **Repository cleanliness**: Keep repository root clean - only README.md unless user requests otherwise30- **Style**: Documentation should be concise, direct, and professional - avoid AI-generated tone31- **User preference**: Only create additional .md files when user specifically asks for documentation32 33 34---35 36# Docker Best Practices37 38This skill provides current Docker best practices across all aspects of container development, deployment, and operation.39 40## Image Best Practices41 42### Base Image Selection43 44**2025 Recommended Hierarchy:**451. **Wolfi/Chainguard** (`cgr.dev/chainguard/*`) - Zero-CVE goal, SBOM included462. **Alpine** (`alpine:3.19`) - ~7MB, minimal attack surface473. **Distroless** (`gcr.io/distroless/*`) - ~2MB, no shell484. **Slim variants** (`node:20-slim`) - ~70MB, balanced49 50**Key rules:**51- Always specify exact version tags: `node:20.11.0-alpine3.19`52- Never use `latest` (unpredictable, breaks reproducibility)53- Use official images from trusted registries54- Match base image to actual needs55 56### Dockerfile Structure57 58**Optimal layer ordering** (least to most frequently changing):59```dockerfile601. Base image and system dependencies612. Application dependencies (package.json, requirements.txt, etc.)623. Application code634. Configuration and metadata64```65 66**Rationale:** Docker caches layers. If code changes but dependencies don't, cached dependency layers are reused, speeding up builds.67 68**Example:**69```dockerfile70FROM python:3.12-slim71 72# 1. System packages (rarely change)73RUN apt-get update && apt-get install -y --no-install-recommends \74    gcc \75    && rm -rf /var/lib/apt/lists/*76 77# 2. Dependencies (change occasionally)78COPY requirements.txt .79RUN pip install --no-cache-dir -r requirements.txt80 81# 3. Application code (changes frequently)82COPY . /app83WORKDIR /app84 85CMD ["python", "app.py"]86```87 88### Multi-Stage Builds89 90Use multi-stage builds to separate build dependencies from runtime:91 92```dockerfile93# Build stage94FROM node:20-alpine AS builder95WORKDIR /app96COPY package*.json ./97RUN npm ci98COPY . .99RUN npm run build100 101# Production stage102FROM node:20-alpine AS runtime103WORKDIR /app104# Only copy what's needed for runtime105COPY --from=builder /app/dist ./dist106COPY --from=builder /app/node_modules ./node_modules107USER node108CMD ["node", "dist/server.js"]109```110 111**Benefits:**112- Smaller final images (no build tools)113- Better security (fewer attack vectors)114- Faster deployment (smaller upload/download)115 116### Layer Optimization117 118**Combine commands** to reduce layers and image size:119 120```dockerfile121# Bad - 3 layers, cleanup doesn't reduce size122RUN apt-get update123RUN apt-get install -y curl124RUN rm -rf /var/lib/apt/lists/*125 126# Good - 1 layer, cleanup effective127RUN apt-get update && \128    apt-get install -y --no-install-recommends curl && \129    rm -rf /var/lib/apt/lists/*130```131 132### .dockerignore133 134Always create `.dockerignore` to exclude unnecessary files:135 136```137# Version control138.git139.gitignore140 141# Dependencies142node_modules143__pycache__144*.pyc145 146# IDE147.vscode148.idea149 150# OS151.DS_Store152Thumbs.db153 154# Logs155*.log156logs/157 158# Testing159coverage/160.nyc_output161*.test.js162 163# Documentation164README.md165docs/166 167# Environment168.env169.env.local170*.local171```172 173## Container Runtime Best Practices174 175### Security176 177```bash178docker run \179  # Run as non-root180  --user 1000:1000 \181  # Drop all capabilities, add only needed ones182  --cap-drop=ALL \183  --cap-add=NET_BIND_SERVICE \184  # Read-only filesystem185  --read-only \186  # Temporary writable filesystems187  --tmpfs /tmp:noexec,nosuid \188  # No new privileges189  --security-opt="no-new-privileges:true" \190  # Resource limits191  --memory="512m" \192  --cpus="1.0" \193  my-image194```195 196### Resource Management197 198Always set resource limits in production:199 200```yaml201# docker-compose.yml202services:203  app:204    deploy:205      resources:206        limits:207          cpus: '2.0'208          memory: 1G209        reservations:210          cpus: '1.0'211          memory: 512M212```213 214### Health Checks215 216Implement health checks for all long-running containers:217 218```dockerfile219HEALTHCHECK --interval=30s --timeout=3s --retries=3 --start-period=40s \220  CMD curl -f http://localhost:3000/health || exit 1221```222 223Or in compose:224```yaml225services:226  app:227    healthcheck:228      test: ["CMD", "curl", "-f", "http://localhost/health"]229      interval: 30s230      timeout: 3s231      retries: 3232      start_period: 40s233```234 235### Logging236 237Configure proper logging to prevent disk fill-up:238 239```yaml240services:241  app:242    logging:243      driver: "json-file"244      options:245        max-size: "10m"246        max-file: "3"247```248 249Or system-wide in `/etc/docker/daemon.json`:250```json251{252  "log-driver": "json-file",253  "log-opts": {254    "max-size": "10m",255    "max-file": "3"256  }257}258```259 260### Restart Policies261 262```yaml263services:264  app:265    # For development266    restart: "no"267 268    # For production269    restart: unless-stopped270 271    # Or with fine-grained control (Swarm mode)272    deploy:273      restart_policy:274        condition: on-failure275        delay: 5s276        max_attempts: 3277        window: 120s278```279 280## Docker Compose Best Practices281 282### File Structure283 284```yaml285# No version field needed (Compose v2.40.3+)286 287services:288  # Service definitions289  web:290    # ...291  api:292    # ...293  database:294    # ...295 296networks:297  # Custom networks (preferred)298  frontend:299  backend:300    internal: true301 302volumes:303  # Named volumes (preferred for persistence)304  db-data:305  app-data:306 307configs:308  # Configuration files (Swarm mode)309  app-config:310    file: ./config/app.conf311 312secrets:313  # Secrets (Swarm mode)314  db-password:315    file: ./secrets/db_pass.txt316```317 318### Network Isolation319 320```yaml321networks:322  frontend:323    driver: bridge324  backend:325    driver: bridge326    internal: true  # No external access327 328services:329  web:330    networks:331      - frontend332 333  api:334    networks:335      - frontend336      - backend337 338  database:339    networks:340      - backend  # Not accessible from frontend341```342 343### Environment Variables344 345```yaml346services:347  app:348    # Load from file (preferred for non-secrets)349    env_file:350      - .env351 352    # Inline for service-specific vars353    environment:354      - NODE_ENV=production355      - LOG_LEVEL=info356 357    # For Swarm mode secrets358    secrets:359      - db_password360```361 362**Important:**363- Add `.env` to `.gitignore`364- Provide `.env.example` as template365- Never commit secrets to version control366 367### Dependency Management368 369```yaml370services:371  api:372    depends_on:373      database:374        condition: service_healthy  # Wait for health check375      redis:376        condition: service_started   # Just wait for start377```378 379## Production Best Practices380 381### Image Tagging Strategy382 383```bash384# Use semantic versioning385my-app:1.2.3386my-app:1.2387my-app:1388my-app:latest389 390# Include git commit for traceability391my-app:1.2.3-abc123f392 393# Environment tags394my-app:1.2.3-production395my-app:1.2.3-staging396```397 398### Secrets Management399 400**Never do this:**401```dockerfile402# BAD - secret in layer history403ENV API_KEY=secret123404RUN echo "password" > /app/config405```406 407**Do this:**408```bash409# Use Docker secrets (Swarm) or external secret management410docker secret create db_password ./password.txt411 412# Or mount secrets at runtime413docker run -v /secure/secrets:/run/secrets:ro my-app414 415# Or use environment files (not in image)416docker run --env-file /secure/.env my-app417```418 419### Monitoring & Observability420 421```yaml422services:423  app:424    # Health checks425    healthcheck:426      test: ["CMD", "curl", "-f", "http://localhost/health"]427      interval: 30s428 429    # Labels for monitoring tools430    labels:431      - "prometheus.io/scrape=true"432      - "prometheus.io/port=9090"433      - "com.company.team=backend"434      - "com.company.version=1.2.3"435 436    # Logging437    logging:438      driver: "json-file"439      options:440        max-size: "10m"441        max-file: "3"442```443 444### Backup Strategy445 446```bash447# Backup named volume448docker run --rm \449  -v VOLUME_NAME:/data \450  -v $(pwd):/backup \451  alpine tar czf /backup/backup-$(date +%Y%m%d).tar.gz -C /data .452 453# Restore volume454docker run --rm \455  -v VOLUME_NAME:/data \456  -v $(pwd):/backup \457  alpine tar xzf /backup/backup.tar.gz -C /data458```459 460### Update Strategy461 462```yaml463services:464  app:465    # For Swarm mode - rolling updates466    deploy:467      replicas: 3468      update_config:469        parallelism: 1        # Update 1 at a time470        delay: 10s            # Wait 10s between updates471        failure_action: rollback472        monitor: 60s473      rollback_config:474        parallelism: 1475        delay: 5s476```477 478## Platform-Specific Best Practices479 480### Linux481 482- Use user namespace remapping for added security483- Leverage native performance advantages484- Use Alpine for smallest images485- Configure SELinux/AppArmor profiles486- Use systemd for Docker daemon management487 488```json489// /etc/docker/daemon.json490{491  "userns-remap": "default",492  "log-driver": "json-file",493  "log-opts": {494    "max-size": "10m",495    "max-file": "3"496  },497  "storage-driver": "overlay2",498  "live-restore": true499}500```501 502### macOS503 504- Allocate sufficient resources in Docker Desktop505- Use `:delegated` or `:cached` for bind mounts506- Consider multi-platform builds for ARM (M1/M2)507- Limit file sharing to necessary directories508 509```yaml510# Better volume performance on macOS511volumes:512  - ./src:/app/src:delegated  # Host writes are delayed513  - ./build:/app/build:cached  # Container writes are cached514```515 516### Windows517 518- Choose container type: Windows or Linux519- Use forward slashes in paths520- Ensure drives are shared in Docker Desktop521- Be aware of line ending differences (CRLF vs LF)522- Consider WSL2 backend for better performance523 524```yaml525# Windows-compatible paths526volumes:527  - C:/Users/name/app:/app  # Forward slashes work528  # or529  - C:\Users\name\app:/app  # Backslashes need escaping in YAML530```531 532## Performance Best Practices533 534### Build Performance535 536```bash537# Use BuildKit (faster, better caching)538export DOCKER_BUILDKIT=1539 540# Use cache mounts541RUN --mount=type=cache,target=/root/.cache/pip \542    pip install -r requirements.txt543 544# Use bind mounts for dependencies545RUN --mount=type=bind,source=package.json,target=package.json \546    --mount=type=bind,source=package-lock.json,target=package-lock.json \547    --mount=type=cache,target=/root/.npm \548    npm ci549```550 551### Image Size552 553- Use multi-stage builds554- Choose minimal base images555- Clean up in the same layer556- Use .dockerignore557- Remove build dependencies558 559```dockerfile560# Install and cleanup in one layer561RUN apt-get update && \562    apt-get install -y --no-install-recommends \563    package1 \564    package2 && \565    apt-get clean && \566    rm -rf /var/lib/apt/lists/*567```568 569### Runtime Performance570 571```dockerfile572# Use exec form (no shell overhead)573CMD ["node", "server.js"]  # Good574# vs575CMD node server.js         # Bad - spawns shell576 577# Optimize signals578STOPSIGNAL SIGTERM579 580# Run as non-root (slightly faster, much more secure)581USER appuser582```583 584## Security Best Practices Summary585 586**Image Security:**587- Use official, minimal base images588- Scan for vulnerabilities (Docker Scout, Trivy)589- Don't include secrets in layers590- Run as non-root user591- Keep images updated592 593**Runtime Security:**594- Drop capabilities595- Use read-only filesystem596- Set resource limits597- Enable security options598- Isolate networks599- Use secrets management600 601**Compliance:**602- Follow CIS Docker Benchmark603- Implement container scanning in CI/CD604- Use signed images (Docker Content Trust)605- Maintain audit logs606- Regular security reviews607 608## Common Anti-Patterns to Avoid609 610❌ **Don't:**611- Run as root612- Use `--privileged`613- Mount Docker socket614- Use `latest` tag615- Hardcode secrets616- Skip health checks617- Ignore resource limits618- Use huge base images619- Skip vulnerability scanning620- Expose unnecessary ports621- Use inefficient layer caching622- Commit secrets to Git623 624✅ **Do:**625- Run as non-root626- Use minimal capabilities627- Isolate containers628- Tag with versions629- Use secrets management630- Implement health checks631- Set resource limits632- Use minimal images633- Scan regularly634- Apply least privilege635- Optimize build cache636- Use .env.example templates637 638## Checklist for Production-Ready Images639 640- [ ] Based on official, versioned, minimal image641- [ ] Multi-stage build (if applicable)642- [ ] Runs as non-root user643- [ ] No secrets in layers644- [ ] .dockerignore configured645- [ ] Vulnerability scan passed646- [ ] Health check implemented647- [ ] Proper labeling (version, description, etc.)648- [ ] Efficient layer caching649- [ ] Resource limits defined650- [ ] Logging configured651- [ ] Signals handled correctly652- [ ] Security options set653- [ ] Documentation complete654- [ ] Tested on target platform(s)655 656This skill represents current Docker best practices. Always verify against official documentation for the latest recommendations, as Docker evolves continuously.