Well, this is the 3rd post in the same month; I haven't done that in a long time! But Q3 2021 has been super productive and many things have been done.
Yesterday, as part of the knowledge share and developer enablement at Camunda, I delivered a Docker Best Practices Workshop which was available for the whole engineering division at Camunda.
What I really liked about this workshop is that everyone told me they learned something new, even though they had been working with Docker for a pretty long time!
If I have a single piece of advice from this workshop, it is this: use a Dockerfile linter, use hadolint! Use it via the CLI or integrate it with your IDE (e.g. check the VS Code hadolint extension). Also, make it part of your CI pipeline! By using hadolint, you will avoid at least 50% of the Docker issues with your eyes closed!
In this workshop, I've covered the following:
Essential Practices
- Use a Dockerfile linter
- Check Docker language-specific best practices
- Create a single application per Docker image
- Create configurable ephemeral containers
Image Practices
- Use an optimal base image
- Pin versions everywhere
- Create an image with the optimal size
- Use multi-stage builds whenever possible
- Avoid any unnecessary files
Security Practices
- Always use trusted images
- Never use untrusted resources
- Never store sensitive data in the image
- Use a non-root user
- Scan images for vulnerabilities
Misc Practices
- Leverage Docker build cache
- Avoid system cache
- Create a unified image across environments
- Use ENTRYPOINT with CMD
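As an added example (not code from the workshop repo), here is a Dockerfile that applies most of the items above to a hypothetical Python service; it assumes a `requirements.txt` with pinned packages and an entry module `src/app.py` that reads `APP_PORT` from the environment, and the comments mark which practice each line serves.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: install dependencies (build tooling never reaches the final image) ----
# Pin the base tag (never "latest"); for the strongest pin, add the image digest (@sha256:...).
FROM python:3.9-slim AS build
WORKDIR /build
# A virtualenv is a single directory, easy to copy into the runtime stage.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# Copy only the dependency manifest first: this layer stays cached until requirements.txt changes.
COPY requirements.txt .
# requirements.txt pins every package (pkg==x.y.z); --no-cache-dir leaves no pip cache in the layer.
RUN pip install --no-cache-dir -r requirements.txt

# ---- Stage 2: runtime (no compilers, no pip cache, no git checkout, no tests) ----
FROM python:3.9-slim
# Dedicated unprivileged user; the process never needs root inside the container.
RUN groupadd --system app && useradd --system --gid app --no-create-home app
WORKDIR /app
COPY --from=build /opt/venv /opt/venv
# Only the application code is copied; a .dockerignore keeps .git, tests, .env and secrets out.
COPY --chown=app:app src/ ./src/
# Configuration comes from the environment at run time, so one image serves every environment.
# No credentials in ENV/ARG/COPY: pass them at run time (--env-file, an orchestrator secret, a mount).
ENV PATH="/opt/venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    APP_PORT=8080
EXPOSE 8080
USER app
# ENTRYPOINT fixes the executable; CMD holds default arguments that `docker run image --workers 4` can override.
ENTRYPOINT ["python", "-m", "src.app"]
CMD ["--workers", "2"]
```

Run `hadolint Dockerfile` on it before committing, and start the container with `docker run -e APP_PORT=9090 -p 9090:9090 <image>` to see the run-time configuration in action.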
Finally, here is the hands-on repo, where the best practices will be applied to a simple application: https://github.com/aabouzaid/docker-best-practices-workshop
That's it, enjoy :-)