After using Docker for the last several years, I'd like to share best practices that work in production.
In the Cloud Native world, infrastructure is disposable and immutable. As a result, if your Kubernetes pod is rescheduled to another node, the new node needs to pull the Docker image.
Small Docker images provide the following benefits:
There are several techniques to reduce image size:
Dockerfile, which improves source code readability
The principle of least privilege should be applied as much as possible. Within its cgroup, a Docker container runs as root by default. If a new kernel vulnerability appears, a malicious container might try to use it to escape to the host. Set USER in the Dockerfile so the container runs as an unprivileged user.
Do not use the latest tag in FROM. If you use latest, you will pull whatever the latest base image happens to be. The downsides of this are the following:
Use a digest in FROM to specify the exact version of the image you're pulling. The digest is shown on the tag page on Docker Hub, or you can get it after running docker pull:
```text
$ docker pull alpine:3.12.0
3.12.0: Pulling from library/alpine
df20fa9351a1: Pull complete
Digest: sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
Status: Downloaded newer image for alpine:3.12.0
docker.io/library/alpine:3.12.0
```
The Dockerfile will then look like this:
```dockerfile
FROM alpine@sha256:185518070891758909c9f839cf4ca393ee977ac378609f700f60a771a2dfe321
COPY ...
# And so on.
```
Do not use docker.io in production. If you run on Kubernetes, use Open Policy Agent Gatekeeper or a similar solution to enforce this. docker.io contains a lot of images built both by well-known companies and by random people, and not all of them have good intentions.
Use LABEL with information about the image maintainer and any other information that is relevant to your organization.
Use ARG to pass the base IMAGE. This lets you configure the base image from outside the Dockerfile and gives you the ability to manage base images at scale if you have a large organization or hundreds of different images.