1: History and Motivation
Examine the evolution of virtualization technologies from bare metal, virtual machines, and containers and the tradeoffs between them.
2: Technology Overview
Explores the three core Linux features that enable containers to function (cgroups, namespaces, and union filesystems), as well as the architecture of the Docker components.
3: Installation and Set Up
Install and configure Docker Desktop
4: Using 3rd Party Container Images
Use publicly available container images in your developer workflows and learn how about container data persistence.
5: Example Web Application
Building out a realistic microservice application to containerize.
6: Building Container Images
Write and optimize Dockerfiles and build container images for the components of the example web app.
β’NodeJS API
β’Golang API
β’React Client
7: Container Registries
Use container registries such as Dockerhub to share and distribute container images.
8: Running Containers
Use Docker and Docker Compose to run the containerized application from Module 5.
9: Container Security
Learn best practices for container image and container runtime security.
10: Interacting with Docker Objects
Explore how to use Docker to interact with containers, container images, volumes, and networks.
β’Images
β’Containers
β’Volumes
β’Networks
11: Development Workflow
Add tooling and configuration to enable improved developer experience when working with containers.
β’Developer Experience Wishlist
β’Debuggers
β’Tests
12: Deploying Containers
Deploy containerized applications to production using a variety of approaches.
Writing Good Dockerfiles
General Process
Dockerfiles generally have steps that are similar to those you would use to get your application running on a server.
1. Start with an Operating System
2. Install the language runtime
3. Install any application dependencies
4. Set up the execution environment
5. Run the application
Note: We can often jump right to #3 by choosing a base image that has the OS and language runtime preinstalled.
Useful Techniques:
Here are some of the techniques demonstrated in the Dockerfiles within this repo:
- Pinning a specific base image: By specifying an image tag, you can avoid nasty surprises where the base image
- Choosing a smaller base image: There are often a variety of base images we can choose from. Choosing a smaller base image will usually reduce the size of your final image.
- Choosing a more secure base image: Like image size, we should consider the number of vulnerabilities in our base images and the attack surface area. Chaingaurd publishes a number of hardened images (https://www.chainguard.dev/chainguard-images).
- Specifying a working directory: Many languages have a convention for how/where applications should be installed. Adhering to that convention will make it easier for developers to work with the container.
- Consider layer cache to improve build times: By undersanding the layered nature of container filesytems and choosing when to copy particular files we can make better use of the Docker caching system.
- Use COPY βlink where appropriate: The
--linkoption was added to theCOPYcommand in march 2022. It allows you to improve cache behavior in certain situations by copying files into an independent image layer not dependent on its predecessors. - Use a non-root user within the container: While containers can utilize a user namespace to differentiate between root inside the container and root on the host, this feature won't always be leveraged and by using a non-root user we improve the default safety of the container. When using Docker Desktop, the Virtual Machine it runs provides an isolation boundary between containers and the host, but if running Docker Engine it is useful to use a user namespace to ensure container isolation (more info here). This page also provides a good description for why to avoid running as root (container best practices).
- Specify the environment correctly: Only install production dependencies for a production image, and specify any necessary environment variables to configure the language runtime accordingly.
Impact of Applying These Techniques
In general, these techniques impact some combination of (1) build speed, (2) image security, and (3) developer clarity. The following summarizes these impacts:
Legend:
π Security
ποΈ Build Speed
ποΈ Clarity
- Pin specific versions [π ποΈ]
- Base images (either major+minor OR SHA256 hash) [π ποΈ]
- System Dependencies [π ποΈ]
- Application Dependencies [π ποΈ]
- Use small + secure base images [π ποΈ]
- Protect the layer cache [ποΈ ποΈ]
- Order commands by frequency of change [ποΈ]
- COPY dependency requirements file β install deps β copy remaining source code [ποΈ]
- Use cache mounts [ποΈ]
- Use COPY --link [ποΈ]
- Combine steps that are always linked (use heredocs to improve tidiness) [ποΈ ποΈ]
- Be explicit [π ποΈ]
- Set working directory with WORKDIR [ποΈ]
- Indicate standard port with EXPOSE [ποΈ]
- Set default environment variables with ENV [π ποΈ]
- Avoid unnecessary files [π ποΈ ποΈ]
- Use .dockerignore [π ποΈ ποΈ]
- COPY specific files [π ποΈ ποΈ]
- Use non-root USER [π]
- Install only production dependencies [π ποΈ ποΈ]
- Avoid leaking sensitive information [π]
- Leverage multi-stage builds [π ποΈ]