Writing Dockerfiles
Create production-grade Dockerfiles with multi-stage builds, security hardening, and language-specific optimizations.
When to Use This Skill
Invoke when:
- •"Write a Dockerfile for [Python/Node.js/Go/Rust] application"
- •"Optimize this Dockerfile to reduce image size"
- •"Use multi-stage build for..."
- •"Secure Dockerfile with non-root user"
- •"Use distroless base image"
- •"Add BuildKit cache mounts"
- •"Prevent secrets from leaking in Docker layers"
Quick Decision Framework
Ask three questions to determine the approach:
1. What language?
- •Python → See
references/python-dockerfiles.md - •Node.js → See
references/nodejs-dockerfiles.md - •Go → See
references/go-dockerfiles.md - •Rust → See
references/rust-dockerfiles.md - •Java → See
references/java-dockerfiles.md
2. Is security critical?
- •YES → Use distroless runtime images (see
references/security-hardening.md) - •NO → Use slim/alpine base images
3. Is image size critical?
- •YES (<50MB) → Multi-stage + distroless + static linking
- •NO (<500MB) → Multi-stage + slim base images
Core Concepts
Multi-Stage Builds
Separate build environment from runtime environment to minimize final image size.
Pattern:
# Stage 1: Build FROM build-image AS builder RUN compile application # Stage 2: Runtime FROM minimal-runtime-image COPY --from=builder /app/binary /app/ CMD ["/app/binary"]
Benefits:
- •80-95% smaller images (excludes build tools)
- •Improved security (no compilers in production)
- •Faster deployments
- •Better layer caching
Base Image Selection
Decision matrix:
| Language | Build Stage | Runtime Stage | Final Size |
|---|---|---|---|
| Go (static) | golang:1.22-alpine | gcr.io/distroless/static-debian12 | 10-30MB |
| Rust (static) | rust:1.75-alpine | scratch | 5-15MB |
| Python | python:3.12-slim | python:3.12-slim | 200-400MB |
| Node.js | node:20-alpine | node:20-alpine | 150-300MB |
| Java | maven:3.9-eclipse-temurin-21 | eclipse-temurin:21-jre-alpine | 200-350MB |
Distroless images (Google-maintained):
- •
gcr.io/distroless/static-debian12→ Static binaries (2MB) - •
gcr.io/distroless/base-debian12→ Dynamic binaries with libc (20MB) - •
gcr.io/distroless/python3-debian12→ Python runtime (60MB) - •
gcr.io/distroless/nodejs20-debian12→ Node.js runtime (150MB)
See references/base-image-selection.md for complete comparison.
BuildKit Features
Enable BuildKit for advanced caching and security:
export DOCKER_BUILDKIT=1 docker build . # OR docker buildx build .
Key features:
- •
--mount=type=cache→ Persistent package manager caches - •
--mount=type=secret→ Inject secrets without storing in layers - •
--mount=type=ssh→ SSH agent forwarding for private repos - •Parallel stage execution
- •Improved layer caching
See references/buildkit-features.md for detailed patterns.
Layer Optimization
Order Dockerfile instructions from least to most frequently changing:
# 1. Base image (rarely changes) FROM python:3.12-slim # 2. System packages (rarely changes) RUN apt-get update && apt-get install -y build-essential # 3. Dependencies manifest (changes occasionally) COPY requirements.txt . RUN pip install -r requirements.txt # 4. Application code (changes frequently) COPY . . # 5. Runtime configuration (rarely changes) CMD ["python", "app.py"]
BuildKit cache mounts:
RUN --mount=type=cache,target=/root/.cache/pip \
pip install -r requirements.txt
Cache persists across builds, eliminating redundant downloads.
Security Hardening
Essential security practices:
1. Non-root users
# Debian/Ubuntu RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app USER appuser # Alpine RUN adduser -D -u 1000 appuser && chown -R appuser:appuser /app USER appuser # Distroless (built-in) USER nonroot:nonroot
2. Secret management
# ❌ NEVER: Secret in layer history
RUN git clone https://${GITHUB_TOKEN}@github.com/private/repo.git
# ✅ ALWAYS: BuildKit secret mount
RUN --mount=type=secret,id=github_token \
TOKEN=$(cat /run/secrets/github_token) && \
git clone https://${TOKEN}@github.com/private/repo.git
Build with:
docker buildx build --secret id=github_token,src=./token.txt .
3. Vulnerability scanning
# Trivy (recommended) trivy image myimage:latest # Docker Scout docker scout cves myimage:latest
4. Health checks
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \ CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
See references/security-hardening.md for comprehensive hardening patterns.
.dockerignore Configuration
Create .dockerignore to exclude unnecessary files:
# Version control .git .gitignore # CI/CD .github .gitlab-ci.yml # IDE .vscode .idea # Testing tests/ coverage/ **/*_test.go **/*.test.js # Build artifacts node_modules/ dist/ build/ target/ __pycache__/ # Environment .env .env.local *.log
Reduces build context size and prevents leaking secrets.
Language-Specific Patterns
Python Quick Reference
Three approaches:
- •pip (simple) → Single-stage, requirements.txt
- •poetry (production) → Multi-stage, virtual environment
- •uv (fastest) → 10-100x faster than pip
Example: Poetry multi-stage
FROM python:3.12-slim AS builder
RUN --mount=type=cache,target=/root/.cache/pip \
pip install poetry==1.7.1
COPY pyproject.toml poetry.lock ./
RUN poetry export -f requirements.txt --output requirements.txt
RUN --mount=type=cache,target=/root/.cache/pip \
python -m venv /opt/venv && \
/opt/venv/bin/pip install -r requirements.txt
FROM python:3.12-slim
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
USER 1000:1000
CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0"]
See references/python-dockerfiles.md for complete patterns and examples/python-fastapi.Dockerfile.
Node.js Quick Reference
Key patterns:
- •Use
npm ci(notnpm install) for reproducible builds - •Multi-stage: Build stage → Production dependencies only
- •Built-in
nodeuser (UID 1000) - •Alpine variant smallest (~180MB vs 1GB)
Example: Express multi-stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm \
npm ci
COPY . .
RUN npm run build
RUN npm prune --omit=dev
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/dist ./dist
USER node
CMD ["node", "dist/index.js"]
See references/nodejs-dockerfiles.md for npm/pnpm/yarn patterns and examples/nodejs-express.Dockerfile.
Go Quick Reference
Smallest possible images:
- •Static binary (CGO_ENABLED=0) + distroless = 10-30MB
- •Strip symbols with
-ldflags="-s -w" - •Cache both
/go/pkg/modand build cache
Example: Distroless static
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN --mount=type=cache,target=/go/pkg/mod \
go mod download
COPY . .
RUN --mount=type=cache,target=/go/pkg/mod \
--mount=type=cache,target=/root/.cache/go-build \
CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o main .
FROM gcr.io/distroless/static-debian12
COPY --from=builder /app/main /app/main
USER nonroot:nonroot
ENTRYPOINT ["/app/main"]
See references/go-dockerfiles.md and examples/go-microservice.Dockerfile.
Rust Quick Reference
Ultra-small static binaries:
- •musl static linking → No libc dependencies
- •scratch base image (0 bytes overhead)
- •Final image: 5-15MB
Example: Scratch base
FROM rust:1.75-alpine AS builder
RUN apk add --no-cache musl-dev
WORKDIR /app
# Cache dependencies
COPY Cargo.toml Cargo.lock ./
RUN --mount=type=cache,target=/usr/local/cargo/registry \
mkdir src && echo "fn main() {}" > src/main.rs && \
cargo build --release --target x86_64-unknown-linux-musl && \
rm -rf src
# Build application
COPY src ./src
RUN --mount=type=cache,target=/usr/local/cargo/registry \
cargo build --release --target x86_64-unknown-linux-musl
FROM scratch
COPY --from=builder /app/target/x86_64-unknown-linux-musl/release/app /app
USER 1000:1000
ENTRYPOINT ["/app"]
See references/rust-dockerfiles.md and examples/rust-actix.Dockerfile.
Package Manager Cache Mounts
BuildKit cache mount locations:
| Language | Package Manager | Cache Mount Target |
|---|---|---|
| Python | pip | --mount=type=cache,target=/root/.cache/pip |
| Python | poetry | --mount=type=cache,target=/root/.cache/pypoetry |
| Python | uv | --mount=type=cache,target=/root/.cache/uv |
| Node.js | npm | --mount=type=cache,target=/root/.npm |
| Node.js | pnpm | --mount=type=cache,target=/root/.local/share/pnpm/store |
| Go | go mod | --mount=type=cache,target=/go/pkg/mod |
| Rust | cargo | --mount=type=cache,target=/usr/local/cargo/registry |
Persistent caches eliminate redundant package downloads across builds.
Validation and Testing
Validate Dockerfile quality:
# Lint Dockerfile python scripts/validate_dockerfile.py Dockerfile # Scan for vulnerabilities trivy image myimage:latest # Analyze image size docker images myimage:latest docker history myimage:latest
Compare optimization results:
# Before optimization docker build -t myapp:before . # After optimization docker build -t myapp:after . # Compare bash scripts/analyze_image_size.sh myapp:before myapp:after
See scripts/validate_dockerfile.py for automated Dockerfile linting.
Integration with Related Skills
Upstream (provide input):
- •
testing-strategies→ Test application before containerizing - •
security-hardening→ Application-level security before Docker layer
Downstream (consume Dockerfiles):
- •
building-ci-pipelines→ Build and push Docker images in CI - •
kubernetes-operations→ Deploy containers to K8s clusters - •
infrastructure-as-code→ Deploy containers with Terraform/Pulumi
Parallel (related context):
- •
secret-management→ Inject runtime secrets (K8s secrets, vaults) - •
observability→ Container logging and metrics collection
Common Patterns Quick Reference
1. Static binary (Go/Rust) → Smallest image
- •Build: Language-specific builder image
- •Runtime:
gcr.io/distroless/static-debian12orscratch - •Size: 5-30MB
2. Interpreted language (Python/Node.js) → Production-optimized
- •Build: Install dependencies, build artifacts
- •Runtime: Same base, production dependencies only
- •Size: 150-400MB
3. JVM (Java) → Optimized runtime
- •Build: Maven/Gradle with full JDK
- •Runtime: JRE-only image (alpine variant)
- •Size: 200-350MB
4. Security-critical → Maximum hardening
- •Base: Distroless images
- •User: Non-root (nonroot:nonroot)
- •Secrets: BuildKit secret mounts
- •Scan: Trivy/Docker Scout in CI
5. Development → Fast iteration
- •Base: Full language image (not slim)
- •Volumes: Mount source code
- •Hot reload: Language-specific tools
- •Not covered in this skill (see Docker Compose docs)
Anti-Patterns to Avoid
❌ Never:
- •Use
latesttags (unpredictable builds) - •Run as root in production
- •Store secrets in ENV vars or layers
- •Install unnecessary packages
- •Combine unrelated RUN commands (breaks caching)
- •Skip .dockerignore (bloated build context)
✅ Always:
- •Pin exact image versions (
python:3.12.1-slim, notpython:3) - •Create and use non-root user
- •Use BuildKit secret mounts for credentials
- •Minimize layers and image size
- •Order commands from least to most frequently changing
- •Create .dockerignore file
Additional Resources
Base image registries:
- •Google Distroless:
gcr.io/distroless/* - •Docker Hub Official:
python:*,node:*,golang:* - •Red Hat UBI:
registry.access.redhat.com/ubi9/*
Vulnerability scanners:
- •Trivy (recommended):
trivy image myimage:latest - •Docker Scout:
docker scout cves myimage:latest - •Grype:
grype myimage:latest
Reference documentation:
- •
references/base-image-selection.md→ Complete base image comparison - •
references/buildkit-features.md→ Advanced BuildKit patterns - •
references/security-hardening.md→ Comprehensive security guide - •Language-specific references in
references/directory - •Working examples in
examples/directory