Docker Best Practices Skill
When to Use
Use this skill when:
- •Creating new Dockerfiles
- •Optimizing existing container images
- •Setting up docker-compose environments
- •Implementing health checks
- •Securing container deployments
- •Reducing image sizes
- •Configuring multi-stage builds
Dockerfile Patterns
1. Multi-Stage Build (Python)
dockerfile
# Stage 1: Builder
FROM python:3.12-slim AS builder
WORKDIR /app
# Install build dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
&& rm -rf /var/lib/apt/lists/*
# Install Python dependencies
COPY requirements.txt .
RUN pip wheel --no-cache-dir --wheel-dir /wheels -r requirements.txt
# Stage 2: Runtime
FROM python:3.12-slim AS runtime
WORKDIR /app
# Create non-root user
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
# Copy wheels from builder
COPY --from=builder /wheels /wheels
RUN pip install --no-cache-dir /wheels/* && rm -rf /wheels
# Copy application
COPY --chown=appuser:appgroup . .
# Switch to non-root user
USER appuser
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8000/health || exit 1
EXPOSE 8000
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
2. Layer Caching Optimization
dockerfile
# ✅ Good: Dependencies first (cached if unchanged) COPY requirements.txt . RUN pip install -r requirements.txt COPY . . # ❌ Bad: Entire context first (cache invalidated on any change) COPY . . RUN pip install -r requirements.txt
3. Security Hardening
dockerfile
# ✅ Security checklist: # 1. Non-root user USER appuser # 2. Read-only filesystem # docker run --read-only ... # 3. No new privileges # docker run --security-opt=no-new-privileges ... # 4. Drop capabilities # docker run --cap-drop=ALL ... # 5. Minimal base image FROM python:3.12-alpine # or distroless # 6. No secrets in image # Use environment variables or secrets mount
4. Health Checks
dockerfile
# HTTP health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD curl -f http://localhost:8000/health || exit 1
# TCP health check (no curl)
HEALTHCHECK --interval=30s --timeout=10s --retries=3 \
CMD nc -z localhost 8000 || exit 1
# Script health check
HEALTHCHECK CMD ["/app/healthcheck.sh"]
Docker Compose Patterns
Development Environment
yaml
version: "3.9"
services:
app:
build:
context: .
dockerfile: Dockerfile.dev
volumes:
- .:/app:cached
- /app/__pycache__ # Exclude pycache
ports:
- "8000:8000"
environment:
- DEBUG=true
- DATABASE_URL=postgresql://...
depends_on:
db:
condition: service_healthy
db:
image: postgres:16-alpine
volumes:
- postgres_data:/var/lib/postgresql/data
environment:
- POSTGRES_DB=app
- POSTGRES_USER=app
- POSTGRES_PASSWORD=secret
healthcheck:
test: ["CMD-SHELL", "pg_isready -U app"]
interval: 5s
timeout: 5s
retries: 5
volumes:
postgres_data:
Production Environment
yaml
version: "3.9"
services:
app:
image: myapp:${VERSION:-latest}
deploy:
replicas: 3
resources:
limits:
cpus: '0.5'
memory: 512M
restart_policy:
condition: on-failure
max_attempts: 3
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
interval: 30s
timeout: 10s
retries: 3
networks:
- app-network
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
Image Size Optimization
code
✅ Size reduction techniques: 1. Use slim/alpine base images 2. Multi-stage builds 3. Combine RUN commands 4. Clean up apt cache: && rm -rf /var/lib/apt/lists/* 5. Use .dockerignore 6. Remove build dependencies after install 7. Use --no-cache-dir for pip
Output Format
markdown
## Docker Analysis Report ### Image Analysis - Base image: python:3.12-slim - Final size: 125MB - Layers: 12 - Security: ✅ Non-root user ### Optimization Suggestions 1. [Current] → [Optimized] - [Size saved] ### Security Findings - ✅ Non-root user configured - ⚠️ Health check missing - ❌ Running as root ### docker-compose Review - ✅ Health checks defined - ✅ Resource limits set - ⚠️ No restart policy
Example Usage
code
@docker Create optimized Dockerfile for FastAPI app @docker Review docker-compose.yml for production readiness @docker Reduce image size of the current Dockerfile @docker Add health checks to all services