Docker Patterns Skill
Purpose
Best practices for containerization with Docker and orchestration.
Auto-Invoke Triggers
- Creating Dockerfiles
- Setting up docker-compose
- Optimizing container images
- Configuring container security
Dockerfile Best Practices
Image Selection
| Language | Recommended Base |
|---|---|
| Python | python:3.12-slim |
| Node.js | node:20-alpine |
| Go | golang:1.21-alpine (build), scratch (runtime) |
Layer Optimization
- Order commands from least to most frequently changing
- Combine RUN commands to reduce layers
- Copy dependency files before source code
- Use `.dockerignore` to exclude unnecessary files
Multi-Stage Build Pattern
```
Stage 1: Build (full SDK, compile code)
        ↓
Stage 2: Runtime (slim image, only artifacts)
```
Benefits:
- Smaller final image
- No build tools in production
- Faster deployment
- Reduced attack surface
Image Size Optimization
Strategies
| Strategy | Impact |
|---|---|
| Use slim/alpine base | 50-80% reduction |
| Multi-stage builds | 50-90% reduction |
| Remove cache after install | 10-30% reduction |
| Use .dockerignore | Variable |
Target Sizes
| App Type | Target Size |
|---|---|
| Python API | < 200MB |
| Node.js API | < 150MB |
| Go binary | < 50MB |
.dockerignore Essentials
```
.git
.gitignore
node_modules
__pycache__
*.pyc
.env*
.vscode
.idea
tests
docs
*.md
```
Security Best Practices
Rules
- Don't run as root (use a non-root user)
- Don't store secrets in images
- Use specific image tags (not `latest`)
- Scan images for vulnerabilities
- Minimize installed packages
- Use a read-only filesystem where possible
User Configuration
- Create a non-root user
- Set the USER directive before CMD
- Use a numeric UID for Kubernetes compatibility
Secret Handling
- Use environment variables at runtime
- Use Docker secrets for Swarm
- Use volume mounts for sensitive files
- Never COPY secrets into the image
Health Checks
Configuration
| Setting | Recommended |
|---|---|
| Interval | 30s |
| Timeout | 10s |
| Retries | 3 |
| Start period | 30s |
Health Check Types
| Type | Endpoint | Use Case |
|---|---|---|
| HTTP | /health | Web APIs |
| TCP | Port check | Databases |
| Command | Custom script | Complex checks |
Health Response
- Return 200 for healthy
- Return 503 for unhealthy
- Include dependency status
- Keep checks lightweight
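A complete Dockerfile that applies the image selection, layer ordering, multi-stage, non-root user, secret handling and health check rules above, as an added example that is not part of the original skill file. It assumes a Python API whose source lives in `src/`, with gunicorn listed in `requirements.txt`, an entry point `src.app:app` and a `/health` route; these names are placeholders.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: build ----------------------------------------------------
# Pinned tag, full toolchain. requirements.txt is copied before the source
# so the dependency layer stays cached until the dependency list changes.
FROM python:3.12-slim AS build
WORKDIR /app
# One RUN: install build deps and drop the apt lists in the same layer.
RUN apt-get update \
    && apt-get install -y --no-install-recommends build-essential \
    && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN python -m venv /opt/venv \
    && /opt/venv/bin/pip install --no-cache-dir -r requirements.txt
COPY src/ ./src/

# ---- Stage 2: runtime ---------------------------------------------------
# Same pinned slim base, no compiler, only the venv and the source tree.
FROM python:3.12-slim AS runtime
# Fixed numeric UID/GID (placeholder 10001) so Kubernetes runAsNonRoot
# can verify the user without resolving a name.
RUN groupadd --gid 10001 app \
    && useradd --uid 10001 --gid 10001 --no-create-home \
       --shell /usr/sbin/nologin app
WORKDIR /app
COPY --from=build /opt/venv /opt/venv
COPY --from=build --chown=10001:10001 /app/src ./src
# No secrets baked in: values such as DATABASE_URL are supplied at runtime
# through the environment or a mounted file.
ENV PATH="/opt/venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
EXPOSE 8000
# Values from the Health Checks table. curl is absent from slim, so the probe
# uses the interpreter already in the image; a 503 raises HTTPError -> exit 1.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/health', timeout=5)"
# USER comes before CMD so the server never runs as root.
USER 10001:10001
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "src.app:app"]
```

Build with a `.dockerignore` like the one above in place, otherwise `tests`, `.env*` and `.git` are sent to the builder even though only `src/` is copied.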
Docker Compose
Service Organization
| Service Type | Port Pattern |
|---|---|
| Frontend | 3000:80 |
| Backend API | 8000:8000 |
| Database | 5432:5432 |
| Cache | 6379:6379 |
Network Strategy
- Use a custom bridge network
- Don't expose ports unless necessary
- Use service names for internal communication
- Isolate databases on a separate network
Volume Types
| Type | Use Case |
|---|---|
| Named volume | Database data |
| Bind mount | Development code |
| tmpfs | Temporary/sensitive data |
Environment Configuration
Variable Hierarchy
- Environment variables (highest priority)
- `.env` file
- docker-compose.yml defaults
- Dockerfile defaults (lowest)
Environment Files
| File | Purpose |
|---|---|
| .env | Local defaults |
| .env.example | Template (committed) |
| .env.local | Local overrides |
| .env.production | Production values |
Configuration Rules
- Don't commit `.env` files with secrets
- Provide `.env.example` with placeholders
- Validate required variables at startup
- Use different values per environment
Development vs Production
Development
- Mount source code as a volume
- Enable hot reload
- Expose debug ports
- Use development dependencies
- Verbose logging
Production
- Copy only built artifacts
- No source code in the image
- Minimal base image
- No development dependencies
- Structured logging
Logging
Rules
- Log to stdout/stderr
- Use JSON format for production
- Don't log to files inside the container
- Use logging drivers for aggregation
Log Drivers
| Driver | Use Case |
|---|---|
| json-file | Development |
| fluentd | Production (ELK) |
| awslogs | AWS CloudWatch |
| gcplogs | Google Cloud |
Resource Limits
Recommended Limits
| Resource | Development | Production |
|---|---|---|
| Memory | 512MB | Based on app |
| CPU | 0.5 | Based on app |
| PIDs | 100 | 100 |
Setting Rules
- Always set memory limits
- Set CPU limits for shared hosts
- Monitor actual usage before setting limits
- Leave headroom for spikes
Best Practices
DO
- Use multi-stage builds
- Pin image versions
- Use a non-root user
- Add health checks
- Use `.dockerignore`
- Scan for vulnerabilities
DON'T
- Use the `latest` tag
- Run as root
- Store secrets in images
- Install unnecessary packages
- Ignore layer caching
- Skip health checks
Docker Checklist
Dockerfile
- [ ] Uses slim/alpine base
- [ ] Multi-stage build
- [ ] Non-root user
- [ ] Specific image tag
- [ ] Health check defined
- [ ] `.dockerignore` exists
Security
- [ ] No secrets in image
- [ ] Image scanned
- [ ] Minimal packages
- [ ] User not root
Configuration
- [ ] Environment variables used
- [ ] Resource limits set
- [ ] Logging to stdout
- [ ] Graceful shutdown handled