Difference between revisions of "Docker Best Practices"

From Gcube Wiki
Jump to: navigation, search
(What to Package)
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Docker Repositories =
+
= Base and Composed Images =
Setting up a DTR or Docker Hub?
+
Single User vs Organization?
+
  
= Layout of a Docker-enabled Project =
+
Never build or compose from a <code>latest</code> tag.
  
 
= Dockerfile =
 
= Dockerfile =
 
== Where to keep the Dockerfile ==
 
 
== Base/Composed Images ==
 
Which ones we can use? Which repos/organizations do we trust?
 
  
 
== Use Metadata Labels ==
 
== Use Metadata Labels ==
Line 23: Line 16:
  
 
== Use COPY instead of ADD ==
 
== Use COPY instead of ADD ==
 +
 +
== Sensitive Information ==
 +
Never add passwords, hostnames, externals paths, tokens, and keys into images. Use a <code>.dockerignore</code> file to avoid a hazardous COPY instruction, which pulls in sensitive information from the build context.
  
 
== Minimize the Image Size ==
 
== Minimize the Image Size ==
  
= Build the Image =  
+
= What to Package =
 
+
What do we put inside a Docker image.
== Tags ==
+
Use fixed tags for immutability.
+
 
+
== Automate ==
+
  
== Push ==
 
  
= Test the Images =  
+
= Stubs =
 +
Sample stub for a service's Dockerfile:
 +
<pre>
 +
FROM tomcat:8.0-jre8
 +
ADD /my-web-app.war /usr/local/tomcat/webapps/
 +
CMD ["catalina.sh", "run"]
 +
</pre>
  
= Document How to launch the Containers =
+
''Back to the [[Docker_Guide_for_gCube_Users | Docker guide]].''
  
= Find, Fix and Monitor for Image Vulnerabilities =
+
[[Category:Docker]]

Latest revision as of 20:52, 16 August 2020

Base and Composed Images

Never build or compose from a latest tag.

Dockerfile

Use Metadata Labels

Define the Maintainers

Which Users inside the Image

Define the App Name

Define the WORKDIR

Use COPY instead of ADD

Sensitive Information

Never add passwords, hostnames, externals paths, tokens, and keys into images. Use a .dockerignore file to avoid a hazardous COPY instruction, which pulls in sensitive information from the build context.

Minimize the Image Size

What to Package

What do we put inside a Docker image.


Stubs

Sample stub for a service's Dockerfile:

FROM tomcat:8.0-jre8
ADD /my-web-app.war /usr/local/tomcat/webapps/
CMD ["catalina.sh", "run"]

Back to the Docker guide.