---
name: docker
description: >
  Guidelines for writing efficient and secure Dockerfiles.
  Trigger: When working with Dockerfile, docker-compose, or container configurations.
license: Apache-2.0
metadata:
  author: poletron
  version: "1.0"
  scope: [root]
  auto_invoke: "Working with docker"
---

## When to Use

Use this skill when:

- Writing or reviewing Dockerfiles
- Configuring multi-stage builds
- Optimizing container image size
- Implementing container security best practices

---

## Critical Patterns

### Multi-Stage Builds (REQUIRED)

```dockerfile
# ✅ ALWAYS: Use multi-stage to reduce final image size
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

FROM node:18-alpine
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY . .
CMD ["node", "server.js"]
```

### Non-Root User (REQUIRED)

```dockerfile
# ✅ ALWAYS: Run as non-root for security (create the group, then put the user in it)
RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 -G appgroup
USER appuser
```

### Specific Tags (REQUIRED)

```dockerfile
# ✅ ALWAYS: Use specific version tags
FROM node:18.19-alpine

# ❌ NEVER: Use 'latest' tag
FROM node:latest
```

---

## Decision Tree

```
Need smaller image?    → Use multi-stage build
Need security?         → Run as non-root user
Need caching?          → Order from least to most changing
Need reproducibility?  → Pin exact versions
```

---

## Code Examples

### Layer Optimization

```dockerfile
# ✅ Good: Combine commands, clean in same layer
RUN apt-get update && \
    apt-get install -y --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/*

# ❌ Bad: Separate layers, cache not cleaned
RUN apt-get update
RUN apt-get install curl
```

### Health Checks

```dockerfile
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1
```

The check only works if `curl` exists in the image: `node:18-alpine` does not ship it, so either `apk add --no-cache curl` or use the busybox `wget -qO- http://localhost:3000/health || exit 1` that Alpine already provides.

---

## Commands

```bash
docker build -t myapp:1.0 .             # Build image
docker run -d -p 3000:3000 myapp:1.0    # Run container
docker scan myapp:1.0                   # Scan for vulnerabilities (retired; use docker scout cves myapp:1.0)
docker history myapp:1.0                # View layer history
```

---

## Resources

- **Additional docs**: [infrastructure.md](infrastructure.md)

---

## ⭐️ Advanced Expert Patterns

### 1. Dockerfile Optimization & Multi-Stage Builds

**Key techniques:**

```dockerfile
# Optimized multi-stage pattern
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force

FROM node:18-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build && npm prune --production

FROM node:18-alpine AS runtime
RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001 -G nodejs
WORKDIR /app
COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
COPY --from=build --chown=nextjs:nodejs /app/dist ./dist
COPY --from=build --chown=nextjs:nodejs /app/package*.json ./
USER nextjs
EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1
CMD ["node", "dist/index.js"]
```

### 2. Container Security Hardening

**Security patterns:**

```dockerfile
# Security-hardened container
FROM node:18-alpine
RUN addgroup -g 1001 -S appgroup && \
    adduser -S appuser -u 1001 -G appgroup
WORKDIR /app
COPY --chown=appuser:appgroup package*.json ./
RUN npm ci --only=production
COPY --chown=appuser:appgroup . .
USER 1001
# Capability drops and the read-only root filesystem are run-time settings,
# not Dockerfile instructions: see the note below.
```

A Dockerfile has no instruction for dropping capabilities or making the root filesystem read-only; those are applied when the container starts, with `docker run --cap-drop=ALL --read-only --security-opt=no-new-privileges` or with `cap_drop`, `read_only` and `security_opt` on the compose service. Reviewing the image alone therefore cannot confirm them.
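
Because those settings (and the resource limits from pattern 6) live in the container's run configuration, the place to verify them is `docker inspect` on the running container. The script below is an added example, not the skill's or Docker's own code: it reads the JSON array that `docker inspect` prints and checks the fields those settings populate, namely `Config.User`, `HostConfig.Privileged`, `HostConfig.CapDrop`/`CapAdd`, `HostConfig.ReadonlyRootfs`, `HostConfig.SecurityOpt`, `HostConfig.Memory`, `HostConfig.NanoCpus` and `Config.Healthcheck`. The two embedded records are constructed and trimmed to those fields.

```python
"""Runtime hardening audit over `docker inspect` output (added example)."""
import json
import sys


def audit_container(ctr):
    """Return a list of findings for one `docker inspect` record (a dict)."""
    host = ctr.get("HostConfig") or {}
    cfg = ctr.get("Config") or {}
    findings = []

    user = (cfg.get("User") or "").split(":")[0]          # "1001:1001" -> "1001"
    if user in ("", "root", "0"):
        findings.append("runs as root: add USER to the Dockerfile or pass --user")
    if host.get("Privileged"):
        findings.append("privileged: drop --privileged")
    if "ALL" not in (host.get("CapDrop") or []):          # compose: cap_drop: [ALL]
        findings.append("capabilities kept: add --cap-drop=ALL, then cap_add only what is needed")
    if host.get("CapAdd"):
        findings.append(f"review re-added capabilities: {host['CapAdd']}")
    if not host.get("ReadonlyRootfs"):                    # compose: read_only: true
        findings.append("writable root fs: add --read-only (plus --tmpfs for scratch dirs)")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("setuid escalation allowed: add --security-opt=no-new-privileges")
    if not host.get("Memory"):                            # deploy.resources.limits.memory
        findings.append("no memory limit: set deploy.resources.limits.memory or --memory")
    if not host.get("NanoCpus"):                          # deploy.resources.limits.cpus
        findings.append("no cpu limit: set deploy.resources.limits.cpus or --cpus")
    if not (cfg.get("Healthcheck") or {}).get("Test"):
        findings.append("no HEALTHCHECK: depends_on condition service_healthy cannot gate on it")
    return findings


def audit_inspect_output(json_text):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {ctr.get("Name", "?"): audit_container(ctr) for ctr in json.loads(json_text)}


# Constructed records, trimmed to the fields checked above. The first is what
# `docker run --user 1001:1001 --cap-drop=ALL --read-only
#  --security-opt=no-new-privileges --memory 512m --cpus 0.5` produces; the
# second is an unhardened `docker run` with no flags at all.
SAMPLE_INSPECT = """[
  {"Name": "/app-hardened",
   "Config": {"User": "1001:1001",
              "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost:3000/health"]}},
   "HostConfig": {"Privileged": false, "CapDrop": ["ALL"], "CapAdd": [],
                  "ReadonlyRootfs": true, "SecurityOpt": ["no-new-privileges:true"],
                  "Memory": 536870912, "NanoCpus": 500000000}},
  {"Name": "/app-default",
   "Config": {"User": "", "Healthcheck": null},
   "HostConfig": {"Privileged": false, "CapDrop": null, "CapAdd": null,
                  "ReadonlyRootfs": false, "SecurityOpt": null,
                  "Memory": 0, "NanoCpus": 0}}
]"""

if __name__ == "__main__":
    # Usage: docker inspect <container...> | python3 audit_runtime.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(text).items():
        print(f"{name}: {'hardened' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Pipe `docker inspect` for one or more containers into it; a service started from the compose file in pattern 3 with `cap_drop: [ALL]`, `read_only: true` and `security_opt: [no-new-privileges:true]` added should come back with no findings.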
### 3. Docker Compose Orchestration

**Production-ready compose pattern:**

```yaml
version: '3.8'

services:
  app:
    build:
      context: .
      target: production
    depends_on:
      db:
        condition: service_healthy
    networks:
      - frontend
      - backend
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M

  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_DB_FILE: /run/secrets/db_name
      POSTGRES_USER_FILE: /run/secrets/db_user
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
    secrets:
      - db_name
      - db_user
      - db_password
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - backend
    healthcheck:
      # POSTGRES_USER is never set in this file (the user name comes from the
      # secret), so read it from the mounted secret; $$ defers expansion to the
      # container shell instead of compose's own interpolation.
      test: ["CMD-SHELL", "pg_isready -U \"$$(cat /run/secrets/db_user)\""]
      interval: 10s
      timeout: 5s
      retries: 5

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true

volumes:
  postgres_data:

secrets:
  db_name:
    external: true
  db_user:
    external: true
  db_password:
    external: true
```

### 4. Image Size Optimization

**Optimization techniques:**

```dockerfile
# Minimal production image; assumes a `build` stage like the one in pattern 1
FROM gcr.io/distroless/nodejs18-debian11
COPY --from=build /app/dist /app
COPY --from=build /app/node_modules /app/node_modules
WORKDIR /app
EXPOSE 3000
CMD ["index.js"]
```

The distroless image ships neither a shell nor `curl`: `CMD ["index.js"]` works because its entrypoint is `node`, and a `curl`-based `HEALTHCHECK` cannot run inside it.

### 5. Development Workflow Integration

**Development workflow:**

```yaml
# Development override
services:
  app:
    build:
      context: .
      target: development
    volumes:
      - .:/app
      - /app/node_modules
      - /app/dist
    environment:
      - NODE_ENV=development
      - DEBUG=app:*
    ports:
      - "127.0.0.1:9229:9229"  # Debug port, loopback only: the inspector executes arbitrary code
    command: npm run dev
```

### 6. Performance & Resource Management

**Resource management:**

```yaml
services:
  app:
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 1G
        reservations:
          cpus: '0.5'
          memory: 512M
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
```

## Advanced Problem-Solving Patterns

### Cross-Platform Builds

```bash
# Multi-architecture builds
docker buildx create --name multiarch-builder --use
docker buildx build --platform linux/amd64,linux/arm64 \
  -t myapp:1.0 --push .   # pinned tag, per the Specific Tags rule above
```
### Build Cache Optimization

```dockerfile
# Mount build cache for package managers
FROM node:18-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN --mount=type=cache,target=/root/.npm \
    npm ci --only=production
```

### Secrets Management

```dockerfile
# Build-time secrets (BuildKit): the secret is mounted only for this RUN and
# never written into an image layer. Supply it with:
#   docker build --secret id=api_key,src=./api_key.txt .
FROM alpine
RUN --mount=type=secret,id=api_key \
    API_KEY="$(cat /run/secrets/api_key)"
# Use API_KEY for the build process inside that same RUN: the mount and the
# shell variable are both gone once the instruction finishes.
```
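
The opposite mistakes are easy to miss in review: a credential in `ENV`, or a build `ARG` that a `RUN` consumes, which the builder records in that layer's `CreatedBy` as `|1 KEY=value ...`. Both are visible after the build through the `docker history` command listed under Commands. The script below is an added example, not part of this skill: it reads `docker history --no-trunc --format '{{json .}}' IMAGE` output one layer per line and flags any `KEY=value` pair whose name looks like a credential, skipping values that are still unexpanded `$VAR` or `$(...)` text, which is what the secret-mount pattern above leaves behind. The sample lines are constructed.

```python
"""Scan `docker history` output for credentials baked into layer metadata (added example)."""
import json
import re
import sys

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
KEY_VALUE = re.compile(r"\b(\w+)=(\S+)")
INSTRUCTION = re.compile(r"\b(ENV|ARG|RUN)\b")


def leaked_pairs(created_by):
    """KEY=value pairs in one layer's CreatedBy whose KEY looks like a credential.
    Values still written as $VAR or $(...) were never expanded by the builder, so
    they are skipped; that is what a `--mount=type=secret` RUN leaves behind."""
    return [(k, v) for k, v in KEY_VALUE.findall(created_by)
            if SECRET_NAME.search(k) and not v.lstrip("\"'").startswith("$")]


def scan_history(lines):
    """lines: iterable of JSON objects, one per layer, as printed by
    docker history --no-trunc --format '{{json .}}' IMAGE (newest first).
    Returns [(instruction, key)] for every literal credential found."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        created_by = json.loads(line).get("CreatedBy", "")
        m = INSTRUCTION.search(created_by)
        kind = m.group(1) if m else "RUN"   # legacy "|1 K=V /bin/sh -c ..." form has no keyword
        findings.extend((kind, key) for key, _ in leaked_pairs(created_by))
    return findings


# Constructed sample: BuildKit and legacy-builder CreatedBy strings for an image
# that read one secret correctly, consumed a build ARG in a RUN and set two ENVs.
SAMPLE_HISTORY = r"""
{"CreatedBy":"CMD [\"node\" \"dist/index.js\"]","Size":"0B"}
{"CreatedBy":"RUN /bin/sh -c API_KEY=$(cat /run/secrets/api_key) && ./fetch-deps # buildkit","Size":"12.3MB"}
{"CreatedBy":"RUN |1 NPM_TOKEN=npm_constructed_sample_value /bin/sh -c npm ci # buildkit","Size":"45MB"}
{"CreatedBy":"ENV API_KEY=constructed-sample-key","Size":"0B"}
{"CreatedBy":"/bin/sh -c #(nop)  ENV DB_PASSWORD=constructed-sample-pw","Size":"0B"}
{"CreatedBy":"WORKDIR /app","Size":"0B"}
"""

if __name__ == "__main__":
    # Usage: docker history --no-trunc --format '{{json .}}' myapp:1.0 | python3 scan_history.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_HISTORY.splitlines()
    hits = scan_history(source)
    for kind, key in hits:
        print(f"{kind}: {key} is stored in image history; rebuild with RUN --mount=type=secret")
    sys.exit(1 if hits else 0)
```

A non-zero exit makes it usable as a CI gate after `docker build`; a hit means the value is recoverable by anyone who can pull the image, so rotate it and rebuild, since deleting it in a later layer does not remove it from history.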