🖼️ Docker Images

Documentation covering image building, optimization techniques, and security best practices for production‑grade Docker environments.

---

🏗️ Multi‑Stage Builds (Recommended)

Multi‑stage builds reduce image size, improve security, and separate build‑time dependencies from runtime layers.

FROM node:18 AS builder
WORKDIR /app

COPY package*.json ./
RUN npm ci

COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=builder /app/dist /usr/share/nginx/html

EXPOSE 80

Benefits:

• Smaller final image
• No build tools in production
• Cleaner attack surface
• Faster deployments

---

🚀 Optimization Best Practices

• Use official Alpine images when possible
• Minimize the number of layers
• Clean caches in the same layer

  RUN apk add --no-cache curl && rm -rf /var/cache/*
  

• Always use a .dockerignore file
• Avoid installing unnecessary packages
• Prefer COPY over ADD unless extracting archives
• Pin versions of base images (e.g., python:3.12.2-alpine)

---

📦 Checking Image Size

docker images --format "{{.Repository}}:{{.Tag}} → {{.Size}}"

Useful for identifying oversized images or debugging multi‑stage builds.

---

🔐 Image Security

Vulnerability Scanning

trivy image myapp:latest
# or
docker scout quickview myapp:latest

Security Best Practices

• Run as a non‑root user

  USER nonroot
  

• Do not store secrets in images
• Pin dependency versions
• Regularly update base images
• Avoid exposing unnecessary ports
• Use minimal base images (e.g., distroless, alpine)
• Validate downloaded binaries with checksums

---

🧪 Example: Secure Production Image

FROM python:3.12-alpine AS base
RUN adduser -D appuser

WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

COPY . .

USER appuser
EXPOSE 8000

CMD ["python", "main.py"]

---

📘 Additional Topics

• Dockerfile best practices
• How multi‑stage builds work
• Optimizing image layers
• Securing container runtimes