DCEU 18: Dockerfile Best Practices

Tibor Vass
Docker, Inc.
Dockerfile Best Practices
Sebastiaan van Stijn
Docker, Inc.
@tiborvass @thaJeztah

Dockerfile
A blueprint to build Docker images
Popular: 1+ million Dockerfiles on GitHub

https://docs.docker.com/engine/reference/builder/

Use latest Docker, enable BuildKit today!
Docker client:
export DOCKER_BUILDKIT=1
Docker daemon config:
{
"features": {"buildkit": true}
}
Windows support
coming soon

image: template to instantiate running containers.
References list of filesystem layers
layer: a list of changes to a rootfs
copy-on-write filesystem: allows smaller disk usage
Quick refresher on Images

Quick refresher on Build
Parse Dockerfile and get build steps to perform
build caching: no need to perform build steps where files or RUN line
have not changed, reuse cached layers
build context: local files that can be copied to the image

- Consistency/Repeatability
- (Incremental) build time
- Image size
- Maintainability
Areas of improvements

-rw-r--r-- 1 656 Dec 4 12:20 Dockerfile
drwxr-xr-x 2 6.1M Dec 4 09:44 docs/
-rw-r--r-- 1 1.7K Dec 3 09:48 pom.xml
-rw-r--r-- 1 1.0K Dec 4 10:12 README.md
drwxr-xr-x 4 44K Dec 3 09:48 src/
drwxr-xr-x 2 17M Dec 4 09:50 target/
Basic Java Spring Hello world web app
Example project

FROM debian
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk ssh emacs
CMD ["java", "-jar", "/app/target/app.jar"]
Let’s improve this Dockerfile

Let’s improve this Dockerfile
FROM debian
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk ssh emacs vim

Order matters for caching
FROM debian
COPY . /app
RUN apt-get update
RUN apt-get -y install openjdk-8-jdk ssh vim
COPY . /app

Order matters for caching
FROM debian
RUN apt-get update
COPY . /app

More specific COPY to limit cache bust
FROM debian
RUN apt-get update
COPY . /app
COPY target/app.jar /app

FROM debian
RUN apt-get update
CMD ["java", "-jar", "/app/app.jar"]
Pro Tip! Use COPY, not ADD for local files

FROM debian
RUN apt-get update

Identify cacheable "units"
FROM debian
RUN apt-get update

Line buddies: apt-get update & install
FROM debian
RUN apt-get update
RUN apt-get update && apt-get -y install
openjdk-8-jdk ssh vim

Line buddies: apt-get update & install
FROM debian

Remove unnecessary dependencies
FROM debian

Remove unnecessary dependencies
FROM debian
openjdk-8-jdk

Use --no-install-recommends
FROM debian
RUN apt-get update &&
apt-get -y install --no-install-recommends
openjdk-8-jdk

Remove package manager cache
FROM debian
openjdk-8-jdk
&& rm -rf /var/lib/apt/lists/*

Reuse official images when possible
FROM debian
openjdk-8-jdk
&& rm -rf /var/lib/apt/lists/*
FROM openjdk

- Reduce time spent on maintenance
(frequently updated with fixes)
- Reduce size (shared layers between images)
- Pre-configured for container use
- Built by smart people
- Bonus: scanned for vulnerabilities on Docker Hub

FROM openjdk

Use more specific tags
FROM openjdk:latest
FROM openjdk:8

FROM openjdk:8

Read the image's documentation on
Docker Hub
https://hub.docker.com/_/openjdk

FROM openjdk:8-jre

Look for minimal flavors
FROM openjdk:8-jre-slim

FROM openjdk:8-jre-slim
FROM openjdk:8-jre-alpine

REPOSITORY TAG SIZE
openjdk 8 624MB
openjdk 8-jre 443MB
openjdk 8-jre-slim 204MB
openjdk 8-jre-alpine 83MB

Look for reproducibility

Build from source in a consistent environment
- Build environment is described in the Dockerfile
- Correct versions of build tools installed
- Prevent inconsistencies between environments
- There may be system dependencies
- The "source of truth" is the source code not the build artifact

FROM maven:3.6-jdk-8-alpine
COPY app.jar /app
COPY pom.xml /app/
COPY src /app/src
RUN cd /app && mvn -e -B package

COPY pom.xml /app/
COPY src /app/src

WORKDIR /app
COPY pom.xml /app/.
COPY src /app./src

WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN mvn -e -B package

Cache dependencies
WORKDIR /app
COPY pom.xml .
RUN mvn -e -B dependency:resolve
COPY src ./src

Identify build dependencies
WORKDIR /app
COPY pom.xml .
COPY src ./src

Multi-stage builds to remove build deps
WORKDIR /app
COPY pom.xml .
COPY src ./src

FROM maven:3.6-jdk-8-alpine AS builder
WORKDIR /app
COPY pom.xml .
COPY src ./src
COPY --from=builder /app/target/app.jar /
CMD ["java", "-jar", "/app.jar"]

WORKDIR /app
COPY pom.xml .
COPY src ./src

- Moby: 16 stages
https://github.com/moby/moby/blob/master/Dockerfile
- BuildKit: 44 stages
https://github.com/moby/buildkit/blob/master/hack/do
ckerfiles/test.buildkit.Dockerfile
Projects with many stages

- Separate build from runtime environment
(shrinking image size)
- Slight variations on images
- DRY (Don’t Repeat Yourself)
- Build/dev/test/lint environments
- Concurrent stages
- Platform-specific stages
Multi-stage usecases

...
FROM openjdk:8-jre-jessie AS release-jessie
FROM openjdk:8-jre-alpine AS release-alpine
docker build --target X

...
FROM openjdk:8-jre-jessie AS release-jessie
COPY --from=builder /app/app.jar /
FROM openjdk:8-jre-alpine AS release-alpine
docker build --target X

ARG flavor=alpine
...
FROM openjdk:8-jre-$flavor AS release
Global ARG: docker build --build-arg K=V

...
FROM openjdk:8-jre-alpine AS lint
RUN wget https://github.com/checkstyle/checkstyle/releases/download/checkstyle-8.15/checkstyle-8.15-all.jar
COPY checks.xml .
COPY src /src
RUN java -jar checkstyle-8.15-all.jar -c checks.xml /src
Various environments: build, dev, test, lint, ...

...
FROM openjdk:8-jre-alpine AS release
FROM builder AS dev
RUN apk add --no-cache strace
ENTRYPOINT ["ash"]

...
RUN mvn -e -B package -DskipTests
FROM builder AS unit-test
RUN mvn -e -B test
FROM release AS integration-test
RUN apk add --no-cache curl
RUN ./test/run.sh

...
FROM tiborvass/whalesay AS assets
RUN whalesay "¡Hola DockerCon!" > /out/assets.html
FROM openjdk:8-jre-alpine AS release
COPY --from=assets /out /assets
Multi-stage: build concurrently

Benchmarks
Based on github.com/moby/moby Dockerfile, master branch. Smaller is better.
Time for full build from empty state
2.0x
faster

Benchmarks
Repeated build with matching cache
7.2x
faster

Benchmarks
Repeated build with new source code
2.5x
faster

Some new Dockerfile
features in v18.09

“Supercharged Docker Build with BuildKit”
BlackBelt session Wednesday 12pm
- What’s new
- New Dockerfile features (RUN --mount, secrets, ssh,
syntax customization)

# syntax = docker/dockerfile:1.0-experimental
# syntax=docker/dockerfile:1.0-experimental
WORKDIR /app
COPY . /app

Context mounts (v18.09 only)
WORKDIR /app
COPY . /app
RUN --mount=target=. mvn -e -B package -DoutputDirectory=/

Context mounts (v18.09 only)
WORKDIR /app
RUN --mount=target=. mvn -e -B package -DoutputDirectory=/
COPY --from=builder /app.jar /

Application cache (v18.09 only)
WORKDIR /app
RUN --mount=target=. --mount=type=cache,target=/root/.m2
&& mvn package -DoutputDirectory=/
COPY --from=builder /app.jar /
CMD ["java", "/app.jar"]

We went from:
- inconsistent build/dev/test environments
- bloated image
- slow build and incremental build times (cache busts)
To:
- consistent build/dev/test environments
- minimal image
- very fast build and incremental build times
Improvements recap

Read more on blog posts
https://medium.com/@tonistiigi/advanced-
multi-stage-build-patterns-6f741b852fae
https://medium.com/@tonistiigi/build-secrets-an
d-ssh-forwarding-in-docker-18-09-ae8161d066

• Multi-stage, multi-stage, multi-stage
• Enable BuildKit
• Supercharged Docker Build with
BuildKit in BlackBelt session on
Wednesday at 12pm
Thank you!

Take A Breakout Survey
Access your session and/or workshop surveys for the conference at any time by tapping the Sessions
link on the navigation menu or block on the home screen.
Find the session/workshop you attended and tap on it to view the session details. On this page, you will
find a link to the survey.

DCEU 18: Dockerfile Best Practices

Run as an unprivileged user
RUN addgroup -g 50 -S appuser
&& adduser -D -S -h /app -s /sbin/nologin
-u 1000 -G appuser appuser
USER appuser:appuser
COPY app.jar /app

Run as an unprivileged user
FROM openjdk:8u181-jre-alpine
RUN addgroup -g 50 -S appuser
&& adduser -D -S -h /app -s /sbin/nologin
-u 1000 -G appuser appuser
USER appuser:appuser
COPY app.jar /app

FROM ...
RUN --mount=type=secret,id=mysecret,required ...
$ docker build --secret id=mysecret,src=/local/secret .
Build secrets

FROM ...
RUN --mount=type=ssh git clone git@github.com:myorg/myproject.git
$ docker build --ssh default
SSH

Docker Product / Feature Icons
Container Image Registry Control Plane
Product symbols:
• OK to change size (proportionally)
• OK to change color
• NO changes to shapes, direction, or design
• (ok to change ”service” design)
Service (swarm)
Pod (kubernetes)
Group of
containers
or

Computer, PC, terminal, laptop, device
Mobile watch
Server, data center
Storage
database
NetworkGlobe, location Layer, vm
VM
Edge DeviceDevelop dev
Cloud

Repair tune
CI /
CD
Metrics, alert, dashboard Monitor, logging,
operations configure
Relationship,
hierarchy, process, integration, arrows,
cycle
Check

Calendar,
date
CI /
CD
Clocks,
speed, time
Security, secure, Scan, key, sign, encrypt
firewall
Process, relationship, hierarchy, cycle
integrate
Chain, brokentrust

People MiscPeople
executive
architect
practitioner
developer
Generic
male
Operator, support
Hands - Shake
Agreement - button
group
Generic
female
Generic
speaker

• 20+ Websites for Incredible Free Stock Photos
− https://mymodernmet.com/best-free-stock-photography-websites/
− Includes sites focusing on food, nature, places, vintage, humorous/whimsical as well as
general photo sites
• 21 Amazing Sites With Breathtaking Free Stock Photos
− https://blog.snappa.com/free-stock-photos/

Generic Block Diagrams
Calls to Action
Summary Groups

DCEU 18: Dockerfile Best Practices

More Related Content

What's hot (20)

Similar to DCEU 18: Dockerfile Best Practices (20)

More from Docker, Inc. (20)

Recently uploaded (20)

DCEU 18: Dockerfile Best Practices