Best Practices Guide: Vyatta Firewall - Brocade...Best Practices Guide
Dockerfiles & Best Practices
-
Upload
avash-mulmi -
Category
Technology
-
view
117 -
download
1
Transcript of Dockerfiles & Best Practices
Dockerfiles & Best Practices#BDay4
Avash Mulmi
Mozilla Representative for Nepal
Volunteer, FOSS Nepal Community
Docker Meetup Organizer
Agenda
What are Dockerfiles?
Usage
Best Practices
Dockerfile(s)?
Textfile, named Dockerfile
Contains commands, in sequential order
Used to build an image
Have own format and instruction set
Dockerfile
Dockerfile(s)?
Building Images
Change WORKDIR to Folder with Dockerfile (General Practice)
~# docker build .
~# docker build -t IMAGE_NAME:Tag .
~# docker build -t IMAGE_NAME:Tag -f Dockerfile /path/to/Dockerfile
Working with Built Image
Check for built image:
~# docker images
Saving built image:
~# docker save IMAGENAME > image.tar
Deleting/Removing built image:
~# docker rmi IMAGENAME
~# docker rmi IMAGE_ID
Best Practices
Ephemeral Containers
Using .dockerignore file
As lightweight as possible
Minimize the number of layers
One container, One purpose
Use volumes
Avoid using root user
Ephemeral Containers
Containers should be ephemeral
Literal meaning of Ephemeral Short lived, brief, momentary
Stopped, Destroyed and New one built with minimum set-up & configurations
Good and Complete Dockerfile can achieve this easily
.dockerignore
Similar to .gitignore
Generally Dockerfile is in an empty directory
In some cases, we need to add files and directories to the containers
In such cases, use .dockerignore in those directories to skip files that are not required at all
Lightweight
Install only required packages
It can reduce complexity, dependencies, file size and build times
Some applications might look important for future
For eg: a text editor in a database image
Make image as small as possible using light base images where possible
Minimize Number of Layers
Each RUN command creates a new layer
Need to know figure out how to minimize the number of layers
Example 1: update, upgrade and installation of packages can stay in a single RUN command with multi-line arguments
Example 2: download of a zip file, extraction and move to another folder
Benefits: docker pull and docker push are faster, reduces complexity of an image etc.
Example 1
RUN apt-get updateRUN apt-get install apache2 git mysql-server php5 vimRUN apt-get clean
RUN apt-get update \&& apt-get install apache2 git mysql-server php5 vim \&& apt-get clean
Example 2
RUN curl http://192.168.100.5/file.tar.gzRUN tar xvf file.tar.gzRUN mv EXTRACTED_FILE /opt/
RUN curl http://192.168.100.5/file.tar.gz | tar xvf -C /opt/
Example 3
RUN apt-get update \&& apt-get install apache2 git mysql-server php5 vim \&& apt-get clean
RUN curl http://192.168.100.5/file.tar.gz | tar xvf -C /opt/
RUN cp /etc/someconfig /opt/someconfig \&& ln -s /usr/share/app1/default.cfg /opt/default.cfg
RUN apt-get update \&& apt-get install apache2 git mysql-server php5 vim \&& apt-get clean \&& curl | tar xvf -C /opt/ \&& cp /etc/someconfig /opt/someconfig \&& ln -s /usr/share/app1/default.cfg /opt/default.cfg \&& cd /opt/ && ./configure && make && make install \&& rm old_unnecessary_files
One Container, One Purpose
Keep containers as clean and modular as possible
Creating containers for different dependent applications and linking them makes it easier to maintain & reuse those containers
Eg: Instead of single container with webserver, database and (php), three separate containers with webserver, database and (php) in each is better.
Why? Maintenance & Reusablity
Use Volumes
Do not store data in containers, as far as possible
Use Volumes to store data
Concept of ephemeral
App container running v1.9 should be easily stopped, destroyed and updated with container running v2.0 without losing any data
Avoid using `root` user
By default docker runs containers with root user
If possible use a normal user
Depends on situation
Delete unnecessary files
Reduces size of image and container
Eg: RUN curl https://192.168.5.100/file.tar.gz \&& tar xvf -C file.tar.gz /opt/ \&& rm file.tar.gz
Use comments
Comments can help users as well as yourself in the future.
Dockerfile comments start with #
Eg:#Install required packages for the appRUN apt-get install package1 package2 package3
# Modifying texts from default configRUN sed -i s/word1/word2/g config.cfg
ADD & COPY
COPY only copies file from directory
ADD allows source to be URL
ADD also has functionality of `tar`, archiving
Use COPY as far as possible as it is more transparent.
ADD may add malicious files from unknown sources if used improperly.
References
Dockerfile referenceshttps://docs.docker.com/engine/reference/builder/
10 things to avoid in docker containershttps://developers.redhat.com/blog/2016/02/24/10-things-to-avoid-in-docker-containers/
Docker best practiceshttps://github.com/FuriKuri/docker-best-practices