
Docker

A lot of the operations below also apply to Podman.

Multi-stage builds

Use multi-stage builds: compile in one stage and copy only the finished artifacts into the runtime stage, so compilers, package caches and anything else the build needed never reach the production image. The image gets smaller, and so does the attack surface: nothing to compile with and nothing to fetch with once someone is inside the container. Prefer COPY over ADD in the runtime stage unless you actually need ADD's archive extraction or URL fetching.

# Stage 1: build with the full toolchain
FROM xxx-building-image AS builder
ADD ...
RUN make

# Stage 2: the runtime image receives only the build output
FROM xxx-runtime-image
COPY --from=builder ...

Docker messing up the netfilter NAT table

It does, and the effect is a firewall bypass. Docker inserts its own DOCKER chain into the nat table (jumped to from PREROUTING and OUTPUT) and into the filter table's FORWARD chain, so a port published with -p is DNATed to the container before your INPUT rules are consulted; a ufw rule or a hand-written INPUT rule that "blocks" the port does nothing. Workarounds: bind published ports to 127.0.0.1 (or set the daemon's default bind address to it), put host rules in the DOCKER-USER chain, which Docker evaluates before its own FORWARD rules, or use rootless Podman, which forwards ports in user space and leaves the host's tables alone.
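The check below is an added example, not part of these notes or of Docker: an awk filter that reads iptables-save output and lists the DOCKER-chain DNAT rules not restricted to a loopback destination, which are exactly the ports reachable from every interface. The iptables-save text embedded in it is constructed to look like a host with one container published as -p 8080:80 and one as -p 127.0.0.1:5432:5432; nothing else is assumed.

```shell
#!/usr/bin/env bash
# Added example: list Docker port publications reachable from every interface
# by reading the DOCKER chain of the nat table. Not from the page or any project.

# Constructed sample in iptables-save format, shaped like a host running one
# container published with "-p 8080:80" and one with "-p 127.0.0.1:5432:5432".
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER ! -i docker0 -d 127.0.0.1/32 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT'

# exposed_dnat: reads iptables-save output on stdin and prints "HOSTPORT -> CONTAINER"
# for each DOCKER-chain DNAT rule that is not limited to a loopback destination.
# The PREROUTING jump above runs before routing, so the packet goes through
# FORWARD, never INPUT, which is why INPUT/ufw rules for these ports never match.
exposed_dnat() {
  awk '
    /^-A DOCKER / && /-j DNAT/ && !/-d 127\.0\.0\.1\/32/ && !/-d ::1\/128/ {
      port = "?"; dst = "?"
      for (i = 1; i <= NF; i++) {
        if ($i == "--dport")          port = $(i + 1)
        if ($i == "--to-destination") dst = $(i + 1)
      }
      print port " -> " dst
    }'
}

# exposed_count: how many such rules (stdin as above), printed without padding.
exposed_count() { exposed_dnat | wc -l | tr -d ' '; }

# Demo on the sample; on a live host run as root:  iptables-save -t nat | exposed_dnat
printf '%s\n' "$SAMPLE_NAT" | exposed_dnat
```

The -d 127.0.0.1/32 match on the second DNAT rule is what -p 127.0.0.1:HOST:CONTAINER produces; its absence on the first rule is the sign that port 8080 is open to the world regardless of what the host firewall says.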

Do not use Alpine

Alpine uses musl as its libc. That causes trouble in some cases, notably around name resolution: musl does not read gai.conf(5) or nsswitch.conf(5), and it resolves names differently from glibc (it queries all configured nameservers in parallel, for instance). Those two files rarely matter inside a container, but the resolver and other libc behaviour still differ from glibc, and software that was only ever tested against glibc can misbehave.

Moreover, Alpine is too minimal. Administrators regularly need an interactive shell inside a running production container to diagnose a problem, and Alpine ships only BusyBox, so the usual diagnostic tools are missing or are stripped-down applets.

Use a Debian or Ubuntu image instead. Debian slim images are still small by the standards of today's disks, and they carry far more of the tools you would actually find on a production host.

Moreover, because Docker stores images as layers on overlayfs, a base layer shared by several images is stored only once on disk, so the larger base costs little.

The confusing latest tag

If I remember correctly (I had not used Docker for four years, unfortunately), the latest version is just a placeholder for the current latest version of that image. It has nothing to do with auto-updates or the like. It can even break things, because the latest version may change from time to time.
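As an added example (not from these notes or any project), the script below lints a Dockerfile for the points made on this page: it requires a multi-stage build whose COPY --from names a declared stage, flags an Alpine runtime base, flags a FROM that is untagged or uses latest (the two are the same thing: latest is merely the tag Docker uses when you name none, nothing makes it the newest build, and it moves whenever the publisher pushes again), and flags ADD where COPY would do. The two Dockerfiles it writes are constructed samples; the Go program the good one pretends to build does not exist, and a digest pin (image@sha256:...) would be stronger than the tags shown, but a digest is whatever your registry reports for the image you pulled, so none is written here.

```shell
#!/usr/bin/env bash
# Added example: lint a Dockerfile for multi-stage use, Alpine runtime base,
# floating latest tags and ADD-instead-of-COPY. Not from the page or any project.

# Constructed sample: toolchain in a builder stage, Debian slim at runtime,
# a dedicated unprivileged user, and only the binary copied across.
write_good_dockerfile() {
  cat >"$1" <<'EOF'
FROM golang:1.22-bookworm AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -trimpath -ldflags='-s -w' -o /out/app ./cmd/app

FROM debian:bookworm-slim
RUN useradd --system --uid 10001 --create-home app
COPY --from=builder /out/app /usr/local/bin/app
USER app
ENTRYPOINT ["/usr/local/bin/app"]
EOF
}

# Constructed counterexample that trips every check below.
write_bad_dockerfile() {
  cat >"$1" <<'EOF'
FROM alpine
ADD app.tar.gz /opt/
COPY --from=builder /out/app /usr/local/bin/app
ENTRYPOINT ["/opt/app"]
EOF
}

# tag_of IMAGE: prints "digest" when pinned by digest, the tag when present,
# else "latest", because an untagged reference is an implicit :latest.
tag_of() {
  case "$1" in *@sha256:*) echo digest; return ;; esac
  last=${1##*/}                 # strip registry/namespace; a ':' there may be a port
  case "$last" in *:*) echo "${last##*:}" ;; *) echo latest ;; esac
}

# lint_dockerfile FILE: one finding per line on stdout; exit 0 if clean, 1 otherwise.
lint_dockerfile() {
  file=$1; findings=0; stages=0; names=" "; last_base=""
  set -f                        # no globbing while word-splitting Dockerfile lines
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    inst=$(printf '%s' "${line%% *}" | tr '[:lower:]' '[:upper:]')
    set -- ${line#* }           # the instruction's arguments as words
    case "$inst" in
      FROM)
        case "$1" in --platform=*) shift ;; esac
        image=$1; shift
        [ $# -ge 2 ] && names="$names$2 "        # "AS name" declares a stage
        stages=$((stages + 1)); last_base=$image
        if [ "$(tag_of "$image")" = latest ]; then
          echo "FROM $image: floating latest tag; pin a tag, better a digest"
          findings=$((findings + 1))
        fi ;;
      ADD)
        echo "ADD $1: prefer COPY (ADD unpacks archives and fetches URLs)"
        findings=$((findings + 1)) ;;
      COPY)
        case "$1" in
          --from=*)
            src=${1#--from=}
            case "$src" in
              *[!0-9]*)         # named stage: must have been declared with AS
                case "$names" in *" $src "*) ;; *)
                  echo "COPY --from=$src: stage not declared with AS"
                  findings=$((findings + 1)) ;;
                esac ;;
              *)                # numeric stage index: must be an earlier stage
                [ "$src" -lt $((stages - 1)) ] || {
                  echo "COPY --from=$src: no earlier stage with that index"
                  findings=$((findings + 1)); } ;;
            esac ;;
        esac ;;
    esac
  done <"$file"
  set +f
  if [ "$stages" -lt 2 ]; then
    echo "single-stage build: the toolchain ships in the runtime image"
    findings=$((findings + 1))
  fi
  case "$last_base" in alpine|alpine:*|alpine@*|*/alpine|*/alpine:*|*/alpine@*)
    echo "runtime stage based on Alpine (musl libc, BusyBox-only tooling)"
    findings=$((findings + 1)) ;;
  esac
  [ "$findings" -eq 0 ]
}

# Usage: lint the Dockerfile named on the command line, e.g. ./lint.sh ./Dockerfile
[ $# -eq 1 ] && lint_dockerfile "$1"
```

The good sample passes silently; the bad one produces five findings, one per point on this page, and exits non-zero, which is the shape you want for a CI gate in front of docker build.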


Last update: November 5, 2023
Created: November 5, 2023