github.com/slava-ustovytski/docker@v1.8.2-rc1/docs/articles/dockerfile_best-practices.md (about)

     1  <!--[metadata]>
     2  +++
     3  title = "Best practices for writing Dockerfiles"
     4  description = "Hints, tips and guidelines for writing clean, reliable Dockerfiles"
     5  keywords = ["Examples, Usage, base image, docker, documentation, dockerfile, best practices, hub,  official repo"]
     6  [menu.main]
     7  parent = "smn_images"
     8  +++
     9  <![end-metadata]-->
    10  
    11  # Best practices for writing Dockerfiles
    12  
    13  ## Overview
    14  
    15  Docker can build images automatically by reading the instructions from a
    16  `Dockerfile`, a text file that contains all the commands, in order, needed to
    17  build a given image. `Dockerfile`s adhere to a specific format and use a
    18  specific set of instructions. You can learn the basics on the 
    19  [Dockerfile Reference](https://docs.docker.com/reference/builder/) page. If
    20  you’re new to writing `Dockerfile`s, you should start there.
    21  
    22  This document covers the best practices and methods recommended by Docker,
    23  Inc. and the Docker community for creating easy-to-use, effective
    24  `Dockerfile`s. We strongly suggest you follow these recommendations (in fact,
    25  if you’re creating an Official Image, you *must* adhere to these practices).
    26  
    27  You can see many of these practices and recommendations in action in the [buildpack-deps `Dockerfile`](https://github.com/docker-library/buildpack-deps/blob/master/jessie/Dockerfile).
    28  
    29  > Note: for more detailed explanations of any of the Dockerfile commands
    30  >mentioned here, visit the [Dockerfile Reference](https://docs.docker.com/reference/builder/) page.
    31  
    32  ## General guidelines and recommendations
    33  
    34  ### Containers should be ephemeral
    35  
    36  The container produced by the image your `Dockerfile` defines should be as
    37  ephemeral as possible. By “ephemeral,” we mean that it can be stopped and
    38  destroyed and a new one built and put in place with an absolute minimum of
    39  set-up and configuration.
    40  
    41  ### Use a .dockerignore file
    42  
    43  In most cases, it's best to put each Dockerfile in an empty directory. Then,
    44  add to that directory only the files needed for building the Dockerfile. To
    45  increase the build's performance, you can exclude files and directories by
    46  adding a `.dockerignore` file to that directory as well. This file supports 
    47  exclusion patterns similar to `.gitignore` files. For information on creating one,
    48  see the [.dockerignore file](../../reference/builder/#dockerignore-file).
    49  
    50  ### Avoid installing unnecessary packages
    51  
    52  In order to reduce complexity, dependencies, file sizes, and build times, you
    53  should avoid installing extra or unnecessary packages just because they
    54  might be “nice to have.” For example, you don’t need to include a text editor
    55  in a database image.
    56  
    57  ### Run only one process per container
    58  
    59  In almost all cases, you should only run a single process in a single
    60  container. Decoupling applications into multiple containers makes it much
    61  easier to scale horizontally and reuse containers. If that service depends on
    62  another service, make use of [container linking](https://docs.docker.com/userguide/dockerlinks/).
    63  
    64  ### Minimize the number of layers
    65  
    66  You need to find the balance between readability (and thus long-term
    67  maintainability) of the `Dockerfile` and minimizing the number of layers it
    68  uses. Be strategic and cautious about the number of layers you use.
    69  
    70  ### Sort multi-line arguments
    71  
    72  Whenever possible, ease later changes by sorting multi-line arguments
    73  alphanumerically. This will help you avoid duplication of packages and make the
    74  list much easier to update. This also makes PRs a lot easier to read and
    75  review. Adding a space before a backslash (`\`) helps as well.
    76  
    77  Here’s an example from the [`buildpack-deps` image](https://github.com/docker-library/buildpack-deps):
    78  
    79      RUN apt-get update && apt-get install -y \
    80        bzr \
    81        cvs \
    82        git \
    83        mercurial \
    84        subversion
    85  
    86  ### Build cache
    87  
    88  During the process of building an image Docker will step through the
    89  instructions in your `Dockerfile` executing each in the order specified.
    90  As each instruction is examined Docker will look for an existing image in its
    91  cache that it can reuse, rather than creating a new (duplicate) image.
    92  If you do not want to use the cache at all you can use the ` --no-cache=true`
    93  option on the `docker build` command.
    94  
    95  However, if you do let Docker use its cache then it is very important to
    96  understand when it will, and will not, find a matching image. The basic rules
    97  that Docker will follow are outlined below:
    98  
    99  * Starting with a base image that is already in the cache, the next
   100  instruction is compared against all child images derived from that base
   101  image to see if one of them was built using the exact same instruction. If
   102  not, the cache is invalidated.
   103  
   104  * In most cases simply comparing the instruction in the `Dockerfile` with one
   105  of the child images is sufficient.  However, certain instructions require
   106  a little more examination and explanation.
   107  
   108  * For the `ADD` and `COPY` instructions, the contents of the file(s) 
   109  in the image are examined and a checksum is calculated for each file. 
   110  The last-modified and last-accessed times of the file(s) are not considered in 
   111  these checksums. During the cache lookup, the checksum is compared against the 
   112  checksum in the existing images. If anything has changed in the file(s), such 
   113  as the contents and metadata, then the cache is invalidated. 
   114  
   115  * Aside from the `ADD` and `COPY` commands cache checking will not look at the
   116  files in the container to determine a cache match. For example, when processing
   117  a `RUN apt-get -y update` command the files updated in the container
   118  will not be examined to determine if a cache hit exists.  In that case just
   119  the command string itself will be used to find a match.
   120  
   121  Once the cache is invalidated, all subsequent `Dockerfile` commands will
   122  generate new images and the cache will not be used.
   123  
   124  ## The Dockerfile instructions
   125  
   126  Below you'll find recommendations for the best way to write the
   127  various instructions available for use in a `Dockerfile`.
   128  
   129  ### FROM
   130  
   131  [Dockerfile reference for the FROM instruction](https://docs.docker.com/reference/builder/#from)
   132  
   133  Whenever possible, use current Official Repositories as the basis for your
   134  image. We recommend the [Debian image](https://registry.hub.docker.com/_/debian/)
   135  since it’s very tightly controlled and kept extremely minimal (currently under
   136  100 mb), while still being a full distribution.
   137  
   138  ### RUN
   139  
   140  [Dockerfile reference for the RUN instruction](https://docs.docker.com/reference/builder/#run)
   141  
   142  As always, to make your `Dockerfile` more readable, understandable, and
   143  maintainable, put long or complex `RUN` statements on multiple lines separated
   144  with backslashes.
   145  
   146  Probably the most common use-case for `RUN` is an application of `apt-get`.
   147  When using `apt-get`, here are a few things to keep in mind:
   148  
   149  * Don’t do `RUN apt-get update` on a single line. This will cause
   150  caching issues if the referenced archive gets updated, which will make your
   151  subsequent `apt-get install` fail without comment.
   152  
   153  * Avoid `RUN apt-get upgrade` or `dist-upgrade`, since many of the “essential”
   154  packages from the base images will fail to upgrade inside an unprivileged
   155  container. If a base package is out of date, you should contact its
   156  maintainers. If you know there’s a particular package, `foo`, that needs to be
   157  updated, use `apt-get install -y foo` and it will update automatically.
   158  
   159  * Do write instructions like:
   160  
   161          RUN apt-get update && apt-get install -y \
   162              package-bar \
   163              package-baz \
   164              package-foo
   165  
   166  Writing the instruction this way not only makes it easier to read
   167  and maintain, but also, by including `apt-get update`, ensures that the cache
   168  will naturally be busted and the latest versions will be installed with no
   169  further coding or manual intervention required.
   170  
   171  * Further natural cache-busting can be realized by version-pinning packages
   172  (e.g., `package-foo=1.3.*`). This will force retrieval of that version
   173  regardless of what’s in the cache.
   174  Writing your `apt-get` code this way will greatly ease maintenance and reduce
   175  failures due to unanticipated changes in required packages.
   176  
   177  #### Example
   178  
   179  Below is a well-formed `RUN` instruction that demonstrates the above
   180  recommendations. Note that the last package, `s3cmd`, specifies a version
   181  `1.1.0*`. If the image previously used an older version, specifying the new one
   182  will cause a cache bust of `apt-get update` and ensure the installation of
   183  the new version (which in this case had a new, required feature).
   184  
   185      RUN apt-get update && apt-get install -y \
   186          aufs-tools \
   187          automake \
   188          btrfs-tools \
   189          build-essential \
   190          curl \
   191          dpkg-sig \
   192          git \
   193          iptables \
   194          libapparmor-dev \
   195          libcap-dev \
   196          libsqlite3-dev \
   197          lxc=1.0* \
   198          mercurial \
   199          parallel \
   200          reprepro \
   201          ruby1.9.1 \
   202          ruby1.9.1-dev \
   203          s3cmd=1.1.0*
   204  
   205  Writing the instruction this way also helps you avoid potential duplication of
   206  a given package because it is much easier to read than an instruction like:
   207  
   208      RUN apt-get install -y package-foo && apt-get install -y package-bar
   209  
   210  ### CMD
   211  
   212  [Dockerfile reference for the CMD instruction](https://docs.docker.com/reference/builder/#cmd)
   213  
   214  The `CMD` instruction should be used to run the software contained by your
   215  image, along with any arguments. `CMD` should almost always be used in the
   216  form of `CMD [“executable”, “param1”, “param2”…]`. Thus, if the image is for a
   217  service (Apache, Rails, etc.), you would run something like
   218  `CMD ["apache2","-DFOREGROUND"]`. Indeed, this form of the instruction is
   219  recommended for any service-based image.
   220  
   221  In most other cases, `CMD` should be given an interactive shell (bash, python,
   222  perl, etc), for example, `CMD ["perl", "-de0"]`, `CMD ["python"]`, or
   223  `CMD [“php”, “-a”]`. Using this form means that when you execute something like
   224  `docker run -it python`, you’ll get dropped into a usable shell, ready to go.
   225  `CMD` should rarely be used in the manner of `CMD [“param”, “param”]` in
   226  conjunction with [`ENTRYPOINT`](https://docs.docker.com/reference/builder/#entrypoint), unless
   227  you and your expected users are already quite familiar with how `ENTRYPOINT`
   228  works. 
   229  
   230  ### EXPOSE
   231  
   232  [Dockerfile reference for the EXPOSE instruction](https://docs.docker.com/reference/builder/#expose)
   233  
   234  The `EXPOSE` instruction indicates the ports on which a container will listen
   235  for connections. Consequently, you should use the common, traditional port for
   236  your application. For example, an image containing the Apache web server would
   237  use `EXPOSE 80`, while an image containing MongoDB would use `EXPOSE 27017` and
   238  so on.
   239  
   240  For external access, your users can execute `docker run` with a flag indicating
   241  how to map the specified port to the port of their choice.
   242  For container linking, Docker provides environment variables for the path from
   243  the recipient container back to the source (ie, `MYSQL_PORT_3306_TCP`).
   244  
   245  ### ENV
   246  
   247  [Dockerfile reference for the ENV instruction](https://docs.docker.com/reference/builder/#env)
   248  
   249  In order to make new software easier to run, you can use `ENV` to update the
   250  `PATH` environment variable for the software your container installs. For
   251  example, `ENV PATH /usr/local/nginx/bin:$PATH` will ensure that `CMD [“nginx”]`
   252  just works.
   253  
   254  The `ENV` instruction is also useful for providing required environment
   255  variables specific to services you wish to containerize, such as Postgres’s
   256  `PGDATA`.
   257  
   258  Lastly, `ENV` can also be used to set commonly used version numbers so that
   259  version bumps are easier to maintain, as seen in the following example:
   260  
   261      ENV PG_MAJOR 9.3
   262      ENV PG_VERSION 9.3.4
   263      RUN curl -SL http://example.com/postgres-$PG_VERSION.tar.xz | tar -xJC /usr/src/postgress && …
   264      ENV PATH /usr/local/postgres-$PG_MAJOR/bin:$PATH
   265  
   266  Similar to having constant variables in a program (as opposed to hard-coding
   267  values), this approach lets you change a single `ENV` instruction to
   268  auto-magically bump the version of the software in your container.
   269  
   270  ### ADD or COPY
   271  
   272  [Dockerfile reference for the ADD instruction](https://docs.docker.com/reference/builder/#add)<br/>
   273  [Dockerfile reference for the COPY instruction](https://docs.docker.com/reference/builder/#copy)
   274  
   275  Although `ADD` and `COPY` are functionally similar, generally speaking, `COPY`
   276  is preferred. That’s because it’s more transparent than `ADD`. `COPY` only
   277  supports the basic copying of local files into the container, while `ADD` has
   278  some features (like local-only tar extraction and remote URL support) that are
   279  not immediately obvious. Consequently, the best use for `ADD` is local tar file
   280  auto-extraction into the image, as in `ADD rootfs.tar.xz /`.
   281  
   282  If you have multiple `Dockerfile` steps that use different files from your
   283  context, `COPY` them individually, rather than all at once. This will ensure that
   284  each step's build cache is only invalidated (forcing the step to be re-run) if the
   285  specifically required files change.
   286  
   287  For example:
   288  
   289      COPY requirements.txt /tmp/
   290      RUN pip install /tmp/requirements.txt
   291      COPY . /tmp/
   292  
   293  Results in fewer cache invalidations for the `RUN` step, than if you put the
   294  `COPY . /tmp/` before it.
   295  
   296  Because image size matters, using `ADD` to fetch packages from remote URLs is
   297  strongly discouraged; you should use `curl` or `wget` instead. That way you can
   298  delete the files you no longer need after they've been extracted and you won't
   299  have to add another layer in your image. For example, you should avoid doing
   300  things like:
   301  
   302      ADD http://example.com/big.tar.xz /usr/src/things/
   303      RUN tar -xJf /usr/src/things/big.tar.xz -C /usr/src/things
   304      RUN make -C /usr/src/things all
   305  
   306  And instead, do something like:
   307  
   308      RUN mkdir -p /usr/src/things \
   309          && curl -SL http://example.com/big.tar.xz \
   310          | tar -xJC /usr/src/things \
   311          && make -C /usr/src/things all
   312  
   313  For other items (files, directories) that do not require `ADD`’s tar
   314  auto-extraction capability, you should always use `COPY`.
   315  
   316  ### ENTRYPOINT
   317  
   318  [Dockerfile reference for the ENTRYPOINT instruction](https://docs.docker.com/reference/builder/#entrypoint)
   319  
   320  The best use for `ENTRYPOINT` is to set the image's main command, allowing that
   321  image to be run as though it was that command (and then use `CMD` as the
   322  default flags).
   323  
   324  Let's start with an example of an image for the command line tool `s3cmd`:
   325  
   326      ENTRYPOINT ["s3cmd"]
   327      CMD ["--help"]
   328  
   329  Now the image can be run like this to show the command's help:
   330  
   331      $ docker run s3cmd
   332  
   333  Or using the right parameters to execute a command:
   334  
   335      $ docker run s3cmd ls s3://mybucket
   336  
   337  This is useful because the image name can double as a reference to the binary as
   338  shown in the command above.
   339  
   340  The `ENTRYPOINT` instruction can also be used in combination with a helper
   341  script, allowing it to function in a similar way to the command above, even
   342  when starting the tool may require more than one step.
   343  
   344  For example, the [Postgres Official Image](https://registry.hub.docker.com/_/postgres/)
   345  uses the following script as its `ENTRYPOINT`:
   346  
   347  ```bash
   348  #!/bin/bash
   349  set -e
   350  
   351  if [ "$1" = 'postgres' ]; then
   352      chown -R postgres "$PGDATA"
   353  
   354      if [ -z "$(ls -A "$PGDATA")" ]; then
   355          gosu postgres initdb
   356      fi
   357  
   358      exec gosu postgres "$@"
   359  fi
   360  
   361  exec "$@"
   362  ```
   363  
   364  > **Note**:
   365  > This script uses [the `exec` Bash command](http://wiki.bash-hackers.org/commands/builtin/exec)
   366  > so that the final running application becomes the container's PID 1. This allows
   367  > the application to receive any Unix signals sent to the container.
   368  > See the [`ENTRYPOINT`](https://docs.docker.com/reference/builder/#entrypoint)
   369  > help for more details.
   370  
   371  
   372  The helper script is copied into the container and run via `ENTRYPOINT` on
   373  container start:
   374  
   375      COPY ./docker-entrypoint.sh /
   376      ENTRYPOINT ["/docker-entrypoint.sh"]
   377  
   378  This script allows the user to interact with Postgres in several ways.
   379  
   380  It can simply start Postgres:
   381  
   382      $ docker run postgres
   383  
   384  Or, it can be used to run Postgres and pass parameters to the server:
   385  
   386      $ docker run postgres postgres --help
   387  
   388  Lastly, it could also be used to start a totally different tool, such as Bash:
   389  
   390      $ docker run --rm -it postgres bash
   391  
   392  ### VOLUME
   393  
   394  [Dockerfile reference for the VOLUME instruction](https://docs.docker.com/reference/builder/#volume)
   395  
   396  The `VOLUME` instruction should be used to expose any database storage area,
   397  configuration storage, or files/folders created by your docker container. You
   398  are strongly encouraged to use `VOLUME` for any mutable and/or user-serviceable
   399  parts of your image.
   400  
   401  ### USER
   402  
   403  [Dockerfile reference for the USER instruction](https://docs.docker.com/reference/builder/#user)
   404  
   405  If a service can run without privileges, use `USER` to change to a non-root
   406  user. Start by creating the user and group in the `Dockerfile` with something
   407  like `RUN groupadd -r postgres && useradd -r -g postgres postgres`.
   408  
   409  > **Note:** Users and groups in an image get a non-deterministic
   410  > UID/GID in that the “next” UID/GID gets assigned regardless of image
   411  > rebuilds. So, if it’s critical, you should assign an explicit UID/GID.
   412  
   413  You should avoid installing or using `sudo` since it has unpredictable TTY and
   414  signal-forwarding behavior that can cause more problems than it solves. If
   415  you absolutely need functionality similar to `sudo` (e.g., initializing the
   416  daemon as root but running it as non-root), you may be able to use
   417  [“gosu”](https://github.com/tianon/gosu). 
   418  
   419  Lastly, to reduce layers and complexity, avoid switching `USER` back
   420  and forth frequently.
   421  
   422  ### WORKDIR
   423  
   424  [Dockerfile reference for the WORKDIR instruction](https://docs.docker.com/reference/builder/#workdir)
   425  
   426  For clarity and reliability, you should always use absolute paths for your
   427  `WORKDIR`. Also, you should use `WORKDIR` instead of  proliferating
   428  instructions like `RUN cd … && do-something`, which are hard to read,
   429  troubleshoot, and maintain.
   430  
   431  ### ONBUILD
   432  
   433  [Dockerfile reference for the ONBUILD instruction](https://docs.docker.com/reference/builder/#onbuild)
   434  
   435  An `ONBUILD` command executes after the current `Dockerfile` build completes.
   436  `ONBUILD` executes in any child image derived `FROM` the current image.  Think
   437  of the `ONBUILD` command as an instruction the parent `Dockerfile` gives
   438  to the child `Dockerfile`.
   439  
   440  A Docker build executes `ONBUILD` commands before any command in a child
   441  `Dockerfile`.
   442  
   443  `ONBUILD` is useful for images that are going to be built `FROM` a given
   444  image. For example, you would use `ONBUILD` for a language stack image that
   445  builds arbitrary user software written in that language within the
   446  `Dockerfile`, as you can see in [Ruby’s `ONBUILD` variants](https://github.com/docker-library/ruby/blob/master/2.1/onbuild/Dockerfile). 
   447  
   448  Images built from `ONBUILD` should get a separate tag, for example:
   449  `ruby:1.9-onbuild` or `ruby:2.0-onbuild`.
   450  
   451  Be careful when putting `ADD` or `COPY` in `ONBUILD`. The “onbuild” image will
   452  fail catastrophically if the new build's context is missing the resource being
   453  added. Adding a separate tag, as recommended above, will help mitigate this by
   454  allowing the `Dockerfile` author to make a choice.
   455  
   456  ## Examples for Official Repositories
   457  
   458  These Official Repositories have exemplary `Dockerfile`s:
   459  
   460  * [Go](https://registry.hub.docker.com/_/golang/)
   461  * [Perl](https://registry.hub.docker.com/_/perl/)
   462  * [Hy](https://registry.hub.docker.com/_/hylang/)
   463  * [Rails](https://registry.hub.docker.com/_/rails)
   464  
   465  ## Additional resources:
   466  
   467  * [Dockerfile Reference](https://docs.docker.com/reference/builder/)
   468  * [More about Base Images](https://docs.docker.com/articles/baseimages/)
   469  * [More about Automated Builds](https://docs.docker.com/docker-hub/builds/)
   470  * [Guidelines for Creating Official 
   471  Repositories](https://docs.docker.com/docker-hub/official_repos/)