
Docker notes

🔑 Core Concepts

1. Docker Images vs Containers

  • Image: A read-only template (e.g., an OS + app code + dependencies).
  • Container: A running instance of an image with a writable layer.

2. Layers and Caching

  • Docker images are composed of layers, each representing an instruction (e.g., RUN, COPY) in a Dockerfile.
  • Docker caches layers to speed up rebuilds.
  • Reordering commands in your Dockerfile can drastically affect rebuild times and cache invalidation.

3. Tags

  • Tags are used to version and differentiate images.
  • Convention: my-app:latest, my-app:v1.2.0, my-app:commit-hash.
  • Avoid relying solely on :latest in production.

4. Registries

  • Remote storage for Docker images:

    • Docker Hub (default)
    • GHCR (GitHub Container Registry)
    • Amazon ECR, Google GCR, Harbor, etc.
  • Understand docker login, docker push, docker pull.

5. Image IDs and Digests

  • IMAGE ID: SHA-256 hash that identifies the image locally (the ID column of docker image ls).
  • Digest: cryptographic hash (sha256:...) of the image manifest that uniquely identifies the image content in a registry.

    • Pull and deploy by digest (repo@sha256:...) for immutability in CI/CD: a tag can later be moved to different content, a digest cannot.
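A small guard for the point above, added here as an example and not part of the original notes: it reports every FROM line in a Dockerfile that pulls a base image by mutable tag instead of by digest, so a CI job can fail before the build starts. The sample Dockerfile it checks, and the digest in it (the SHA-256 of the empty string, not a real alpine digest), are constructed placeholders.

```shell
#!/bin/sh
# check_pins.sh: fail fast when a Dockerfile pulls a base image by mutable tag
# instead of by digest. Added example for these notes, not a Docker tool; the
# sample Dockerfile and the digest in it are constructed placeholders.
set -eu
set -f   # no globbing: Dockerfile lines are word-split with "set --" below

# unpinned_from FILE: print "<line>: <text>" for every FROM lacking @sha256:<64 hex>.
# Exempt: "scratch" and references to earlier stages (FROM builder), which are
# resolved inside the build and never fetched from a registry.
unpinned_from() {
  file=$1
  stages=" "
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    set -- $line                                   # split the line into words
    [ "$#" -gt 0 ] || continue
    [ "$(printf '%s' "$1" | tr a-z A-Z)" = FROM ] || continue
    shift
    while [ "$#" -gt 0 ] && [ "${1#--}" != "$1" ]; do shift; done   # skip --platform=... flags
    ref=${1:-}
    case $stages in *" $ref "*) continue ;; esac   # reference to an earlier stage
    if [ "$#" -ge 3 ] && [ "$(printf '%s' "$2" | tr a-z A-Z)" = AS ]; then
      stages="$stages$3 "                          # remember "FROM x AS name"
    fi
    [ "$ref" = scratch ] && continue
    printf '%s' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$' && continue
    printf '%d: %s\n' "$n" "$line"
  done < "$file"
  return 0
}

# check_pins FILE: exit status 1 (with a report on stderr) if anything is unpinned.
check_pins() {
  report=$(unpinned_from "$1")
  [ -z "$report" ] && return 0
  printf 'unpinned base images in %s:\n%s\n' "$1" "$report" >&2
  return 1
}

# Constructed sample: line 2 is unpinned, line 6 is pinned (placeholder digest,
# the SHA-256 of the empty string), line 8 references the "builder" stage.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# syntax=docker/dockerfile:1
FROM golang:1.22-alpine AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app .
FROM --platform=$BUILDPLATFORM alpine@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
COPY --from=builder /app /app
FROM builder AS test
RUN go test ./...
EOF

if check_pins "$SAMPLE"; then
  echo "all base images are pinned"
else
  echo "fix: replace each tag with repo@sha256:<digest> (docker buildx imagetools inspect repo:tag prints it)"
fi
```

Run against the sample it reports only line 2, the golang tag; the pinned alpine line and the stage reference pass. The check is deliberately strict about the digest length so that a truncated or hand-edited digest is treated as unpinned.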

🏗️ Build and Tagging

  • Use multi-stage builds to reduce final image size.
  • Tag images semantically (e.g., v1.0.0, 20240516, main-abc123).
  • Automate image tagging with CI pipelines.

🧽 Image Hygiene

  • Remove unused images: docker image prune, docker system prune.

  • Avoid bloated images:

    • Prefer alpine, distroless, or scratch base images when appropriate.
    • Combine RUN commands to reduce layer count.

🔐 Security

  • Scan images for vulnerabilities as part of the build and again on a schedule, since new vulnerabilities are disclosed against images that have not changed.
  • Pin versions of OS packages and dependencies to avoid surprises.

🧪 Testing and Promotion

  • Use CI pipelines to build, test, and promote images (dev → staging → prod).
  • Promote by re-tagging, not rebuilding.
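The "promote by re-tagging" step as a script, added as an example and not part of the original notes. It assumes a docker CLI with the buildx imagetools subcommand (the --format template on imagetools inspect needs a reasonably recent buildx); registry.example.com/my-app and the dev/staging/prod tag names are constructed placeholders.

```shell
#!/bin/sh
# promote.sh: move an image from one environment to the next by re-tagging the
# digest that passed tests, never by rebuilding. Added example for these notes;
# the registry path registry.example.com/my-app and the dev/staging/prod tag
# names are constructed placeholders.
set -eu

# repo_of REF: strip the tag and any @digest from an image reference.
# Works with registries that carry a port, e.g. localhost:5000/my-app:dev.
repo_of() {
  ref=${1%%@*}                 # drop "@sha256:..." if present
  last=${ref##*/}              # final path component, e.g. "my-app:dev"
  case $last in
    *:*) printf '%s\n' "${ref%:*}" ;;   # has a tag: cut it off
    *)   printf '%s\n' "$ref" ;;
  esac
}

# promotion_target REF ENV: same repository, the environment's tag.
promotion_target() {
  printf '%s:%s\n' "$(repo_of "$1")" "$2"
}

# is_pinned REF: true when REF carries a full sha256 digest.
is_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# resolve_digest TAG_REF: turn a mutable tag into repo@sha256:... without
# pulling layers (imagetools inspect reads the manifest from the registry).
resolve_digest() {
  digest=$(docker buildx imagetools inspect --format '{{.Manifest.Digest}}' "$1")
  printf '%s@%s\n' "$(repo_of "$1")" "$digest"
}

# promote SRC ENV: add the ENV tag to the exact manifest SRC points at.
promote() {
  src=$1
  is_pinned "$src" || src=$(resolve_digest "$src")   # pin first, so the log records what was promoted
  dst=$(promotion_target "$src" "$2")
  # Server-side re-tag: no layers move, the manifest simply gains one more tag.
  docker buildx imagetools create --tag "$dst" "$src"
  printf 'promoted %s -> %s\n' "$src" "$dst"
}

# Usage (constructed): ./promote.sh registry.example.com/my-app:dev-abc123 staging
if [ "${1:-}" ]; then
  promote "$1" "${2:-staging}"
fi
```

Resolving the tag to a digest before re-tagging is what makes the promotion auditable: the log line names the manifest that reached staging, and the same digest can be promoted to prod later without caring where the dev tag has moved in the meantime.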

📦 Registry Management

  • Use private registries for proprietary images.
  • Implement retention policies and garbage collection in registries to avoid storage bloat.
  • Monitor access control and credentials (especially for cloud registries).

📄 Documentation and Labels

  • Use Dockerfile LABEL for metadata (e.g., org.opencontainers.image.source).
  • Track source, build date, and version inside images.
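One build script that ties together the Layers and Caching, Build and Tagging, and Documentation and Labels sections: a cache-friendly multi-stage Dockerfile with OCI labels, and tags derived from build inputs rather than typed by hand. It is an added example, not from the original notes; registry.example.com/my-app, the version and commit values, and the source URL in the LABEL are constructed placeholders, and the Dockerfile assumes a Go application with a go.mod.

```shell
#!/bin/sh
# build.sh: build a multi-stage image and apply the tag styles from these notes
# the way a CI job would. Added example, not from the original notes;
# registry.example.com/my-app, the example version and commit id, and the
# source URL in the LABEL are constructed placeholders.
set -eu

# write_dockerfile PATH: a Dockerfile illustrating two habits from the notes.
# Cache: module manifests are copied and dependencies downloaded before the
# source tree, so that layer survives when only application code changes.
# Size: the runtime stage starts from a distroless base and receives only the
# compiled binary; the Go toolchain and sources never reach the final image.
write_dockerfile() {
  cat > "$1" <<'EOF'
# syntax=docker/dockerfile:1
# In production, pin both base images by digest (image@sha256:...).
FROM golang:1.22-alpine AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM gcr.io/distroless/static-debian12:nonroot
ARG VERSION=dev
ARG COMMIT=unknown
LABEL org.opencontainers.image.version="${VERSION}" \
      org.opencontainers.image.revision="${COMMIT}" \
      org.opencontainers.image.source="https://github.com/example/my-app"
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]
EOF
}

# image_tags REPO VERSION DATE BRANCH COMMIT: one full reference per line, in
# the three styles the notes list (v1.0.0, 20240516, main-abc123).
image_tags() {
  printf '%s:v%s\n' "$1" "$2"
  printf '%s:%s\n' "$1" "$3"
  printf '%s:%s-%s\n' "$1" "$4" "$5"
}

# build_and_push REPO VERSION DATE BRANCH COMMIT: one build, every tag, then push.
build_and_push() {
  repo=$1 version=$2 date=$3 branch=$4 commit=$5
  write_dockerfile Dockerfile
  tags=$(image_tags "$repo" "$version" "$date" "$branch" "$commit")
  set --                                  # collect one -t per tag
  for t in $tags; do set -- "$@" -t "$t"; done
  docker build --build-arg VERSION="$version" --build-arg COMMIT="$commit" "$@" .
  for t in $tags; do docker push "$t"; done
}

# In CI the inputs come from the environment, e.g. VERSION from a git tag,
# COMMIT from git rev-parse --short HEAD, DATE from date +%Y%m%d.
if [ "${1:-}" = --run ]; then
  build_and_push "${REPO:-registry.example.com/my-app}" "${VERSION:-1.0.0}" \
    "${DATE:-$(date +%Y%m%d)}" "${BRANCH:-main}" "${COMMIT:-abc123}"
fi
```

Because all three tags are applied to a single docker build, they point at the same image ID; the version and revision labels baked in at build time let anyone later run docker image inspect and trace a running container back to the commit that produced it.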

⚙️ Useful Commands

docker build -t my-app:v1.2.3 .
docker tag my-app:v1.2.3 registry.example.com/my-app:v1.2.3
docker push registry.example.com/my-app:v1.2.3
docker pull my-app:latest
docker image ls
docker image prune -a
docker scan my-app:v1.2.3

📚 Advanced Topics

  • OCI image spec and compatibility
  • SBOM (Software Bill of Materials)
  • Reproducible builds
  • Notary/Content trust for signed images
  • Immutable infrastructure and GitOps using Docker images

Let me know if you want examples of good Dockerfiles or want to learn about building and promoting images in CI/CD pipelines (e.g., GitHub Actions or GitLab CI).
