How to write a Dockerfile

2025-04-06 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article covers how to write a Dockerfile. Many people have questions about this in day-to-day work, so the editor consulted a range of materials and compiled some simple, practical guidelines. We hope they help answer those questions. Read on.

It is best not to run as a privileged user (root)

By default, Docker runs all applications as the root user of the container, which creates potential security risks. Containers in a production environment are best run as an unprivileged user, set with the USER instruction.

Where is the hidden danger? Please elaborate.

The security hazard is that if the container is compromised and it is running as root, it is more likely to cause problems for the system. But using the root user in itself should be fine.

Does that mean there will be a problem if you run the container as root? Then why is it recommended to use the USER command to switch Docker to a non-root user?

The isolation provided by Docker is limited. If the application in a container is malicious and runs as root, then if it changes the system configuration (something that needs root permission, such as unloading a system module or changing a system file), it will also affect other containers, because they share one kernel.

Avoid using apt-get upgrade

The upgrade command is used to upgrade the current base image. Unprivileged users cannot upgrade some core applications, and the upgrade command also disrupts the cached image layers, making the build take longer. In general, if you choose the right base image you do not need to upgrade it; if an upgrade really is necessary, it is best to contact the maintainer of the base image so that all users can benefit. If you only need to update one program foo, you can do so with apt-get install -y foo.

Merge commands as much as possible

Each command in a Dockerfile creates a new layer, and there is a limit to the number of layers a container can have. Merging logically related commands as much as possible therefore reduces the number of layers. This includes merging multiple uses of the commands that can be merged (EXPOSE, ENV, VOLUME, COPY).

Each command in a Dockerfile creates a new layer, and there is a limit to the number of layers a container can have. So combining logically related commands as much as possible reduces the number of layers, which can also speed up the build?

Merge multiple commands that can be merged (EXPOSE, ENV, VOLUME, COPY), such as:

Use "&&" to connect RUN commands, such as:

However, merging too many commands may hurt the readability of the Dockerfile, so there is a tradeoff between optimization and readability.

Arrange the order of commands sensibly

The order of commands affects the time a build takes. Each command produces a layer. If a layer is already in the cache, generating it takes very little time. From the first layer that is not cached onward, all subsequent commands are rebuilt. For this reason, we recommend putting commands that rarely change first, so that more layers can be served from the cache and the build time is reduced.

Avoid storing data in containers

The container needs to be stateless so that it is easy to launch a new container to replace one that has gone down. If the container holds state, additional operations and maintenance work is needed to restore that state when a container goes down.

Use .dockerignore

Using .dockerignore reduces the number of unnecessary files copied into the container, which reduces the image size. For example, there are .git files in many places, but they do not need to be copied into the container.

Avoid installing unnecessary software

Installing unnecessary software wastes space and increases build time. For example, a database container does not need a text editor installed. Further, if the program can be compiled locally, there is no need to install the compiler and the libraries it needs in the container. Just copy the locally compiled binary into the container.
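The practices from the sections above combined in one Dockerfile, as an added example that is not part of the original article. The base image tag, the app account, the build/server binary, the installed package, the ports and the /data volume are all assumptions chosen for illustration.

```dockerfile
# Added example, not from the original article.
# Assumed names: base image tag, "app" user, build/server binary,
# ca-certificates (stands in for the article's "foo"), ports, /data.
# A .dockerignore file beside this Dockerfile should list .git and any
# other paths that must stay out of the build context.
FROM debian:12-slim

# Rarely changing instructions come first so their layers stay cached.
# One ENV instruction sets several variables instead of one layer each.
ENV APP_HOME=/opt/app \
    APP_PORT=8080

# One RUN layer, chained with &&:
#  - install only the package that is needed, with no "apt-get upgrade"
#  - skip recommended extras and remove the apt lists to keep the image small
#  - create an unprivileged account and hand it the directories it writes to
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/* \
 && groupadd --system app \
 && useradd --system --gid app --home-dir "$APP_HOME" \
            --shell /usr/sbin/nologin app \
 && mkdir -p "$APP_HOME" /data \
 && chown app:app "$APP_HOME" /data

# State lives in a volume, not in the container's writable layer, so a
# replacement container can be started without restoring anything.
# Ownership was set above, before the VOLUME declaration.
VOLUME ["/data"]

# One EXPOSE instruction for both ports.
EXPOSE 8080 8443

# The artifact that changes most often goes last: after a code change only
# this layer and the ones below it are rebuilt. The binary was compiled
# outside the image, so no compiler or build libraries are installed here.
COPY --chown=app:app build/server /opt/app/server

# From here on, including the running process, nothing is root.
WORKDIR /opt/app
USER app
ENTRYPOINT ["/opt/app/server"]
```

Running docker run with the image and then id inside the container should report the app account rather than uid 0; a second build after changing only build/server should reuse every layer above the COPY line.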

That concludes this look at how to write a Dockerfile. We hope it has answered your questions. Combining theory with practice is the best way to learn, so go and try it. If you want to learn more on related topics, please keep following the website; the editor will continue working to bring you more practical articles.
