wget
or curl
but not both DOK-DL4001Don't install two tools that have the same effect to avoid the additional cruft.
sudo
DOK-DL3004Do not use sudo
as it leads to unpredictable behavior and possibly security vulnerabilities. Use a tool like gosu
to perform user switching operations.
Use function_name()
and refer to passed parameters as $1
, $2
etc. Shell script functions behave just like scripts and other commands: - They always take 0 to N parameters, referred to by $1
, $2
etc. They cannot declare parameters by name.
apt-get
lists after installing anything DOK-DL3009Cleaning up the apt cache and removing /var/lib/apt/lists
helps keep the image size down. Since the RUN
statement starts with apt-get update
, the package cache will always be refreshed prior to apt-get install
.
WORKDIR
DOK-DL3000By using absolute paths you will not run into problems when a previous WORKDIR
instruction changes. You also often don't know the WORKDIR
context of your base container.
For some POSIX commands it makes no sense to run them in a Docker container because they are bound to the host or are otherwise dangerous (like ´shutdown´, ´service´, ´ps´, ´free´, ´top´, ´kill´, ´mount´, ´ifconfig´). Interactive utilities also don't make much sense (´nano´, ´vim´).
root
when the Dockerfile completes DOK-DL3002Switching to the root USER
opens up certain security risks if an attacker gets access to the container. In order to mitigate this, switch back to a non privileged user after running the commands you need as root.
WORKDIR
to switch to a directory DOK-DL3003Only use cd
in a subshell. Most commands can work with absolute paths and in most cases, it is not necessary to change directories. Docker provides the WORKDIR
instruction if you really need to change the current working directory.
Using the latest
tag can cause breakages when a new version of an image is released. You can never rely on the assumption that the latest
tag points to a specific version of an image.
pip
DOK-DL3013Version pinning forces the build to retrieve a particular version regardless of what’s in the cache. This technique can also reduce failures due to unanticipated changes in required packages. You can read more about version pinning here.
-y
switch DOK-DL3014Without the -y
/--assume-yes
option it might be possible for the build to break without human intervention.
You can never rely on the assumption that the latest
tag points to a specific version of an image. Explicitly tagging the image with a specific version (e.g. ubuntu:12.04) ensures that your application will not break due to random changes across different versions of an image you depend on.
COPY --from
should reference a previously defined FROM
alias DOK-DL3022Trying to copy from a missing image alias results in an error.
COPY --from
cannot reference its own FROM
alias DOK-DL3023Trying to copy from the same image the instruction is running in results in an error.
FROM
aliases (stage names) must be unique DOK-DL3024Defining duplicate stage names results in an error.
ENTRYPOINT
instructions detected DOK-DL4004If you list more than one ENTRYPOINT
then only the last ENTRYPOINT
command will be setup, making prior ENTRYPOINT
setups redundant.
apt
, use apt-get
or apt-cache
instead DOK-DL3027Do not use apt
as it is meant to be an end-user tool. apt
is discouraged by the linux distributions as an unattended tool as its interface may suffer changes between versions. Better use the more stable apt-get
and apt-cache
Once a package is installed, it does not need to be re-installed and the Docker cache can be leveraged instead. Since the pip cache makes the images larger and is not needed, it's better to disable it.
yarn cache clean
after yarn install
DOK-P1005yarn
keeps a local cache of downloaded packages. Not cleaning cached package data after installation can result in higher image sizes.
It is always recommended to clean the cached packages after installing them.
#
DOK-SC1099A keyword is found immediately following a #
. In order for the #
to start a comment, it needs to come after a word boundary such as a space.