Docker

Made by DeepSource
Use any one of wget or curl but not both DOK-DL4001
Anti-pattern
Minor

Don't install two tools that do the same job. Pick either curl or wget; the second one only adds package cruft (and attack surface) to the image.

Possible parameter declaration detected DOK-SC1065
Anti-pattern
Major

Use function_name() and refer to passed parameters as $1, $2 etc. Shell script functions behave just like scripts and other commands:
- They always take 0 to N parameters, referred to by $1, $2 etc.
- They cannot declare parameters by name.

Delete the apt-get lists after installing anything DOK-DL3009
Performance
Major

Cleaning up the apt cache and removing /var/lib/apt/lists helps keep the image size down. Do the cleanup in the same RUN instruction as the install: a later RUN that deletes the lists only hides them in a new layer, the layer that created them keeps its full size. Since the RUN statement starts with apt-get update, the package cache will always be refreshed prior to apt-get install.

Use absolute WORKDIR DOK-DL3000
Bug risk
Minor

By using absolute paths you will not run into problems when an earlier WORKDIR instruction changes. You also often don't know which working directory the base image set, so a relative WORKDIR resolves against something you do not control.

Command does not make sense in a container DOK-DL3001
Bug risk
Critical

For some POSIX commands it makes no sense to run them in a Docker container because they are bound to the host or are otherwise dangerous (like shutdown, service, ps, free, top, kill, mount, ifconfig). Interactive utilities also don't make much sense (nano, vim).

User should not be root when the Dockerfile completes DOK-DL3002
Security
Critical

If the last USER instruction leaves the container running as root (or there is no USER instruction at all, in which case root is the default), an attacker who gets code execution in the container gets it as root, which gives them every file and capability the container was started with. In order to mitigate this, run the commands that need root, then switch to a non-privileged user with a final USER instruction.

Use WORKDIR to switch to a directory DOK-DL3003
Anti-pattern
Minor

Only use cd in a subshell. Each RUN instruction starts a fresh shell, so a cd does not carry over to the next instruction anyway. Most commands can work with absolute paths and in most cases it is not necessary to change directories. Docker provides the WORKDIR instruction if you really need to change the current working directory.
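The following Dockerfile is an added example, not code from the DeepSource page or from any project it describes; it shows DOK-DL3000, DOK-DL3002 and DOK-DL3003 satisfied together. The base image, the package installed, the user and group name, the UID and the application path are assumptions chosen for illustration.

```dockerfile
# Added example (not from the DeepSource page). Base image, package, user name,
# UID and application path are assumptions chosen for illustration.
FROM debian:12-slim

# Root is still in effect here: package installation needs it.
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates python3 \
    && rm -rf /var/lib/apt/lists/*

# Create an unprivileged system user with a fixed UID (predictable file
# ownership across rebuilds) and no login shell.
RUN groupadd --system --gid 10001 app \
    && useradd --system --uid 10001 --gid app \
               --create-home --shell /usr/sbin/nologin app

# DL3000: absolute path, independent of whatever WORKDIR the base image set.
WORKDIR /srv/app

# DL3003: no "RUN cd /srv/app && ..."; WORKDIR already applies to COPY and CMD,
# and a cd inside a RUN would not survive into the next instruction anyway.
COPY --chown=app:app . /srv/app

# DL3002: the last USER instruction decides who the container runs as.
USER app

CMD ["python3", "/srv/app/main.py"]
```

Check the result after building with `docker run --rm <image> id`; the output should show uid 10001 rather than uid 0. If a later instruction in the file needs root again, put it before the final USER rather than adding a second USER root at the end.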

Pin image versions explicitly to a release tag DOK-DL3007
Bug risk
Major

Using the latest tag (or no tag at all, which Docker treats as latest) can cause breakages when a new version of an image is released. You can never rely on the assumption that the latest tag points to a specific version of an image.

Use the -y switch DOK-DL3014
Bug risk
Major

Without the -y/--assume-yes option, apt-get install stops to ask for confirmation. A Docker build has no human to answer the prompt, so the install aborts and the build fails.

Always tag the version of an image explicitly DOK-DL3006
Bug risk
Minor

You can never rely on the assumption that the latest tag points to a specific version of an image. Explicitly tagging the image with a specific version (e.g. ubuntu:12.04) ensures that your application will not break due to random changes across different versions of an image you depend on. Tags themselves can be moved, so where reproducibility matters also pin the digest (image:tag@sha256:...), which identifies exactly one image manifest.

COPY --from should reference a previously defined FROM alias DOK-DL3022
Bug risk
Major

Trying to copy from a missing image alias results in an error.

COPY --from cannot reference its own FROM alias DOK-DL3023
Bug risk
Major

Trying to copy from the same image the instruction is running in results in an error.

FROM aliases (stage names) must be unique DOK-DL3024
Bug risk
Major

Defining duplicate stage names results in an error.
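The two-stage build below is an added example, not code from the DeepSource page or from any project it describes. It shows pinned base image tags (DOK-DL3006, DOK-DL3007) and correct use of stage aliases (DOK-DL3022, DOK-DL3023, DOK-DL3024) in one file. The image names and tags, the stage names, the Go module layout and the build commands are assumptions chosen for illustration.

```dockerfile
# Added example (not from the DeepSource page). Image tags, stage names, module
# layout and build commands are assumptions chosen for illustration.

# DL3007/DL3006: a release tag, never latest. Appending @sha256:<digest>
# (copied from `docker pull` output) pins the exact manifest as well.
# DL3024: the alias "build" is used for exactly one stage in this file.
FROM golang:1.22-bookworm AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /out/server ./cmd/server

# Runtime stage under a different alias (DL3024), also on a pinned tag.
FROM gcr.io/distroless/static-debian12:nonroot AS runtime

# DL3022: --from names the stage defined above.
# DL3023: it must not name "runtime", the stage this COPY runs in.
COPY --from=build /out/server /server

USER nonroot
ENTRYPOINT ["/server"]
```

Renaming the first stage without updating the --from reference reproduces the DL3022 error, and writing `COPY --from=runtime` reproduces DL3023; both fail at build time, so the lint rule simply reports them earlier.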

Multiple ENTRYPOINT instructions detected DOK-DL4004
Bug risk
Major

If you list more than one ENTRYPOINT, only the last one takes effect, making the earlier ENTRYPOINT instructions dead weight.

Do not use apt, use apt-get or apt-cache instead DOK-DL3027
Anti-pattern
Major

Do not use apt, as it is meant to be an end-user tool. The distributions discourage apt for unattended use because its command-line interface may change between versions (it prints a warning to that effect when its output is not a terminal). Use the more stable apt-get and apt-cache instead.

Avoid cache directory with pip install --no-cache-dir <package> DOK-P1003
Performance
Minor

Once a package is installed it does not need to be re-installed, and Docker's layer cache takes care of skipping the step on rebuilds. The pip download cache therefore only makes the image larger, so disable it.

Missing yarn cache clean after yarn install DOK-P1005
Performance
Minor

yarn keeps a local cache of downloaded packages. Not cleaning the cached package data after installation results in larger images. Clean the cache in the same RUN instruction as the install; deleting it in a later instruction does not shrink the layer that already contains it.
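The Dockerfile below is an added example, not code from the DeepSource page or from any project it describes. It shows the package-manager rules satisfied together: one tool instead of curl plus wget (DOK-DL4001), apt-get rather than apt (DOK-DL3027), the -y switch (DOK-DL3014), apt list cleanup in the same layer (DOK-DL3009), pip without its cache (DOK-P1003) and yarn cache clean after yarn install (DOK-P1005). The base image, the packages, the virtualenv path and the application files are assumptions chosen for illustration.

```dockerfile
# Added example (not from the DeepSource page). Base image, packages, venv
# path and application files are assumptions chosen for illustration.
FROM node:20-bookworm-slim

# DL3027: apt-get, not apt.  DL3014: -y, so nothing waits for a prompt.
# DL4001: curl only, no wget alongside it.
# DL3009: update, install and list removal in ONE RUN, so the lists never
# end up in a layer and the install always uses a fresh index.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        curl \
        python3 \
        python3-venv \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# P1003: --no-cache-dir keeps pip's download cache out of the image. A venv
# is used so the distribution's system Python packages stay untouched.
COPY requirements.txt ./
RUN python3 -m venv /opt/venv \
    && /opt/venv/bin/pip install --no-cache-dir -r requirements.txt

# P1005: clean the yarn cache in the same layer that filled it. A separate
# "RUN yarn cache clean" would remove the files from a later layer while the
# earlier layer still carries them.
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile --production \
    && yarn cache clean

COPY . .
USER node
CMD ["node", "server.js"]
```

To confirm the cleanup worked, compare `docker history <image>` for the install layers with and without the `rm -rf` / `yarn cache clean` steps: the size of the RUN layer is what changes, not the final layer count.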

Missing space before # DOK-SC1099
Bug risk
Major

A # appears immediately after a word (for example a keyword such as then or do) with no space in between. In order for the # to start a comment, it needs to come after a word boundary such as a space; otherwise the shell treats it as part of the preceding word and the "comment" is executed.