- Link to official docs
- Link to bash script (for Ubuntu 20.x) that installs docker-ce, creates a user and adds it to the docker group
docker run hello-world
or
alias figlet='docker run -i --rm mwendler/figlet'
figlet test
- TL;DR - always use COPY, avoid using ADD. Use ADD only when you need to extract a local filesystem archive (gz, bz) into the container's filesystem.
COPY - copies files and folders, but does not extract archives and won't download from http:// links.
ADD - copies files and folders AND downloads/extracts archives.
Instead of using ADD to download from a URL, use the snippet below (the archive is streamed straight into tar, so it never lands in a layer; -z is for gzip, -j would be for bzip2; the directory name package.file/ is assumed to be what the archive extracts to):
RUN curl -sSL http://source.file/package.file.tar.gz \
    | tar -xzC /tmp/ \
    && make -C /tmp/package.file
- TL;DR
- CMD - sets the default command and/or parameter(s) that run when a container starts; anything given on the docker run command line replaces it.
- ENTRYPOINT - like CMD, but is not replaced by arguments on the docker run command line, so it guarantees that a specific command always runs when the container instance starts.
Use ENTRYPOINT and CMD together: put the command that should not be overridden into ENTRYPOINT, and put the parameters that will (often) be overridden at container start (docker run ...) into CMD.
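The ENTRYPOINT + CMD pattern described above, as an added example (not part of the original notes; the image and the ping program are assumptions chosen only for illustration):

```dockerfile
# Added example: ENTRYPOINT fixes the program, CMD only supplies default arguments.
FROM alpine:3.19
# Always use the exec (JSON array) form. With the shell form ("ENTRYPOINT ping")
# the CMD arguments would not be appended, and PID 1 would be /bin/sh, not ping.
ENTRYPOINT ["ping"]
# Default arguments: replaced entirely by whatever follows the image name in docker run.
CMD ["-c", "4", "127.0.0.1"]
```

After `docker build -t ping-demo .`, `docker run --rm ping-demo` executes `ping -c 4 127.0.0.1`, while `docker run --rm ping-demo -c 1 localhost` keeps the entrypoint and runs `ping -c 1 localhost`. The entrypoint itself can only be swapped with the explicit `--entrypoint` flag (e.g. `docker run --rm --entrypoint sh ping-demo`), which is what makes it the right place for the command that must always run.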

#docker stat
Each ADD or COPY statement adds a layer to the container image, and a layer stays in the image forever: files removed in a later layer still take up space.
One way to overcome ever-growing container image size is a multi-stage build, where multiple FROM statements are used and only the required data (files, folders, etc.) is left in the final container image.
This has its drawbacks too.
Some statements are not idempotent, for example chained shell commands in the RUN steps between ADD/COPY statements:
apt update && apt install
(the result depends on what the package repository serves at build time, so a cached layer can silently go stale).
- use the newer, faster Docker filesystem (storage driver), which is easier on inode usage
- do multi-stage builds to save space
- publish container images to a local registry to allow faster pulls from the k8s cluster (e.g. do not pull them from the other side of the globe)
- do not run as the root user: if a container escape happens, the user only has access to non-admin resources, limiting lateral movement by the threat actor
- build only from official images, with regular CVE scans
- do not bake secrets into the container image
- never use the ':latest' tag
- always use a private registry with security scans enabled
- for images meant to run in production, check their SBOM and cross-check it with the official sources to spot tampering in the supply chain
- insert mandatory security scans into your CI/CD pipeline:
- bridgecrew/checkov, aquasecurity/trivy, snyk, etc.
- Leaked credentials can also be an issue - use trufflehog to scan repos.
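A Dockerfile that puts the multi-stage advice from the image-size section and most of the checklist above into practice, as an added example (not part of the original notes). Assumptions: the build context is a Go module with go.mod and go.sum and a main package in ./cmd/app, and the CI job passes a private-module credential as a BuildKit secret; the image names and tags are illustrative and should be pinned to the digests you verify yourself.

```dockerfile
# syntax=docker/dockerfile:1
# ---- stage 1: build. Toolchain, source, module cache and secrets stay here ----
# Pin a specific tag (better: a @sha256 digest), never :latest.
FROM golang:1.22-alpine AS build
WORKDIR /src
# Copy only the dependency manifests first so this layer is cached until they change.
COPY go.mod go.sum ./
# The credential is mounted for this single RUN and is never written into a layer,
# unlike a COPY'd token or a build ARG, which would survive in the image history.
RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download
COPY . .
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- stage 2: runtime. Only the binary is copied out of the build stage ----
# distroless/static: no shell, no package manager, runs as the unprivileged
# "nonroot" user, so an attacker who reaches the container has little to work with.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
```

Build it with `docker build --secret id=netrc,src=$HOME/.netrc -t registry.internal/app:1.0.0 .`, then run `trivy image registry.internal/app:1.0.0` in the pipeline before `docker push` to the private registry; the final image contains neither the Go toolchain nor the source tree nor the .netrc, which is what keeps it small and keeps the credential out of every layer.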