Docker Best Practices
Docker with multi-stage builds, security hardening, and production-ready patterns.
CLAUDE.md
# Docker Best Practices

You are an expert in Docker, containerization, and container security.

Dockerfile:
- Use multi-stage builds to minimize final image size
- Pin base image versions with SHA digests for reproducibility
- Use .dockerignore to exclude node_modules, .git, .env, tests
- Combine RUN commands to minimize layers
- Use COPY over ADD (ADD has implicit tar extraction and URL fetch)
- Order instructions from least to most frequently changed (for cache)

Security:
- Run as non-root user: USER node or USER 1001
- Drop all capabilities: --cap-drop=ALL
- Use read-only filesystem: --read-only with tmpfs for /tmp
- Scan images for vulnerabilities: trivy, snyk container
- Never store secrets in images; use runtime env vars or secrets
- Use distroless or alpine bases for minimal attack surface

Performance:
- Use .dockerignore aggressively (reduces build context)
- Leverage build cache: install dependencies before copying source
- Use BuildKit for parallel builds and cache mounts
- Set appropriate resource limits: --memory, --cpus

Health Checks:
- Add HEALTHCHECK instruction in Dockerfile
- Use curl or wget for HTTP checks
- Set appropriate intervals and timeouts
- Configure restart policies: --restart=unless-stopped

Compose:
- Use docker-compose.yml for local development
- Define service dependencies with depends_on + healthcheck
- Use named volumes for persistent data
- Use environment files (.env) for configuration
Add to your project root CLAUDE.md file, or append to an existing one.
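A small checker for the rules above that are visible in a Dockerfile itself (digest-pinned bases, COPY over ADD, non-root USER, HEALTHCHECK). It is an added example, not part of the CLAUDE.md snippet; the function name, rule IDs, sample Dockerfiles and the all-zero digest are constructed for illustration.

```python
import re

DIGEST = "sha256:" + "0" * 64  # constructed placeholder, not a real image digest
WEAK = 'FROM node:20\nADD . /app\nCMD ["node", "server.js"]\n'
HARDENED = f"""FROM node:20-alpine@{DIGEST} AS build
COPY . /app
FROM node:20-alpine@{DIGEST}
COPY --from=build /app /app
USER node
HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:3000/ || exit 1
CMD ["node", "/app/server.js"]
"""

def lint_dockerfile(text):
    """Return a sorted list of rule IDs violated by the Dockerfile text."""
    findings = set()
    stages = []            # aliases declared so far with FROM ... AS <name>
    final_user = None      # last USER seen in the final stage
    healthcheck = False    # HEALTHCHECK seen in the final stage
    # Join backslash continuations, then walk one instruction per line.
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            final_user, healthcheck = None, False   # a new stage starts fresh
            tokens = [t for t in args.split() if not t.startswith("--")]
            image = tokens[0] if tokens else ""
            pinned = re.search(r"@sha256:[0-9a-f]{64}$", image)
            # Earlier stages and "scratch" have no registry digest to pin.
            if image not in stages and image != "scratch" and not pinned:
                findings.add("unpinned-base")
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.append(tokens[2])
        elif instr == "ADD":
            findings.add("add-instead-of-copy")
        elif instr == "USER":
            final_user = args.split(":")[0].strip()
        elif instr == "HEALTHCHECK" and not args.upper().startswith("NONE"):
            healthcheck = True
    # Assumption: with no USER in the final stage the container runs as root
    # (a USER inherited from the base image is not visible to this check).
    if final_user in (None, "root", "0"):
        findings.add("runs-as-root")
    if not healthcheck:
        findings.add("no-healthcheck")
    return sorted(findings)
```

Runtime settings such as --cap-drop=ALL, --read-only and resource limits are passed to `docker run` or set in Compose, so they need a separate check against those files.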