# Docker
Most of what follows also applies to Podman.
## Multi-stage builds
Always use
[multi-stage builds](https://docs.docker.com/build/building/multi-stage/): the
compiler, build dependencies and source tree stay in the `builder` stage, and
only the built artefacts are copied into the production image. That shrinks the
image and, just as importantly, means there is no toolchain inside the container
for an attacker to use.
```Dockerfile
# Build stage: the toolchain lives here and is discarded after the build.
FROM xxx-building-image AS builder
# Prefer COPY over ADD unless you actually want ADD's tar extraction or URL fetch.
ADD ...
RUN make
# Runtime stage: starts from a clean image, only the artefacts are copied across.
FROM xxx-runtime-image
COPY --from=builder ...
```
## Docker messing up the netfilter NAT table
Sucks. Use Podman.
What actually happens: the daemon rewrites the `nat` and `filter` tables
itself (the `DOCKER`, `DOCKER-USER` and `DOCKER-ISOLATION-STAGE-*` chains), and
a port published with `-p` is DNATed to the container and traverses `FORWARD`,
not `INPUT`, so a host firewall that only filters `INPUT` (ufw included) never
sees that traffic. If you have to stay on Docker, put your own filtering in the
`DOCKER-USER` chain, which is evaluated before Docker's rules and is not
overwritten by the daemon, or bind published ports to `127.0.0.1:` explicitly.
Rootless Podman does not touch the host's tables at all.
## Do not use Alpine
Alpine uses musl as its libc. That is troublesome in some cases, especially
around name resolution: `gai.conf(5)` and `nsswitch.conf(5)` are glibc
mechanisms that musl ignores. Those files rarely matter inside a container, but
musl's resolver and other behaviour still differ from glibc's in ways that only
show up in production.
Moreover, Alpine is too minimal. It is common for an administrator to need an
interactive shell inside a running production container to diagnose a problem,
and Alpine ships little beyond BusyBox applets.
Use a Debian or Ubuntu image instead. Debian slim images are still tiny,
especially by the standard of today's disks, but they carry the tools you would
realistically reach for in production. The trade-off is that those tools are
also available to whoever compromises the container, so run as a non-root user
and keep the root filesystem read-only where you can.
Moreover, because Docker stores images as layers on overlayfs, a base layer
shared by several images is stored once on disk, so the larger base costs little
once more than one image is built on it.
## The confusing `latest` tag
If I remember correctly (I haven't used Docker for four years, unfortunately),
`latest` is just the default tag name: `docker pull foo` means
`docker pull foo:latest`, and `latest` is whatever the publisher last pushed
under that name. It carries no version semantics and has nothing to do with
auto-updates; a running container is never updated by it. It can even break
things, because the image behind `latest` changes from time to time, so two
builds of the same Dockerfile can produce different results. Pin a version tag,
or pin the digest with the `image:tag@sha256:<digest>` form, so a build is
reproducible and a deploy is what you tested.