Essential Dockerizing Tips: From Base Image to Log Rotation
This guide presents practical Dockerizing techniques—including choosing lightweight base images, installing only necessary packages, handling file permissions, defining user privileges, exposing ports, configuring entrypoints, externalizing data, and managing logs—to help developers build secure, efficient container images.
1. Choose a Base Image
Start from an official language or service image (e.g., java, python, nginx) or a minimal OS image. Alpine Linux is recommended for its small size (~5 MB). URL: https://hub.docker.com/_/alpine/
Alpine uses apk instead of apt-get.
2. Install Required Packages
Combine update and install in a single RUN instruction to avoid extra layers, e.g. apt-get update && apt-get install -y … or apk add ….
Install only the packages needed for the final runtime; move build‑time tools (e.g., vim, compilers) to separate Dockerfiles used only for building.
3. Add Custom Files
Prefer COPY over ADD unless you need URL download or archive extraction.
Place application code in conventional directories (e.g., /usr/src for Python).
Set file permissions in the source repository so that no extra RUN chmod layer is required.
4. Define Runtime User Permissions
Containers run as root by default. Use docker run --user UID:GID … or create a non‑root user in the Dockerfile (e.g., RUN adduser --uid 1000 --disabled-password appuser) and switch to it with USER appuser.
Avoid running application processes as root whenever possible.
5. Expose Ports Carefully
Expose non‑privileged ports (e.g., 8080) in the container and map them to privileged host ports only when required, so the container process can stay non‑root.
6. Define an Entrypoint
Simple case: ENTRYPOINT ["/usr/local/bin/app"].
Robust case: create a docker-entrypoint.sh script that reads environment variables, performs templating with envsubst, and then execs the main binary. Make the script executable and reference it with ENTRYPOINT ["/docker-entrypoint.sh"]. Official Elasticsearch and PostgreSQL entrypoint scripts illustrate this pattern.
7. Choose a Configuration Strategy
Use application‑specific configuration files when the format is complex.
Prefer environment variables for simple 12‑factor‑compatible configuration; you can still generate config files at container start with envsubst.
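The robust entrypoint from sections 6 and 7, written out as an added example (it is not code from the original article or from the Elasticsearch or PostgreSQL images). The variable names APP_PORT and APP_LOG_LEVEL, the template and config paths, and the app's --config flag are assumptions; the script also enforces the non-root user and non-privileged port advice from sections 4 and 5.

```shell
#!/bin/sh
# docker-entrypoint.sh (added example): validate env, render config, exec app.
set -eu

# Assumed paths. The rendered config goes to /tmp because the non-root
# user normally cannot write under /etc.
TEMPLATE="${APP_TEMPLATE:-/etc/app/app.conf.template}"
CONFIG="${APP_CONFIG:-/tmp/app.conf}"

# Succeeds only for a purely numeric, non-privileged port (1024-65535).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Substitute only the named variables, so other "$..." text in the template
# stays literal and unrelated environment secrets never reach the config file.
render_config() {
    envsubst '${APP_PORT} ${APP_LOG_LEVEL}' < "$1" > "$2"
}

main() {
    export APP_PORT="${APP_PORT:-8080}" APP_LOG_LEVEL="${APP_LOG_LEVEL:-info}"
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to start as root; use USER or --user" >&2
        exit 1
    fi
    if ! valid_port "$APP_PORT"; then
        echo "APP_PORT must be 1024-65535, got '$APP_PORT'" >&2
        exit 1
    fi
    render_config "$TEMPLATE" "$CONFIG"
    # exec replaces the shell, so the app becomes PID 1 and receives the
    # SIGTERM that docker stop sends. --config is a hypothetical flag.
    exec /usr/local/bin/app --config "$CONFIG" "$@"
}

# Run main only when invoked under the entrypoint's name, so the functions
# above can be exercised on their own.
case "${0##*/}" in
    docker-entrypoint.sh) main "$@" ;;
esac
```

The image needs envsubst installed (it ships with the gettext package on both Alpine and Debian-based images).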
8. Externalize Persistent Data
Never store persistent data inside the image. Use Docker volumes or bind mounts. Ensure the host directory is owned by a non‑privileged UID/GID that matches the container user.
9. Handle Logging
Write logs to stdout and stderr so Docker can capture them (docker logs CONTAINER). For services that generate their own log files (e.g., Nginx access and error logs), mount a host directory and configure log rotation.
10. Rotate Log Files
If logs are written to files, set up host‑side rotation with tools such as logrotate to prevent disk exhaustion.
Reference: http://t.cn/ReT0AyJ
