Master Dockerfile: Essential Commands and Optimization Tips for Lean Images

After covering Docker basics, this article introduces Dockerfile, a text file that contains a series of instructions to assemble Docker images, where each instruction performs a specific action like installing packages, copying files, or defining the startup command.

Key Dockerfile Instructions

FROM : Set the base image for a new image.

RUN : Execute a command in a new layer and commit the result.

CMD : Specify the default command to run when the container starts.

COPY : Copy files and directories from the build context into the container filesystem.

ADD : Similar to COPY but also supports archive extraction.

ENV : Set environment variables.

EXPOSE : Declare the ports the container listens on at runtime.

ENTRYPOINT : Configure the container to run as an executable.

VOLUME : Create a mount point for external storage.

WORKDIR : Set the working directory for subsequent instructions.

Dockerfile Best Practices

Use Minimal Base Images

Choosing lightweight base images reduces final image size and attack surface.

Alpine Linux : A popular minimal image (~5 MB).

<code>FROM alpine:latest</code>

Advantages: small size, high security, fast download. Drawbacks: may require extra configuration; some packages differ because it uses musl instead of glibc .

Scratch : An empty image suitable for statically compiled binaries (Go, Rust).

<code>FROM scratch
COPY myapp /myapp
CMD ["/myapp"]</code>

Reduce Layer Count

Each RUN , COPY , and ADD creates a new layer. Merging commands reduces layers and overall image size.

Inefficient:

<code>RUN apt-get update
RUN apt-get install -y python
RUN apt-get install -y pip</code>

Efficient:

<code>RUN apt-get update && apt-get install -y \
    python \
    pip \
 && rm -rf /var/lib/apt/lists/*</code>

Optimize Layer Caching

The order of instructions affects cache efficiency.

Copy dependencies first : Copy files that change rarely (e.g., package.json or requirements.txt ) before copying the rest of the source code.

<code>COPY package.json .
RUN npm install
COPY . .</code>

Minimize early‑layer changes : Changes in early layers invalidate caches for all subsequent layers.

Install Dependencies Wisely

Remove temporary files and caches after installing packages to shrink the image.

<code>RUN pip install --no-cache-dir -r requirements.txt</code>

Manage Secrets Carefully

Never embed passwords or API keys directly in a Dockerfile.

Use environment variables at runtime to pass secrets.

Leverage Docker secrets via Docker Swarm or Kubernetes.

Optimize Image Size

Delete unnecessary files in the same RUN command to avoid persisting them in intermediate layers.

<code>RUN apt-get update && apt-get install -y --no-install-recommends package \
    && apt-get clean && rm -rf /var/lib/apt/lists/*</code>

Minimize installed packages using flags like --no-install-recommends .

<code>RUN apt-get install -y --no-install-recommends package</code>

Combine installation and cleanup in a single RUN statement for maximum size reduction.

Use optimization tools such as Docker Slim to automatically analyze and shrink images.

Leverage .dockerignore

The .dockerignore file excludes files and directories from the build context, reducing data sent to the Docker daemon and protecting sensitive information.

Example .dockerignore:

<code>.git
node_modules
Dockerfile
.dockerignore</code>

Adopt Multi‑Stage Builds

Multi‑stage builds let you use intermediate images and copy only the necessary artifacts into the final image.

<code># Build stage
FROM golang:1.16-alpine AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

# Final image
FROM alpine:latest
WORKDIR /app
COPY --from=builder /app/myapp .
CMD ["./myapp"]</code>

Run as a Non‑Root User

Running applications as a non‑root user enhances security.

<code>RUN adduser -D appuser
USER appuser</code>

Scan for Vulnerabilities

Use scanning tools such as Trivy, Anchore, or Clair to identify known vulnerabilities.

Regularly update base images and dependencies to include security patches.

Logging and Monitoring

Direct logs to STDOUT/STDERR for easier collection and analysis.

Integrate monitoring systems like Prometheus or the ELK Stack to monitor container health.

Case Study: Optimized Node.js Dockerfile

Below is an optimized Dockerfile for a Node.js application.

<code># Use Alpine‑based official Node.js image
FROM node:14-alpine

# Set working directory
WORKDIR /app

# Copy package files and install production dependencies
COPY package*.json ./
RUN npm ci --only=production

# Copy the rest of the application code
COPY . .

# Create a non‑root user and switch to it
RUN addgroup appgroup && adduser -S appuser -G appgroup
USER appuser

# Expose application port
EXPOSE 3000

# Define the command to run the app
CMD ["node", "app.js"]
</code>

Additional Recommendations

Pin versions : Use specific versions of base images and packages for reproducible builds.

Stay updated : Regularly refresh dependencies and base images to incorporate security fixes.

Add metadata : Use the LABEL instruction to provide image metadata.

<code>LABEL maintainer="[email protected]"</code>

Set proper permissions on files and directories.

Avoid root user : Always switch to a non‑root user before running the application.

Conclusion

Creating efficient Docker images is both an art and a science. By following Dockerfile best practices—choosing minimal base images, reducing layers, optimizing caching, managing secrets, and employing multi‑stage builds—you can significantly improve container performance, security, and maintainability. Continuously update your knowledge and adopt new tools in the evolving container ecosystem, as optimization is an ongoing process with always room for improvement.