Best Practices for Building Base Containers
Problem
I’ve gone through the process of building base containers several times and wanted to give others the guidance I remind myself of when starting out.
Solution
So, here are my commandments:
- Don’t build from scratch
- Avoid running as root
- Package a single app per container
- Properly handle PID 1, signal handling, and zombie processes
- Optimize for the Docker build cache
- Build the smallest image possible
- Reduce the amount of clutter in your image
- Clean temporary files
- Use vulnerability scanning in Container Registry
- Carefully consider whether to use a public image
- Properly tag images during build and when pulling an image use a specific version (not just latest)
- Be mindful of licenses
- Use native OS package manager (yum, apt, etc.) as much as possible
- During initialization scripts, explicitly set path to execution programs
- Set environment variables and unset sensitive ones
- Include documentation on usage
- Learn from vendor’s best practices
  - Building containerized applications with Red Hat
  - Project Atomic’s Container Best Practices Guide
  - Red Hat’s Container Security Guide
  - Google’s best practices
  - Docker’s best practices
  - Red Hat’s Getting Started with Containers
  - Red Hat’s Recommended Practices for Container Development
  - Red Hat’s for Migrating to Containerized Applications
  - Finding, Running, and Building Containers with podman, skopeo, and buildah
  - Creating and managing applications on OpenShift Container Platform
  - Creating and managing images and imagestreams in OpenShift Container Platform
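As an added example (not from this post or the linked repo), here is a Dockerfile that applies most of the commandments above in one place; the base image tag, the package names, the user id, the application file main.py and the APP_BOOTSTRAP_SECRET variable are assumptions for illustration, and the heredoc COPY needs BuildKit:

```dockerfile
# syntax=docker/dockerfile:1
# Pinned base image, never bare "latest"; the tag is an assumed example, pin the one you verified.
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4

# Usage documentation travels with the image as OCI labels; licence is declared, not guessed later.
LABEL org.opencontainers.image.title="myapp" \
      org.opencontainers.image.description="Single app: myapp HTTP service on port 8080" \
      org.opencontainers.image.licenses="Apache-2.0"

# Native package manager, minimal install, and cache cleanup in the SAME layer,
# otherwise the deleted files survive in an earlier layer and bloat the image.
RUN microdnf install -y shadow-utils python3 python3-pip && \
    microdnf clean all && \
    rm -rf /var/cache/yum /var/cache/dnf /tmp/*

# Explicit PATH and runtime settings; no secrets are baked in with ENV (they persist in image metadata).
ENV PATH=/usr/local/bin:/usr/bin:/bin \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

# Unprivileged system user (assumed uid 10001) for the application process.
RUN useradd --system --uid 10001 --no-create-home --shell /sbin/nologin app
WORKDIR /app

# Dependency manifest first: this layer stays in the build cache until requirements.txt changes.
COPY requirements.txt .
RUN pip3 install --no-cache-dir -r requirements.txt

# Application source last, since it changes most often and would invalidate everything below it.
COPY --chown=app:app . .

# Entrypoint script: absolute interpreter path, unset a bootstrap secret (assumed name) before the
# app starts, then exec so the app itself is PID 1 and receives SIGTERM instead of a shell.
COPY <<'EOF' /usr/local/bin/entrypoint.sh
#!/bin/sh
set -eu
unset APP_BOOTSTRAP_SECRET
exec /usr/bin/python3 /app/main.py "$@"
EOF
RUN chmod 0755 /usr/local/bin/entrypoint.sh

USER 10001
EXPOSE 8080
STOPSIGNAL SIGTERM
# If the app forks children it does not reap, start it with "docker run --init" so zombies are collected.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
```

Build with `docker build -t myapp:1.0.0 .` so the image carries a specific tag from the start rather than only `latest`.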
Summary
If you’re looking for some examples of containers I’ve built, check out this GitHub repo.