I’ve gone through the process of building base containers several times and wanted to provide others with guidance on what I remind myself of when starting out.

So, here are my commandments:

  1. Don’t build from scratch (start from a maintained base image rather than an empty one)
  2. Avoid running as root
  3. Package a single app per container
  4. Properly handle PID 1, signal handling, and zombie processes
  5. Optimize for the Docker build cache
    • Lay out the build context following the Filesystem Hierarchy Standard (FHS) so a single COPY command places everything into the target container
  6. Build the smallest image possible
    • Reduce the amount of clutter in your image
    • Clean temporary files (in the same layer that created them, or they remain in the image)
  7. Use vulnerability scanning in Container Registry
    • Carefully consider whether to use a public image
  8. Properly tag images during build, and when pulling an image use a specific version (a pinned tag, or better a digest, not just latest)
  9. Be mindful of licenses
  10. Use the native OS package manager (yum, apt, etc.) as much as possible
  11. In initialization scripts, explicitly set the path to every program you execute
  12. Set environment variables, and unset sensitive ones
  13. Set standard identifiers
  14. Include documentation on usage
  15. Learn from the vendor’s best practices

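To show how the commandments fit together in one build, here is an added example Dockerfile. It is not taken from the author’s repo; the base image tag, the app name `svc`, the `rootfs/` layout in the build context, the label values and the entrypoint script name are all assumptions made for illustration. Numbered comments refer back to the list above.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the author's code. Image tag, "svc", rootfs/ layout,
# label values and script names are illustrative assumptions.

# 1, 8: start from a maintained base image and pin an explicit tag, never :latest.
# For reproducible pulls also pin the digest: debian:12-slim@sha256:<digest from your registry>.
FROM debian:12-slim

# 13, 9, 14: standard OCI labels identify the image, its licence and where its docs live.
LABEL org.opencontainers.image.title="svc" \
      org.opencontainers.image.version="1.0.0" \
      org.opencontainers.image.licenses="Apache-2.0" \
      org.opencontainers.image.source="https://example.com/org/svc"

# 10, 6: install through the OS package manager only what the app needs
# (tini gives us a proper PID 1 for commandment 4), and remove package caches
# in the SAME layer so they never end up in the image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends tini ca-certificates python3 \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# 7 (commandment 2 in the list): a dedicated system user with no shell and no home directory.
RUN groupadd --system svc \
 && useradd --system --gid svc --no-create-home --shell /usr/sbin/nologin svc

# 12: non-sensitive configuration via ENV. Secrets must NOT go here or in ARG;
# both are baked into image layers and visible in `docker history`.
ENV SVC_PORT=8080 \
    PYTHONUNBUFFERED=1

# 4, 11, 12: the init script uses absolute paths, drops any secret variables
# that may have leaked into the environment, and exec's the app so it becomes
# the direct child of tini (no intermediate shell swallowing signals).
COPY <<'EOF' /usr/local/bin/svc-entrypoint.sh
#!/bin/sh
set -eu
# 12: never let orchestrator- or build-time secrets reach the app's environment.
unset DB_PASSWORD API_TOKEN
# 11: absolute paths; do not rely on $PATH resolution inside the container.
exec /usr/bin/python3 /opt/svc/app.py "$@"
EOF
RUN chmod 0755 /usr/local/bin/svc-entrypoint.sh

# 5: the build context's rootfs/ directory mirrors the FHS
# (rootfs/opt/svc/app.py, rootfs/etc/svc/config.toml, ...), so one COPY places
# everything. It is the last step so app changes do not invalidate the cached
# package layers above.
COPY rootfs/ /

# 3, 7: one app, one process, running as the unprivileged user.
USER svc
EXPOSE 8080

# 4: tini as PID 1 reaps zombies and forwards signals; exec form, so no shell
# sits between the runtime and the process receiving SIGTERM.
ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/svc-entrypoint.sh"]
```

Build it with an explicit tag (`docker build -t svc:1.0.0 .`), then scan the pushed image in your registry (or locally, for example with `trivy image svc:1.0.0`) before anyone deploys it. Anything the app needs only at build time, such as a private package index token, belongs in a BuildKit secret mount (`RUN --mount=type=secret,id=...`), and runtime secrets should be injected by the orchestrator at start-up, never with ENV or ARG.
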
If you’re looking for some examples of containers I’ve built, check out this GitHub repo.