- container for application serving end-users
- Debian/Ubuntu bookworm slim base image => smaller image size, faster build
- multi-stage build
- discard build tools in final stage
- nearly 50% smaller image size compared to standard build
- optimized order of commands
- fewer layers to cache => faster build
- application code copied into the container near the end of the build, so changes made only to application code during development do not invalidate the earlier cached layers
- combined RUN, COPY and ADD commands, since each of them adds a layer
- option to remove Jupyter Notebook files if you are not using container for data science
- virtualenv for isolation
- non-root user (least privilege principle)
- container runs an application meant for end users: no write permission, no shell access
- healthcheck for a working (not just running) container
- no secrets stored in code, in environment variables, at build time, in build history, or in a secrets manager; no secrets written to logs
- Alpine Linux's base image is very small. However,
  - it uses some different components, e.g. musl libc instead of glibc
  - the image is small because many dependencies are absent; downloading them takes time and adds bloat
  - risk of breaking when running or updating/changing libraries during development
- tag images properly. :latest is NOT recommended.
- set memory and CPU limits
- secure network for running container
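The points above put together as an added example Dockerfile (not from the original notes): it assumes a Python application in `./app` started with `python -m app`, a `requirements.txt`, and a `/health` endpoint on port 8000.

```dockerfile
# syntax=docker/dockerfile:1
# Stage 1 (builder): compilers and pip caches stay here and are discarded.
FROM python:3.12-slim-bookworm AS builder

# Single RUN for the build toolchain; apt lists removed in the same layer.
RUN apt-get update \
    && apt-get install -y --no-install-recommends build-essential \
    && rm -rf /var/lib/apt/lists/*

# virtualenv isolates application packages from the system interpreter.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Dependency list copied before application code: this layer stays cached
# until requirements.txt itself changes (assumed file name).
COPY requirements.txt /tmp/requirements.txt
RUN pip install --no-cache-dir -r /tmp/requirements.txt

# Stage 2 (runtime): same slim base, only the populated virtualenv carried over.
FROM python:3.12-slim-bookworm

# System user with no home directory and no login shell (least privilege).
RUN groupadd --system app \
    && useradd --system --gid app --no-create-home --shell /usr/sbin/nologin app

COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /app
# Application code (assumed in ./app) copied last and owned by root: the app
# user cannot modify it, and code-only edits invalidate just this layer.
COPY --chown=root:root ./app ./

USER app
EXPOSE 8000

# Healthcheck hits an application endpoint (assumed /health on port 8000) with
# the interpreter already present, so no curl has to be installed. A non-2xx
# response raises HTTPError and the probe exits non-zero.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/health', timeout=2)"]

CMD ["python", "-m", "app"]
```

The read-only filesystem and resource limits are enforced at run time, e.g. `docker run --read-only --tmpfs /tmp --memory 512m --cpus 1 <image>:<version-tag>`.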