goldbergyoni/nodebestpractices

Docker best practices - bullets and assignee

goldbergyoni opened this issue · 13 comments

We've gathered a comprehensive list of ideas for docker best practices in Node.js, see #620 . We should be ready to start writing now! 🎉

In order to harmonize our work, see below a list of practices and assignees. If you're interested in writing a bullet or more, please respond to this thread and I'll update the list.

The work process:

[ ] Choose authors - In this thread, we assign bullets to writers
[ ] TOC - Each author shares an abstract TOC in a dedicated issue. This allows us to brainstorm a bit and collect ideas before writing
[ ] TOC - Each writes his/her bullet and PR to the docker-best-practices branch

Best practices list and their assignee

✅ Title: Clean npm cache
Gist: 'npm ci --production && npm cache clean' shaves tens of MBs from the image
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: TBD

✅ Title: Bootstrap the code using 'node' command, avoid 'npm run' scripts
Gist: 'npm start' won't pass the KILL signal to the process, which is very frequent in environments with dynamic scheduling like k8s; this will prevent a graceful shutdown
Assignee: 🙋‍♀️ @kevynb
Abstract: #724

✅ Title: Install packages for production
Gist: When running npm install in the docker image, we should make sure to only install needed packages by running with the --production flag
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: #699

✅ Title: Lint your Dockerfile
Gist: On the errors that linters can prevent
Assignee: 🙋‍♀️ @js-kyle
Abstract: TBD

✅ Title: Utilize caching for better build time
Gist: On the benefit of layers, practical examples like copying package.json first and then the rest
Assignee: 🙋‍♀️ @kevynb
Abstract: #734

✅ Title: Set Docker memory limits which are on par with the v8 memory limit
Gist: In recent versions, v8 memory allocation is configurable; Docker & k8s also allow setting quotas, so these should now be synchronized
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: TBD

✅ Title: Scan your image for vulnerabilities
Gist: Explain why we need another thing beyond npm scanning
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: #698

✅ Title: Use multistage builds
Gist: All the benefits of multi-stage, for example to remove secrets and dev tools
Assignee: 🙋‍♀️ Bruno Scheufler @BrunoScheufler
Abstract: #711

✅ Title: Don't use "latest", use a digest
Gist: On the need for an explicit image reference
Assignee: @js-kyle

✅ Title: Prefer smaller images
Gist: It's hard to make a strict call between slim and alpine, but explain about the need for smaller images and reduced attack surface
Assignee: 🙋‍♀️ Bruno Scheufler @BrunoScheufler
Abstract: #713

✅ Title: Graceful shutdown
Gist: When a dockerized runtime kills a container, exiting efficiently makes the difference between disappointing ~1000 users vs zero errors
Assignee: 🙋‍♀️ Yoni Goldberg @goldbergyoni
Abstract: #705

✅ Title: Avoid sending secrets as build time arguments
Gist: On why this is an anti-pattern as it stays within the image, instead use multi-stage build
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: #700

✅ Title: On the importance of docker ignore
Gist: How to prevent dev artifacts from leaking into production
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: #270

✅ Title: Avoid inconsistent images
Gist: On why to avoid the 'apt-get update' style of Dockerfile command, which will produce different images all the time
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: TBD

✅ Title: Avoiding any process managers
Gist: On why it is bad to hide errors from the underlying orchestrator (e.g. k8s)
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: #704

✅ Title: A generic list of ideas
Gist: Good practices that are non-Node-related, like avoiding unprivileged containers, prefer COPY over ADD
Assignee: 🙋‍♀️ @goldbergyoni
Abstract: #708

cc' buddies from the original thread:
@BrunoScheufler @js-kyle @kevynb @sagirk @bobaaaaa @sylvainar @pawelangelow
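A Dockerfile that exercises several of the bullets above in one place, added here as an illustration; it is not taken from the nodebestpractices repository or from any of the linked abstracts. It assumes an app entry point `server.js`, a committed `package-lock.json`, a private-registry token passed as the build argument `NPM_TOKEN`, and a 512 MiB container memory limit set at run time; all of these are made up for the example.

```dockerfile
# Added example, not from the nodebestpractices repo. Assumes server.js is the
# entry point and package-lock.json is committed (both assumptions).

# ---- Stage 1: install dependencies -------------------------------------
# Pin the base image to an explicit tag instead of "latest". Pinning to a
# digest (node:12-slim@sha256:<digest>) is stricter; the digest is a
# placeholder here, look it up for the image you actually pull.
FROM node:12-slim AS build
WORKDIR /app

# Copy the manifests first so the dependency layer is cached until they change;
# copying the whole tree first would invalidate that cache on every code edit.
COPY package.json package-lock.json ./

# A build-time secret lives only in this stage. The ARG value ends up in this
# stage's layer metadata, but nothing of this stage reaches the runtime image
# except the files copied out below, so the token never ships.
ARG NPM_TOKEN
RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc \
 && npm ci --production \
 && npm cache clean --force \
 && rm -f .npmrc
# npm ci honours the lockfile (reproducible install), --production skips
# devDependencies, and the cache clean drops the tarball cache from the layer.

COPY . .

# ---- Stage 2: runtime image ---------------------------------------------
FROM node:12-slim
ENV NODE_ENV=production
WORKDIR /app

# Only the installed app is copied over; no build tools, no .npmrc, no token.
# Files are owned by the unprivileged "node" user that the official image ships.
COPY --from=build --chown=node:node /app /app
USER node

EXPOSE 3000

# Start node directly so SIGTERM from the orchestrator reaches the process;
# via "npm start" the signal stops at npm and the app gets no chance to drain.
# The V8 heap cap is sized below the assumed 512 MiB container limit
# (docker run --memory=512m), leaving headroom for non-heap memory.
CMD ["node", "--max-old-space-size=384", "server.js"]
```

Pair this with a `.dockerignore` that excludes `node_modules`, `.git`, `.npmrc`, `.env` and test fixtures, otherwise `COPY . .` drags local artifacts into the build stage. The two-stage layout is what makes the secret handling work: the runtime image is assembled only from files explicitly copied out of the build stage, so an inspection of the final image's layers shows neither the `ARG` nor the generated `.npmrc`.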

I'll take Bootstrap the code using 'node' command, avoid 'npm run' scripts and Utilize caching for better build time.

@kevynb Perfect, updated the list.

@BrunoScheufler @js-kyle @sagirk See if you want to take some bullet? I'll write the rest

Assigned myself a couple

@js-kyle @kevynb @BrunoScheufler Plan is ready, let's go down on it!

I suggest sharing an abstract TOC to solicit feedback before writing, here's mine for example #698

This way, we may inspire each other with ideas and then the writing process will become the easier part

Do we need a base branch set up for this? I could do that?

Yes! 🍹

@js-kyle

Cool, I've pushed a branch called docker_section which has all the Docker bullet points created, with their sections.

At some point after we've finished writing we can tweak the ordering, we probably want the highest impact & best quality bullets nearer the top

@js-kyle Great and makes sense. I'll start writing today - Shall we PR to this branch or push with no revision and then conduct a review cycle on PRing to master?

At the end, let's also copy these bullets to a Medium article?

@BrunoScheufler @kevynb

@goldbergyoni I think PRing to the feature branch makes sense 👍 Then, once all content is added, we can go over it once more to organize the bullet points in order as @js-kyle mentioned and extract it to the article

@js-kyle @kevynb @BrunoScheufler I suggest here a sort for the bullets which is based on importance and logical dependencies. Let me know your thoughts?

  1. Use multistage builds
  2. Bootstrap the code using 'node' command, avoid 'npm run' scripts
  3. Graceful shutdown
  4. Set Docker memory limits
    ...
    Utilize caching for better build time
    Don't use "latest", use a digest or specific tag
    Get rid of secrets
    Install packages for production
    Scan your image for vulnerabilities
    Prefer smaller images
    Dockerignore
    Clean npm cache
    A generic list of ideas
    Last: Lint your Dockerfile

I would put dockerignore higher because it's an easy thing to do.

    Use multistage builds
    Bootstrap the code using 'node' command, avoid 'npm run' scripts
    Install packages for production
    Dockerignore
    Graceful shutdown
    Set Docker memory limits
    Utilize caching for better build time
    Don't use "latest", use a digest or specific tag
    Prefer smaller images
    Get rid of secrets
    Scan your image for vulnerabilities
    Clean npm cache
    A generic list of ideas
    Last: Lint your Dockerfile

@kevynb Will follow your suggestion

stale commented

Hello there! 👋
This issue has gone silent. Eerily silent. ⏳
We currently close issues after 100 days of inactivity. It has been 90 days since the last update here.
If needed, you can keep it open by replying here.
Thanks for being a part of the Node.js Best Practices community! 💚