Either use `wget` or `curl` but not both DOK-DL4001
Don't install two tools that have the same effect; the second one is just additional cruft to ship and keep patched.
Use `function_name()` and refer to passed parameters as `$1`, `$2`, etc. Shell script functions behave just like scripts and other commands:
- They always take 0 to N parameters, referred to by `$1`, `$2`, etc.
- They cannot declare parameters by name.
Delete the apt-get lists after installing anything DOK-DL3009
Cleaning up the apt cache and removing /var/lib/apt/lists helps keep the image size down. Since the RUN statement starts with apt-get update, the package cache will always be refreshed prior to installing packages, so the downloaded lists have no use in the finished image. Remove them in the same RUN instruction that created them (for example `rm -rf /var/lib/apt/lists/*`); a later RUN cannot shrink a layer that has already been committed.
By using absolute paths you will not run into problems when a previous WORKDIR instruction changes. You also often don't know the WORKDIR context of your base image.
For some POSIX commands it makes no sense to run them in a Docker container, because they are bound to the host or are otherwise dangerous (like `shutdown`, `service`, `ps`, `free`, `top`, `kill`, `mount`, `ifconfig`). Interactive utilities also don't make much sense in a RUN instruction, where there is no terminal to drive them (`nano`, `vim`).
The last USER should not be root when the Dockerfile completes DOK-DL3002
Switching to the root USER opens up certain security risks if an attacker gets access to the container: a process compromised at runtime then holds root inside the container, together with every capability the runtime left it. To mitigate this, switch back to a non-privileged user after running the commands you need as root.
Use WORKDIR to switch to a directory DOK-DL3003
Avoid running `cd` in a subshell. Most commands can work with absolute paths, and in most cases it is not necessary to change directories. Each RUN instruction executes in a fresh shell, so a `cd` inside it does not carry over to the next instruction anyway. Docker provides the WORKDIR instruction if you really need to change the current working directory.
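A Dockerfile applying the WORKDIR and USER guidance above, added here as an illustration (it is not the page's own code); the base image tag, the user name `app` and the build and entrypoint scripts are assumptions:

```dockerfile
# Added example, not from the original page: absolute WORKDIR, no "cd" in RUN,
# and a non-root account as the last USER. Tag, user and scripts are assumptions.
FROM debian:12.5

# Work that genuinely needs root comes first: create the runtime account.
RUN useradd --system --uid 10001 --no-create-home --shell /usr/sbin/nologin app

# Absolute path: unaffected by whatever WORKDIR the base image may have set.
WORKDIR /srv/app

# Left owned by root (the default): the runtime user can read and execute the
# code but cannot rewrite it. Give it a separate writable directory instead.
COPY . .
RUN install -d -o app -g app /srv/app/data

# Wrong way to "move into" a directory; each RUN runs in a fresh shell, so the
# cd is forgotten as soon as the instruction finishes:
#   RUN cd /srv/app && ./build.sh
# Right way: rely on WORKDIR and absolute paths.
RUN /srv/app/build.sh

# Last USER is unprivileged, so the container's processes do not start as root.
USER app

ENTRYPOINT ["/srv/app/entrypoint.sh"]
```

The root-owned code plus a single app-owned data directory is the least-privilege split a reviewer usually asks for: the process can write its state but not its own executable.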
The `latest` tag can cause breakages when a new version of an image is released. You can never rely on the assumption that the `latest` tag points to a specific version of an image.
Version pinning forces the build to retrieve a particular version regardless of what's in the cache. This technique can also reduce failures due to unanticipated changes in required packages. Note that Debian and Ubuntu mirrors keep only the current version of a package, so a pinned build fails loudly once that version is superseded; that is the intended trade-off, and the fix is to review and bump the pin. You can read more about version pinning in Docker's Dockerfile best-practices documentation.
Without the `-y`/`--assume-yes` option, apt-get prompts for confirmation; a non-interactive build cannot answer that prompt, so the build breaks without human intervention.
You can never rely on the assumption that the `latest` tag points to a specific version of an image. Explicitly tagging the image with a specific version (e.g. ubuntu:12.04) ensures that your application will not break due to random changes across different versions of an image you depend on. Note that any tag, including a specific one, can be re-pointed by the publisher; only pinning by digest (`image:tag@sha256:...`) guarantees the exact same image on every build.
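The apt-get and tagging rules above combined in one Dockerfile, added here as an illustration rather than taken from the page. The tag, the digest placeholder and the package version strings are assumptions; resolve the real ones (`docker buildx imagetools inspect debian:12.5`, and `apt-cache policy curl` inside the base image) before copying them:

```dockerfile
# Added example, not from the original page. Tag, digest and package versions
# below are placeholders to be resolved against the real registry and mirror.

# Anti-pattern: floating tag, unpinned packages, a prompt nobody can answer,
# and list data committed into its own layer where a later "rm" cannot shrink it:
#   FROM debian
#   RUN apt-get update
#   RUN apt-get install curl
#   RUN rm -rf /var/lib/apt/lists/*

# Pinned tag. Tags are mutable, so for a reproducible build pin the digest too:
#   FROM debian:12.5@sha256:<digest reported by docker buildx imagetools inspect>
FROM debian:12.5

# update + install + cleanup in ONE instruction: the update cannot be served
# from a stale cached layer, -y answers the confirmation prompt, versions are
# pinned, and the lists are removed before the layer is committed.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        ca-certificates=20230311 \
        curl=7.88.1-10+deb12u5 \
 && rm -rf /var/lib/apt/lists/*
```

Splitting `apt-get update` into its own RUN is the classic failure: Docker caches that layer, a later edit to the install line runs against stale lists, and the build dies with 404s. Keeping the three steps in one instruction is what makes the cleanup effective and the update fresh.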
COPY --from should reference a previously defined FROM alias
Trying to copy from a missing image alias results in an error.
COPY --from cannot reference its own FROM alias
Trying to copy from the same image the instruction is running in results in an error.
FROM aliases (stage names) must be unique DOK-DL3024
Defining duplicate stage names results in an error.
Multiple ENTRYPOINT instructions detected DOK-DL4004
If you list more than one ENTRYPOINT, only the last ENTRYPOINT is set up, making the earlier ENTRYPOINT instructions redundant.
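A two-stage Dockerfile illustrating the three alias rules and the single-ENTRYPOINT rule above; it is an added example, not code from the page, and the module path, base images and listen port are assumptions:

```dockerfile
# Added example, not from the original page. Paths and base images are assumptions.

# Stage alias "builder": each alias may be defined only once in the file.
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /server ./cmd/server

# Second stage with a different alias: minimal runtime, no shell, no package
# manager, and a pre-defined non-root user.
FROM gcr.io/distroless/static-debian12 AS runtime

# OK: "builder" was defined by an earlier FROM.
COPY --from=builder /server /server

# Build errors, shown for contrast (commented out):
#   COPY --from=bulider /server /server     # alias never defined
#   COPY --from=runtime /server /server     # a stage cannot copy from itself
#   FROM golang:1.22 AS builder             # duplicate alias

USER nonroot:nonroot

# Exactly one ENTRYPOINT. A second one would silently replace it; keep
# per-deployment arguments in CMD instead.
ENTRYPOINT ["/server"]
CMD ["--listen=:8080"]
```

Only the artifact crosses the stage boundary, so the toolchain, module cache and source never reach the runtime image; that is the security payoff of getting the aliases right.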
Do not use apt as it is meant to be an end-user tool.
apt is discouraged by the Linux distributions as an unattended tool, as its interface may change between versions (apt itself warns: "apt does not have a stable CLI interface. Use with caution in scripts."). Better use the more stable apt-get.
Once a package is installed, it does not need to be re-installed and the Docker cache can be leveraged instead. Since the pip cache makes the images larger and is not needed, it's better to disable it with `pip install --no-cache-dir`.
Run `yarn cache clean` after `yarn install`
yarn keeps a local cache of downloaded packages. Not cleaning cached package data after installation can result in higher image sizes. It is always recommended to clean the cached packages after installing them, in the same RUN instruction as the install, since a cache deleted in a later instruction still sits in the earlier layer.
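The pip and yarn cache rules above in one Dockerfile, added as an illustration (not the page's code); the base tags, a `build` script in package.json that emits `dist/`, the requirements file and the `app` package are assumptions:

```dockerfile
# Added example, not from the original page. Tags, files and scripts are assumptions.

# Front-end stage: the lockfile is honoured and the yarn cache is removed in the
# same RUN, so it never reaches a committed layer.
FROM node:20-bookworm-slim AS frontend
WORKDIR /ui
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile \
 && yarn cache clean
COPY . .
RUN yarn build

# Runtime stage: pip keeps no download/wheel cache; Docker's layer cache already
# makes rebuilds cheap while requirements.txt is unchanged.
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY --from=frontend /ui/dist /app/static
COPY app /app/app
USER 10001
ENTRYPOINT ["python", "-m", "app"]
```

If the requirements file carries hashes, add `--require-hashes` to the pip line; the cache rule and the integrity check are independent, but both belong on the same install step.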
A keyword is found immediately following a `#`. In order for the `#` to start a comment, it needs to come after a word boundary such as a space.