DOK-SC1099: A keyword is found immediately following a `#`. In order for the `#` to start a comment, it needs to come after a word boundary such as a space.

This warning is triggered when an unquoted literal string is found suspiciously sandwiched between two double-quoted strings.

DOK-SC1066: `$` on the left side of an assignment. Unlike Perl or PHP, `$` is not used when assigning to a variable.

DOK-SC2002: Useless `cat` detected. `cat` is a tool for concatenating files. Reading a single file as input to a program is considered a Useless Use Of Cat (UUOC). It is more efficient and less roundabout to simply use redirection. This is especially true for programs that can benefit from seekable input, like `tail` or `tar`. Many tools also accept optional filenames, e.g. `grep -q foo file` instead of `cat file | grep -q foo`.

You can never rely on the assumption that the `latest` tag points to a specific version of an image. Explicitly tagging the image with a specific version (e.g. `ubuntu:12.04`) ensures that your application will not break due to random changes across different versions of an image you depend on.

DOK-DL3028 (`gem install`): Version pinning forces the build to retrieve a particular version regardless of what's in the cache. This technique can also reduce failures due to unanticipated changes between different versions of required packages.

DOK-SC1097 (`==` detected): `==` is being used in an unexpected way. The two most common reasons for this are:
- You wanted to assign a value but accidentally used `==` instead of `=`.

DOK-DL3009 (`apt-get` lists after installing anything): Cleaning up the apt cache and removing `/var/lib/apt/lists` helps keep the image size down. Since the `RUN` statement starts with `apt-get update`, the package cache will always be refreshed prior to `apt-get install`.

DOK-DL3000 (`WORKDIR`): By using absolute paths you will not run into problems when a previous `WORKDIR` instruction changes. You also often don't know the `WORKDIR` context of your base container.

For some POSIX commands it makes no sense to run them in a Docker container because they are bound to the host or are otherwise dangerous (like `shutdown`, `service`, `ps`, `free`, `top`, `kill`, `mount`, `ifconfig`). Interactive utilities also don't make much sense (`nano`, `vim`).

DOK-DL3002 (`root` when the Dockerfile completes): Switching to the root `USER` opens up certain security risks if an attacker gets access to the container. In order to mitigate this, switch back to a non-privileged user after running the commands you need as root.

Using the `latest` tag can cause breakages when a new version of an image is released. You can never rely on the assumption that the `latest` tag points to a specific version of an image.

DOK-DL3013 (`pip`): Version pinning forces the build to retrieve a particular version regardless of what's in the cache. This technique can also reduce failures due to unanticipated changes in required packages.

DOK-DL3014 (`-y` switch): Without the `-y`/`--assume-yes` option it might be possible for the build to break without human intervention.

DOK-DL3022: `COPY --from` should reference a previously defined `FROM` alias. Trying to copy from a missing image alias results in an error.

DOK-DL3023: `COPY --from` cannot reference its own `FROM` alias. Trying to copy from the same image the instruction is running in results in an error.

DOK-DL3024: `FROM` aliases (stage names) must be unique. Defining duplicate stage names results in an error.

DOK-DL4004: Multiple `ENTRYPOINT` instructions detected. If you list more than one `ENTRYPOINT` then only the last `ENTRYPOINT` command will be set up, making prior `ENTRYPOINT` setups redundant.

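The Dockerfile rules above (DL3000, DL3002, DL3009, DL3013, DL3014, DL3022-DL3024, DL4004 and the `latest` tag) combined in one multi-stage build, as an added example that is not part of the original page. The base image, package names, pinned versions, stage name and user name are constructed placeholders; each comment names the rule the line addresses and the form that would be flagged.

```dockerfile
# Added example (not from the original page). Constructed placeholders:
# image tag, package versions, stage name "builder", user "app".

# latest tag: "FROM python:latest" would be flagged; pin a release tag.
FROM python:3.12-slim AS builder

# DL3000: a relative "WORKDIR app" would be flagged; use an absolute path.
WORKDIR /app

# DL3014 + DL3009 in a single RUN: "-y" avoids an interactive prompt,
# apt-get update in the same layer keeps the cache fresh before install,
# and removing /var/lib/apt/lists keeps the layer small.
# (Package version is illustrative; pin to what your mirror provides.)
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
        curl=7.88.1-10+deb12u5 \
 && rm -rf /var/lib/apt/lists/*

# DL3013: pin the pip package version instead of "pip install requests".
RUN pip install --no-cache-dir requests==2.31.0

COPY . /app

# DL3022 / DL3023 / DL3024: the stage name "builder" is unique, and this
# stage copies from it rather than from itself or from an undefined alias.
FROM python:3.12-slim
WORKDIR /app
COPY --from=builder /app /app

# DL3002: create an unprivileged user and switch to it so the image does
# not finish with USER root.
RUN groupadd --system app && useradd --system --gid app app
USER app

# DL4004: exactly one ENTRYPOINT; a second one would silently replace it.
ENTRYPOINT ["python", "/app/run.py"]
```

Running hadolint over this file should report none of the rules listed above; removing the `USER app` line or changing the base tag to `latest` reproduces the corresponding warning.
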
DOK-SC1098: `eval` used with special characters. Shells differ widely in how they handle unescaped parentheses in `eval` expressions. `eval foo=bar` is allowed by dash, bash and ksh.