This is the demo repository for the talk "From Dockerfail to Dockerfile". It is based on the wordsmith repository. The purpose is to show how teams can start from a minimal dockerized app and work toward a production-ready deployment.
Disclaimer: the code is intentionally left agnostic to tools and vendors, and is NOT suited for production use.
The code is divided into 11 folders, each bringing an improvement on the previous one.
- minimal viable container running wordsmith demo
- syntactic check of the Dockerfile with hadolint
- semantic checks of the resulting Docker image with container-structure-test
- speed and network gains with caching good practices
- security and image size fixes with a multi-stage Dockerfile
- storing secrets away from code
- auditable track of dependencies
- increasing resiliency with healthchecks
- splitting demo app in multi-container deployment
- signing images to enforce trusted origin
- doing it all without Docker tooling
Prerequisites:
- shell
- docker 20+
- a docker hub account to push images (free)
- ggshield (client with valid API key)
- snyk (connected via docker scan --login)
- rename/copy .env-dist to .env
- open .env to complete configuration
export GITGUARDIAN_API_KEY=<xyz>
export REGISTRY=dockerfail
Apple M1 Chip: you need to force platform type like this:
export DOCKER_DEFAULT_PLATFORM=linux/arm64
- choose one of the 10 "dockerfails" to run the demo:
cd <dockerfail folder>
./build-ship-run.sh
- check running containers
docker ps
OR
docker service ls
- study the diffs from one folder to the next to understand how each step fixes the previous defect. For instance:
diff 00-base 01-hadolint
- set image tags by content and not by timestamp
- set labels on all resources to clean more easily
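One way to set image tags by content and not by timestamp, as listed above (an added example, not code from this repository): the tag is a hash of the build context's file paths and bytes, so rebuilding unchanged sources yields the same tag and any edit yields a new one. It assumes GNU find, sort, xargs and sha256sum; content_tag, image_ref and the image name passed to them are hypothetical, and REGISTRY is the variable from the configuration above.

```shell
#!/bin/sh
# Added example: derive an image tag from the content of a build context.

# content_tag DIR -> prints 12 hex characters that change only when a file's
# path or bytes change; mtime, ownership and build time are ignored.
content_tag() {
    dir=${1:-.}
    (
        cd "$dir" || exit 1
        # Hash every regular file, sorted by path under a fixed locale so the
        # order is identical on every machine. .git is skipped (assumption:
        # the Dockerfile does not copy it into the image).
        find . -type f ! -path './.git/*' -print0 |
            LC_ALL=C sort -z |
            xargs -0 -r sha256sum |
            sha256sum |
            cut -c1-12
    )
}

# image_ref NAME DIR -> prints "$REGISTRY/NAME:<content tag>"
# NAME is a hypothetical image name chosen by the caller.
image_ref() {
    tag=$(content_tag "$2") || return 1
    printf '%s/%s:%s\n' "${REGISTRY:-dockerfail}" "$1" "$tag"
}

# When called with NAME and DIR, print the reference to pass to
# `docker build -t`, for example:
#   docker build -t "$(image_ref my-image 00-base)" 00-base
if [ "$#" -ge 2 ]; then
    image_ref "$1" "$2"
fi
```

Because the tag depends only on the sources, two different tags always mean two different build contexts, which makes pushed images easier to trace back to the code that produced them.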
There are more Dockerfails out there! If you feel like contributing, feel free to submit a PR.
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.