We've gathered a comprehensive list of ideas for docker best practices in Node.js, see #620 . We should be ready to start writing now! 🎉
In order to harmonize our work, see below a list of practices and assignees. If you're interested in writing a bullet or more, please respond to this thread and I'll update the list.
The work process:
[ ] Choose authors - In this thread, we assign bullets to writers
[ ] TOC - Each author shares an abstract TOC in a dedicated issue. This allows us to brainstorm a bit and collect ideas before writing
[ ] TOC - Each author writes his/her bullet and opens a PR to the docker-best-practices branch
Best practices list and their assignees
✅ Title: Clean npm cache
Gist: 'npm ci --production && npm cache clean' shaves tens of MBs from the image
Assignee: 🙋♀️ @goldbergyoni
Abstract: TBD
✅ Title: Bootstrap the code using 'node' command, avoid 'npm run' scripts
Gist: 'npm start' won't pass the KILL signal to the process, which is very frequent in environments with dynamic scheduling like k8s; this will prevent a graceful shutdown
Assignee: 🙋♀️ @kevynb
Abstract: #724
✅ Title: Install packages for production
Gist: When running npm install in the docker image, we should make sure to only install needed packages by running with the --production flag
Assignee: 🙋♀️ @goldbergyoni
Abstract: #699
✅ Title: Lint your Dockerfile
Gist: On the errors that linters can prevent
Assignee: 🙋♀️ @js-kyle
Abstract: TBD
✅ Title: Utilize caching for better build time
Gist: On the benefit of layers, practical examples like copying package.json first and then the rest
Assignee: 🙋♀️ @kevynb
Abstract: #734
✅ Title: Set Docker memory limits which are on par with the v8 memory limit
Gist: In recent versions, v8 memory allocation is configurable; Docker & k8s also allow setting quotas, so these should now be synchronized
Assignee: 🙋♀️ @goldbergyoni
Abstract: TBD
✅ Title: Scan your image for vulnerabilities
Gist: Explain why we need another thing beyond npm scanning
Assignee: 🙋♀️ @goldbergyoni
Abstract: #698
✅ Title: Use multistage builds
Gist: All the benefits of multi-stage, for example to remove secrets and dev tools
Assignee: 🙋♀️ Bruno Scheufler @BrunoScheufler
Abstract: #711
✅ Title: Don't use "latest", use a digest
Gist: On the need for an explicit image reference
Assignee: @js-kyle
✅ Title: Prefer smaller images
Gist: It's hard to make a strict call between slim and alpine, but explain about the need for smaller images and reduced attack surface
Assignee: 🙋♀️ Bruno Scheufler @BrunoScheufler
Abstract: #713
✅ Title: Graceful shutdown
Gist: When a dockerized runtime kills a container, exiting efficiently makes the difference between disappointing ~1000 users and zero errors
Assignee: 🙋♀️ Yoni Goldberg @goldbergyoni
Abstract: #705
✅ Title: Avoid sending secrets as build time arguments
Gist: On why this is an anti-pattern, as it stays within the image; instead use a multi-stage build
Assignee: 🙋♀️ @goldbergyoni
Abstract: #700
✅ Title: On the importance of docker ignore
Gist: How to prevent dev artifacts from leaking into production
Assignee: 🙋♀️ @goldbergyoni
Abstract: #270
✅ Title: Avoid inconsistent images
Gist: On why to avoid 'apt-get update'-style Dockerfile commands, which will produce different images all the time
Assignee: 🙋♀️ @goldbergyoni
Abstract: TBD
✅ Title: Avoiding any process managers
Gist: On why it is bad to hide errors from the underlying orchestrator (e.g. k8s)
Assignee: 🙋♀️ @goldbergyoni
Abstract: #704
✅ Title: A generic list of ideas
Gist: Good practices that are not Node-related, like avoiding unprivileged containers, preferring COPY over ADD
Assignee: 🙋♀️ @goldbergyoni
Abstract: #708
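As an added example that is not part of this thread or the repository's guide, here is a Dockerfile that combines several of the bullets above: a multi-stage build that keeps dev tools and build-time inputs out of the final image, manifest-first COPY for layer caching, a production-only install with the npm cache cleaned, a digest-pinned base image, a non-root user, a heap limit aligned with the container memory limit, and starting the app with `node` directly so signals reach it. The `node:14-slim` tag, the `PLACEHOLDER_DIGEST` value, the `dist/` output directory and `server.js` entry point are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: build ---------------------------------------------------------
# Dev dependencies, build tools and any build-time inputs stay in this stage.
# PLACEHOLDER_DIGEST is a placeholder: pin to the sha256 digest you verified.
FROM node:14-slim@sha256:PLACEHOLDER_DIGEST AS build
WORKDIR /usr/src/app

# Copy the manifests first so the dependency layer is reused from cache
# until package.json / package-lock.json actually change.
COPY package.json package-lock.json ./
RUN npm ci

# Copy the rest of the source. A .dockerignore next to this file should list
# node_modules, .git, .env, coverage and other dev artifacts so they never
# enter the build context.
COPY . .
RUN npm run build

# ---- Stage 2: runtime -------------------------------------------------------
# A fresh base image: nothing from the build stage is present unless copied.
FROM node:14-slim@sha256:PLACEHOLDER_DIGEST
ENV NODE_ENV=production
WORKDIR /usr/src/app

# Production dependencies only, then drop the npm cache so the tens of MBs it
# holds are not baked into this layer (--force is required by recent npm).
COPY package.json package-lock.json ./
RUN npm ci --production && npm cache clean --force

# Copy only the built output; dev tooling and build-time secrets stay behind.
COPY --from=build /usr/src/app/dist ./dist

# Keep the v8 heap in line with the container limit (for example
# `docker run --memory=512m ...`); 400 MiB leaves headroom for non-heap memory.
ENV NODE_OPTIONS=--max-old-space-size=400

# Run as the unprivileged 'node' user that the official image ships with.
USER node

# Start with `node`, not `npm start`, so SIGTERM is delivered straight to the
# application process and its graceful-shutdown handler can run.
CMD ["node", "dist/server.js"]
```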
cc buddies from the original thread:
@BrunoScheufler @js-kyle @kevynb @sagirk @bobaaaaa @sylvainar @pawelangelow