Dockerfile Best Practices


Optimizing the build layer cache

Docker builds images in layers; each instruction creates one layer. Once a layer's inputs change, that layer and every layer after it are rebuilt, so ordering instructions carefully lets the build reuse cached layers.

Layer cache principle

# Bad: every code change invalidates the cache and reinstalls all dependencies
WORKDIR /app
COPY . /app
RUN npm install

# Good: copy the dependency manifests first, install, then copy the code
WORKDIR /app
COPY package.json package-lock.json /app/
RUN npm install
COPY . /app

Multi-stage builds

# Stage 1: build
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Stage 2: run
FROM node:18-alpine
WORKDIR /app
COPY --from=builder /app/dist ./dist
# Note: the builder's node_modules still contains devDependencies; the three-stage
# Node.js example later on installs production dependencies in a separate stage
COPY --from=builder /app/node_modules ./node_modules
EXPOSE 3000
CMD ["node", "dist/index.js"]

Reducing image size

Use an Alpine base image

# Alpine
FROM node:18-alpine

# or distroless (no shell or package manager in the runtime image)
FROM gcr.io/distroless/nodejs18-debian12

Clean up caches

# Combine RUN instructions and clean up the apt lists in the same layer
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
    package1 \
    package2 && \
    rm -rf /var/lib/apt/lists/*

Use .dockerignore

node_modules
.git
*.md
.env
.env.*

Security best practices

Run as a non-root user

FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
WORKDIR /app

Scan for vulnerabilities

# Scan with Trivy
trivy image myapp:v1

# Scan with Docker Scout
docker scout cves myapp:v1

Pin versions

# Bad: latest
FROM node:latest

# Good: pinned tag
FROM node:18.17.0-alpine

# Better: pinned by SHA256 digest (a tag can be moved, a digest cannot)
FROM node@sha256:abc123...
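A small checker for the rules discussed so far (dependency install after COPY ., apt lists left in the layer, unpinned base images, a final stage that never drops root), written as an added example for this post rather than code from the post or from any existing linter. The two sample Dockerfiles inside it are constructed, and the rules are deliberately simple pattern matches over parsed instructions, not a full Dockerfile parser.

```python
import re

# Constructed sample that breaks several rules from the text: an unpinned base image,
# application code copied before the dependency install, apt lists left in the layer,
# and a final stage that never drops root.
BAD_DOCKERFILE = """\
FROM node:latest
WORKDIR /app
COPY . /app
RUN npm install
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl
EXPOSE 3000
CMD ["node", "index.js"]
"""

# Constructed sample that follows the text's recommendations.
GOOD_DOCKERFILE = """\
FROM node:18.17.0-alpine AS builder
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:18.17.0-alpine
WORKDIR /app
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
COPY --from=builder /app/dist ./dist
USER appuser
CMD ["node", "dist/index.js"]
"""

DEP_INSTALL = re.compile(r"\b(npm (install|ci)|yarn install|pip3? install)\b")
COPY_ALL = re.compile(r"^(--\S+\s+)*\.\s")  # 'COPY . <dest>' / 'ADD . <dest>', flags allowed


def parse_instructions(text):
    """Return (INSTRUCTION, args) pairs; joins backslash continuations, skips comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        head, _, rest = buf.partition(" ")
        out.append((head.upper(), rest.strip()))
        buf = ""
    return out


def split_stages(instructions):
    """Group instructions by FROM; each stage is a list that starts with its FROM."""
    stages = []
    for inst in instructions:
        if inst[0] == "FROM":
            stages.append([inst])
        elif stages:
            stages[-1].append(inst)
    return stages


def lint(text):
    """Return 'WARN: ...' / 'INFO: ...' findings for the rules discussed in the text."""
    findings = []
    stages = split_stages(parse_instructions(text))
    stage_names = set()
    for stage in stages:
        m = re.search(r"\sAS\s+(\S+)$", stage[0][1], re.IGNORECASE)
        if m:
            stage_names.add(m.group(1))
    for index, stage in enumerate(stages):
        image = [t for t in stage[0][1].split() if not t.startswith("--")][0]
        # Rule 1: base image pinning (stage references and build-arg images are skipped)
        if image not in stage_names and not image.startswith("$"):
            name = image.rsplit("/", 1)[-1]  # drop registry/namespace, which may hold a port
            if "@sha256:" in name:
                pass
            elif ":" not in name or name.endswith(":latest"):
                findings.append(f"WARN: FROM {image}: base image not pinned (no tag, or 'latest')")
            else:
                findings.append(f"INFO: FROM {image}: pinned by tag; a sha256 digest is stronger")
        copied_all = False
        for inst, args in stage[1:]:
            # Rule 2: 'COPY .' before the dependency install defeats the layer cache
            if inst in ("COPY", "ADD") and COPY_ALL.match(args):
                copied_all = True
            if inst == "RUN":
                if copied_all and DEP_INSTALL.search(args):
                    findings.append(f"WARN: RUN {args}: dependency install after 'COPY .' busts the cache")
                    copied_all = False  # report once per stage
                # Rule 3: apt lists left in the layer
                if "apt-get install" in args and "/var/lib/apt/lists" not in args:
                    findings.append("WARN: apt-get install without 'rm -rf /var/lib/apt/lists/*' in the same RUN")
        # Rule 4: the final stage must not run as root
        if index == len(stages) - 1:
            users = [a for inst, a in stage if inst == "USER"]
            if not users or users[-1].split(":")[0] in ("root", "0"):
                findings.append("WARN: final stage runs as root (no USER, or USER root)")
    return findings


if __name__ == "__main__":
    for finding in lint(BAD_DOCKERFILE):
        print(finding)
```

Running the script prints four warnings for the bad sample and none for the good one (only two informational notes that its base images are pinned by tag rather than digest). The root check looks only at the last stage because that is the one that ships; build stages running as root are normal.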

Optimizing the build context

Reduce the context size

# Point the build at a dedicated context directory
docker build -t myapp -f Dockerfile ./context

# Rebuild without the layer cache; a .dockerignore in the context root is applied automatically
docker build --no-cache -t myapp .
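To see what a .dockerignore actually keeps out of the context, here is an added simulation (not part of the original post, and not Docker's own matcher) that applies the five patterns from the .dockerignore section to a constructed file tree. It implements a simplified version of the Go filepath.Match rules Docker uses: `*` and `?` do not cross a `/`, `**` spans directories, `!` re-includes, and the last matching pattern wins. One detail worth noticing: `*.md` is anchored at the context root, so `docs/guide.md` is still sent unless the pattern is written as `**/*.md`.

```python
import re

# .dockerignore patterns taken from the text above.
DOCKERIGNORE = """\
node_modules
.git
*.md
.env
.env.*
"""

# Constructed project tree (paths relative to the build context root).
FILES = [
    "Dockerfile",
    "package.json",
    "package-lock.json",
    "src/index.js",
    "node_modules/express/index.js",
    ".git/HEAD",
    "README.md",
    "docs/guide.md",
    ".env",
    ".env.production",
    "dist/index.js",
]


def _pattern_to_regex(pattern):
    """Translate one pattern to a regex. Simplified Go filepath.Match semantics:
    '*' and '?' never cross a '/', '**' matches any number of directories."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
            if i < len(pattern) and pattern[i] == "/":
                i += 1  # '**/' also matches zero directories
            continue
        c = pattern[i]
        out += "[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
        i += 1
    return re.compile(out + "$")


def parse_dockerignore(text):
    """Return (negated, regex) rules in file order; blank lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        negated = line.startswith("!")
        pattern = (line[1:] if negated else line).strip("/")
        rules.append((negated, _pattern_to_regex(pattern)))
    return rules


def is_excluded(path, rules):
    """Last matching rule wins; a rule that matches an ancestor directory matches the path."""
    parts = path.split("/")
    candidates = ["/".join(parts[:n]) for n in range(1, len(parts) + 1)]
    excluded = False
    for negated, regex in rules:
        if any(regex.match(c) for c in candidates):
            excluded = not negated
    return excluded


def build_context(files, dockerignore_text):
    """Files that would be sent to the daemon, in the original order."""
    rules = parse_dockerignore(dockerignore_text)
    return [f for f in files if not is_excluded(f, rules)]


if __name__ == "__main__":
    sent = set(build_context(FILES, DOCKERIGNORE))
    for f in FILES:
        print(f"{'sent' if f in sent else 'excluded':9} {f}")
```

With the post's patterns, `.env` and `.env.production` never reach the daemon (so they cannot end up in a layer through `COPY . .`), `node_modules` and `.git` stay local, but `docs/guide.md` is still sent. Appending `**/*.md` excludes it; appending `!README.md` re-includes the root README.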

Building from a URL

# From a Git repository (a commit hash after '#' pins the exact source instead of a moving branch)
docker build -t myapp https://github.com/user/repo.git#main

# From a tarball
docker build -t myapp https://example.com/archive.tar.gz

In practice: a Node.js application Dockerfile

# Stage 1: production dependencies only
FROM node:18-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# Stage 2: build (needs devDependencies)
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Stage 3: production
FROM node:18-alpine AS runner
WORKDIR /app

RUN addgroup --system --gid 1001 nodejs
RUN adduser --system --uid 1001 appuser

COPY --from=deps /app/node_modules ./node_modules
COPY --from=builder /app/dist ./dist
COPY package.json ./

ENV NODE_ENV=production

USER appuser

EXPOSE 3000
# Probe the running service; the /health endpoint is assumed here (adjust to the app).
# 'node --check' only syntax-checks a file and says nothing about whether the process is serving.
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD wget -qO- http://localhost:3000/health || exit 1

CMD ["node", "dist/index.js"]

In practice: a Python application Dockerfile

# Multi-stage build
FROM python:3.11-slim AS builder

WORKDIR /app
COPY requirements.txt .
RUN pip install --user --no-cache-dir -r requirements.txt

FROM python:3.11-slim

WORKDIR /app

# System user with a home directory to hold the user-site packages
RUN groupadd -r appgroup && useradd -r -g appgroup -m -d /home/appuser appuser

# The builder installed into /root/.local, which appuser cannot read;
# copy the packages into appuser's own home instead
COPY --from=builder --chown=appuser:appgroup /root/.local /home/appuser/.local
COPY . .

ENV PATH=/home/appuser/.local/bin:$PATH
ENV PYTHONUNBUFFERED=1

USER appuser

EXPOSE 8000

CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

Summary

Dockerfile best practices directly affect image security, image size and build efficiency. Following these principles produces high-quality container images.