Dockerfile Cheatsheet

The FROM instruction initializes a new build stage and sets the base image for subsequent instructions. A valid Dockerfile must start with a FROM instruction. Selecting the right base image is crucial for security, size optimization, and application compatibility.

Labels provide metadata for Docker images, enabling better organization, filtering, and automation. The MAINTAINER instruction is deprecated in favor of the LABEL instruction with the "maintainer" key.

ARG variables provide build-time parameters to Dockerfiles, allowing customization of the build process without modifying the Dockerfile itself. Unlike ENV variables, ARGs only exist during image build and don't persist in the final container.

WORKDIR sets the working directory for subsequent instructions in the Dockerfile. It affects RUN, CMD, ENTRYPOINT, COPY, and ADD commands. Using WORKDIR properly helps maintain clean, predictable directory structures and avoids path-related issues.

Environment variables in Dockerfiles define key-value pairs that persist in the built image and are available to processes running in containers. They provide configuration that can be accessed at both build and runtime.

The COPY instruction copies files and directories from the build context to the image filesystem. It's the preferred way to transfer files into your Docker image while maintaining proper permissions and without any additional processing.

The ADD instruction copies files, directories, or remote files from a source to a container's filesystem. It offers extended functionality beyond COPY, including automatic archive extraction and remote URL handling, but should be used selectively due to potential security risks.

The USER instruction in Dockerfile sets the user and optionally the user group that will be used when running the container and executing RUN, CMD, and ENTRYPOINT instructions. Using non-root users is a security best practice that follows the principle of least privilege.

The RUN instruction executes commands during the image build process, creating a new layer in the Docker image. It's primarily used for installing packages, setting up the environment, and preparing the container for execution.

The CMD instruction defines the default command to run when a container starts. Unlike RUN which executes during build, CMD executes at container runtime. It can be overridden by command-line arguments when running the container.

The ENTRYPOINT instruction defines the executable that will run when a container starts. Unlike CMD, which provides default arguments that can be overridden, ENTRYPOINT commands are always executed unless explicitly overridden with --entrypoint.

The SHELL instruction in Dockerfiles sets the default shell used for shell form commands. This affects how RUN, CMD, and ENTRYPOINT instructions execute when using shell form rather than exec form. By default, Linux containers use /bin/sh -c and Windows containers use cmd /S /C.

STOPSIGNAL configures which signal will be used to stop the container, while HEALTHCHECK allows Docker to verify if a container is still working properly. These instructions help manage container lifecycle and ensure robust, self-healing containerized applications.

The EXPOSE instruction informs Docker that the container listens on specific network ports at runtime. It serves as documentation and works with port publishing to make container services accessible from outside.

The VOLUME instruction creates a mount point in the container for data that persists beyond the container lifecycle. Volumes are the preferred mechanism for data persistence in Docker, providing better performance and portability than bind mounts.

Docker containers use various storage strategies to manage data persistence, temporary storage, and volume management. Understanding these strategies helps optimize container performance and ensures data integrity across container lifecycles.

Multi-stage builds allow you to create smaller, more secure Docker images by using multiple FROM statements in a single Dockerfile. Each FROM instruction begins a new stage that can selectively copy artifacts from previous stages, leaving behind build dependencies and reducing final image size.

Docker images are built in layers, with each instruction creating a new layer. Understanding how to optimize these layers improves build speed, reduces image size, and enhances deployment efficiency. Proper layer management is crucial for CI/CD pipelines and container orchestration.

Image optimization is crucial for Docker deployments, focusing on reducing size, improving security, and enhancing performance. Smaller images download faster, use less storage, and have reduced attack surface.

Security scanning is a critical part of container image lifecycle management. It helps identify vulnerabilities in your Docker images, ensures compliance with security policies, and provides mechanisms to verify image authenticity.

Managing secrets in Docker involves handling sensitive information like API keys, passwords, and certificates. The goal is to prevent secrets from being embedded in images or exposed in container runtime while making them available when needed.

Dockerfile linting is the process of analyzing Dockerfiles for style, best practices, and potential errors. Linting tools help maintain consistent standards across teams, detect common mistakes before runtime, and improve security and efficiency of container images.