Docker Skill

This skill provides comprehensive guidance for working with Docker, covering containerization concepts, practical workflows, and best practices across all major technology stacks.

When to Use This Skill

适用场景

Use this skill when:
  • Containerizing applications for any language or framework
  • Creating or optimizing Dockerfiles and Docker Compose configurations
  • Setting up development environments with Docker
  • Deploying containerized applications to production
  • Implementing CI/CD pipelines with Docker
  • Managing container networking, storage, and security
  • Troubleshooting Docker-related issues
  • Building multi-platform images
  • Implementing microservices architectures

Core Docker Concepts

Containers

  • Lightweight, isolated processes that bundle an application with all of its dependencies; they share the host kernel, so the isolation boundary is kernel namespaces and cgroups rather than a hypervisor
  • Filesystem isolation comes from a union filesystem (the read-only image layers plus one writable layer) combined with mount namespaces
  • Ephemeral by default: the writable layer is discarded when the container is removed, so anything not written to a volume is lost
  • Single responsibility principle: each container should do one thing well
  • Many identical containers can run from the same immutable image without conflicts

Images

  • Blueprint/template for containers: a read-only filesystem plus configuration (entrypoint, default command, environment, exposed ports, user)
  • Composed of a layered filesystem (immutable, reusable layers, each addressed by a content digest)
  • Built from Dockerfile instructions, or committed from running containers (docker commit produces an image nobody can reproduce; prefer a Dockerfile)
  • Stored in registries (Docker Hub, ECR, ACR, GCR, private registries)
  • Image naming: REGISTRY/NAMESPACE/REPOSITORY:TAG (e.g. docker.io/library/nginx:latest). A tag is a mutable pointer that can be re-pushed at any time; a digest reference (nginx@sha256:...) names exactly one image content
Volumes & Storage

  • Volumes: Docker-managed persistent storage that survives container deletion
  • Bind mounts: direct mapping of host filesystem paths into containers; whatever the container writes lands on the host, and mounting sensitive paths (/var/run/docker.sock, /etc, /) hands the container effective root on the host
  • tmpfs mounts: in-memory storage for temporary data, never written to the host disk
  • Volumes and bind mounts share data between containers and persist beyond the container lifecycle

Networks

  • Default bridge network connects containers on the same host; every container on it can reach every other, and there is no DNS resolution by name
  • User-defined networks give containers DNS resolution by name and a scope you control: only containers attached to the same network can talk to each other
  • Host network removes network isolation entirely (the container shares the host's network namespace and can bind any host port); use it only when a measured performance need justifies it
  • Overlay networks enable multi-host container communication (Swarm)
  • MACVLAN/IPvlan for containers needing direct L2/L3 network access

Dockerfile Best Practices

Essential Instructions

```dockerfile
# Base image: pin a specific version, not 'latest'
FROM node:20.11.0-alpine3.19
# Working directory for subsequent instructions
WORKDIR /app
# Copy dependency manifests first so the install layer stays cached until they change
COPY package*.json ./
# Reproducible install from the lockfile, without devDependencies
RUN npm ci --omit=dev
# Copy application code (filtered by .dockerignore)
COPY . .
# Environment variables
ENV NODE_ENV=production
# Document the listening port (EXPOSE publishes nothing by itself)
EXPOSE 3000
# Run as the non-root user that the official node image ships
USER node
# Default command when the container starts; exec form, so no shell wraps the process
CMD ["node", "server.js"]
```

Comments sit on their own lines: a Dockerfile only treats # as a comment at the start of a line, and a trailing # comment becomes part of the instruction's arguments (EXPOSE 3000 # text fails to parse, and a JSON-form CMD silently degrades to shell form).

Multi-Stage Builds (Critical for Production)

Separate the build environment from the runtime environment to reduce image size and attack surface:
```dockerfile
# Stage 1: build (needs every dependency, including dev tooling such as bundlers and compilers)
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Stage 2: production (built output plus runtime dependencies only)
FROM node:20-alpine AS production
WORKDIR /app
ENV NODE_ENV=production
COPY package*.json ./
RUN npm ci --omit=dev
COPY --from=build /app/dist ./dist
USER node
EXPOSE 3000
CMD ["node", "dist/server.js"]
```

**Benefits**: compiled assets without build tools in the final image, smaller size, less for an attacker to work with. Copying node_modules straight from the build stage would drag the devDependencies (compilers, test runners, their transitive CVEs) into production; installing with --omit=dev in the final stage keeps them out.

Layer Caching Optimization

Order matters. Docker reuses a cached layer only while the instruction and every file it references are unchanged, and the first cache miss rebuilds every layer after it:
  1. Dependencies first (COPY package.json, RUN npm install)
  2. Application code last (COPY . .)
  3. This way, code changes don't invalidate the dependency layers

Security Hardening

```dockerfile
# Use specific versions
FROM node:20.11.0-alpine3.19

# Create non-root user (fixed UID/GID so ownership on mounted volumes is predictable)
RUN addgroup -g 1001 -S nodejs && \
    adduser -S nodejs -u 1001

WORKDIR /app

# Set ownership at copy time instead of a separate chown layer
COPY --chown=nodejs:nodejs . .

# Switch to non-root: every later RUN, CMD and ENTRYPOINT executes as this user
USER nodejs

# Read-only root filesystem (when possible):
# add --read-only when running the container, with --tmpfs for the paths the app must write
```
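
A linter for the hardening rules above, written for this guide as an added example (it is not part of the original page or of any Docker tooling). It splits a Dockerfile into instructions, joins backslash continuations, and flags what the rules target: an unpinned or latest base image, a final stage that never drops root, secret-looking ENV/ARG values that would persist in image metadata, a remote ADD, and a download piped into a shell. The two Dockerfiles at the bottom are constructed samples: one breaks every rule, the other follows the hardening block above.

```python
"""Dockerfile hardening linter (added example; not part of the original guide)."""
import re

SECRET_NAMES = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.I)
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba)?sh\b")


def parse(dockerfile: str):
    """Yield (INSTRUCTION, arguments) pairs. Backslash continuations are joined;
    blank lines and comments are skipped (a # only counts at the start of a line)."""
    joined = re.sub(r"\\\n\s*", " ", dockerfile)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        head, _, rest = line.partition(" ")
        yield head.upper(), rest.strip()


def base_image_tag(image_ref: str) -> str:
    """Tag of an image reference: "" when absent, "@digest" when pinned by digest."""
    if "@sha256:" in image_ref:
        return "@digest"
    last = image_ref.rsplit("/", 1)[-1]   # a registry:port prefix must not look like a tag
    return last.split(":", 1)[1] if ":" in last else ""


def lint(dockerfile: str) -> list:
    """Return the list of findings; an empty list means every rule is satisfied."""
    findings, stages, user = [], set(), None
    for instr, arg in parse(dockerfile):
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # drop --platform=...
            image = tokens[0]
            if len(tokens) == 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2])
            user = None                      # every stage starts as root again
            if image not in stages and image != "scratch" and base_image_tag(image) in ("", "latest"):
                findings.append(f"FROM {image}: pin a version tag or digest instead of latest")
        elif instr == "USER":
            user = arg.split(":")[0]
        elif instr in ("ENV", "ARG") and SECRET_NAMES.search(arg):
            findings.append(f"{instr} {arg.split('=')[0]}: secret-looking value persists in image metadata")
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append("ADD from URL: unverified download; fetch with RUN and check a digest, or COPY")
        elif instr == "RUN" and PIPE_TO_SHELL.search(arg):
            findings.append("RUN pipes a download into a shell: nothing is verified before execution")
    if user in (None, "root", "0"):
        findings.append("final stage runs as root: add a USER instruction")
    return findings


# Constructed sample: breaks every rule above
BAD_DOCKERFILE = """\
FROM node:latest
WORKDIR /app
ENV API_KEY=sk-constructed-sample-value
ADD https://example.invalid/setup.sh /setup.sh
RUN curl -fsSL https://example.invalid/install.sh | sh
COPY . .
CMD ["node", "server.js"]
"""

# Constructed sample following the hardening block above
GOOD_DOCKERFILE = """\
FROM node:20.11.0-alpine3.19
RUN addgroup -g 1001 -S nodejs && \\
    adduser -S nodejs -u 1001
WORKDIR /app
COPY --chown=nodejs:nodejs . .
USER nodejs
CMD ["node", "server.js"]
"""

if __name__ == "__main__":
    for label, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, lint(text) or "OK")
```

Run it over a real Dockerfile with lint(open("Dockerfile").read()). The USER tracking resets on every FROM on purpose: only the last stage ships, so a USER in the build stage says nothing about what runs in production.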

.dockerignore File

Exclude unnecessary files from the build context. This is a security control as much as a size one: anything in the context can end up in a layer through COPY . ., and .env files, .git history and private keys are the usual leaks.
```
node_modules
.git
.env
.env.*
*.log
.DS_Store
README.md
docker-compose.yml
compose*.yml
.dockerignore
Dockerfile
dist
coverage
.vscode
*.pem
*.key
```

Common Workflows

Building Images

```bash
# Build with tag
docker build -t myapp:1.0 .

# Build targeting a specific stage
docker build -t myapp:dev --target build .

# Build with build arguments (ARG values are recorded in `docker history`; never pass secrets this way)
docker build --build-arg NODE_ENV=production -t myapp:1.0 .

# Build for multiple platforms; the result must be pushed, since the default builder cannot
# load a multi-platform image into the local store (see Advanced Topics for the builder setup)
docker buildx build --platform linux/amd64,linux/arm64 -t myapp:1.0 --push .

# View image layers and size
docker image history myapp:1.0

# List all images
docker image ls
```

Running Containers

```bash
# Basic run
docker run myapp:1.0

# Run in background (detached)
docker run -d --name myapp myapp:1.0

# Port mapping (host:container); binds 0.0.0.0 on the host unless an address is given
docker run -p 8080:3000 myapp:1.0

# Environment variables. Anything passed with -e is readable through `docker inspect`
# and from /proc inside the container, so API_KEY here is a demonstration, not a pattern:
# pass secrets as mounted files (see Environment Variables & Secrets)
docker run -e NODE_ENV=production -e API_KEY=secret myapp:1.0

# Volume mount (named volume)
docker run -v mydata:/app/data myapp:1.0

# Bind mount (development)
docker run -v "$(pwd)/src:/app/src" myapp:1.0

# Custom network
docker run --network my-network myapp:1.0

# Resource limits
docker run --memory 512m --cpus 0.5 myapp:1.0

# Interactive terminal
docker run -it myapp:1.0 /bin/sh

# Override entrypoint / command
docker run --entrypoint /bin/sh myapp:1.0
docker run myapp:1.0 custom-command --arg
```

Container Management

```bash
# List running containers
docker ps

# List all containers (including stopped)
docker ps -a

# View logs
docker logs myapp
docker logs -f myapp          # Follow logs
docker logs --tail 100 myapp  # Last 100 lines

# Execute command in running container
docker exec myapp ls /app
docker exec -it myapp /bin/sh # Interactive shell

# Stop container (SIGTERM, then SIGKILL after the grace period, 10s by default)
docker stop myapp

# Kill container (SIGKILL immediately)
docker kill myapp

# Remove container
docker rm myapp
docker rm -f myapp            # Force remove a running container

# View container details (includes environment variables and mounts)
docker inspect myapp

# Monitor resource usage
docker stats myapp

# View container processes
docker top myapp

# Copy files to/from container
docker cp myapp:/app/logs ./logs
docker cp ./config.json myapp:/app/config.json
```

Image Management

```bash
# Tag image
docker tag myapp:1.0 registry.example.com/myapp:1.0

# Push to registry
docker login registry.example.com
docker push registry.example.com/myapp:1.0

# Pull from registry (a tag can be re-pushed; pull by @sha256 digest when the exact content matters)
docker pull nginx:alpine

# Remove image
docker image rm myapp:1.0

# Remove dangling (untagged) images
docker image prune

# Remove all unused resources: stopped containers, unused networks, all unused images, build cache.
# Volumes are kept unless --volumes is added, which destroys their data
docker system prune -a --volumes

# View disk usage
docker system df
```

Volume Management

```bash
# Create named volume
docker volume create mydata

# List volumes
docker volume ls

# Inspect volume (shows the backing path under /var/lib/docker/volumes on the host)
docker volume inspect mydata

# Remove volume
docker volume rm mydata

# Remove unused volumes
docker volume prune
```

Network Management

```bash
# Create network (bridge is the default driver)
docker network create my-network
docker network create --driver bridge my-bridge

# List networks
docker network ls

# Inspect network (attached containers and their addresses)
docker network inspect my-network

# Connect a running container to a network
docker network connect my-network myapp

# Disconnect container from network
docker network disconnect my-network myapp

# Remove network
docker network rm my-network
```

Docker Compose

When to Use Compose

  • Multi-container applications (web + database + cache)
  • Consistent development environments across the team
  • Simplifying complex docker run commands
  • Managing application dependencies and startup order

Basic Compose File Structure

```yaml
# The top-level `version:` key is obsolete in Compose v2 (it only produces a warning); omit it.
services:
  web:
    build: .
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
      # Credentials in environment entries are visible in `docker inspect` and in this
      # file's history; beyond local development use secrets (see Environment Variables & Secrets)
      - DATABASE_URL=postgresql://user:pass@db:5432/app
    depends_on:
      db:
        condition: service_healthy   # Wait for db's healthcheck, not merely for its container to start
      redis:
        condition: service_started
    volumes:
      - ./src:/app/src      # Development: live code reload
    networks:
      - app-network
    restart: unless-stopped

  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_USER: user
      POSTGRES_PASSWORD: pass
      POSTGRES_DB: app
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - app-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U user -d app"]
      interval: 10s
      timeout: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    networks:
      - app-network
    volumes:
      - redis_data:/data

volumes:
  postgres_data:
  redis_data:

networks:
  app-network:
    driver: bridge
```

Compose Commands

```bash
# Start all services
docker compose up

# Start in background
docker compose up -d

# Build images before starting
docker compose up --build

# Scale specific service (fails if the service publishes a fixed host port)
docker compose up -d --scale web=3

# Stop and remove containers and networks (named volumes are kept)
docker compose down

# Stop and also remove named volumes (destroys their data)
docker compose down --volumes

# View logs
docker compose logs
docker compose logs -f web    # Follow specific service

# Execute command in service
docker compose exec web sh
docker compose exec db psql -U user -d app

# List running services
docker compose ps

# Restart service
docker compose restart web

# Pull latest images
docker compose pull

# Validate and print the effective configuration (all -f files merged, variables interpolated)
docker compose config
```

Development vs Production Compose

compose.yml (base configuration):
```yaml
services:
  web:
    build: .
    ports:
      - "3000:3000"
    environment:
      - DATABASE_URL=postgresql://user:pass@db:5432/app
```
compose.override.yml (development overrides, loaded automatically):
```yaml
services:
  web:
    volumes:
      - ./src:/app/src      # Live code reload
    environment:
      - NODE_ENV=development
      - DEBUG=true
    command: npm run dev
```
compose.prod.yml (production overrides):
```yaml
services:
  web:
    image: registry.example.com/myapp:1.0
    restart: always
    environment:
      - NODE_ENV=production
    deploy:
      # Three replicas cannot all bind host port 3000; when scaling, drop the fixed
      # host port from the base file (ports: ["3000"] lets Docker pick free host ports)
      replicas: 3
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
```
Usage:
```bash
# Development (uses compose.yml + compose.override.yml automatically)
docker compose up

# Production (explicit file list; compose.override.yml is NOT loaded once -f is given)
docker compose -f compose.yml -f compose.prod.yml up -d
```

Language-Specific Dockerfiles

Node.js

```dockerfile
# Build stage: installs devDependencies too, since the build needs the bundler/compiler
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Production stage: runtime dependencies only (--omit=dev replaces the deprecated --only=production)
FROM node:20-alpine AS production
WORKDIR /app
ENV NODE_ENV=production
COPY package*.json ./
RUN npm ci --omit=dev
COPY --from=build /app/dist ./dist
USER node
EXPOSE 3000
CMD ["node", "dist/server.js"]
```

Installing with --only=production in the build stage, as the original version did, leaves out the devDependencies that npm run build needs, so the build step fails; installing everything in the build stage and only runtime dependencies in the final stage gives a working build and a lean image.

Python

```dockerfile
FROM python:3.11-slim AS build
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.11-slim AS production
WORKDIR /app
# Copy the installed packages and their console-script entry points (gunicorn, uvicorn, ...)
COPY --from=build /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=build /usr/local/bin /usr/local/bin
# Create the user before copying so --chown sets ownership in the same layer
# (a separate chown -R duplicates every file in a new layer)
RUN adduser --disabled-password --gecos '' appuser
COPY --chown=appuser:appuser . .
USER appuser
EXPOSE 8000
CMD ["python", "app.py"]
```

Go

```dockerfile
FROM golang:1.21-alpine AS build
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary (no libc) so it runs from scratch; -trimpath and -s -w drop build paths and symbols
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o main .

FROM scratch
# scratch has no CA bundle and no /etc/passwd: copy the certificates if the service makes
# TLS connections, and run as a numeric non-root UID (there is no user database to resolve a name)
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /app/main /main
USER 65534:65534
EXPOSE 8080
CMD ["/main"]
```

Java (Spring Boot)

```dockerfile
FROM eclipse-temurin:21-jdk-alpine AS build
WORKDIR /app
# ./mvnw needs the wrapper script and its .mvn/ directory in the image, not only pom.xml and src/
COPY mvnw pom.xml ./
COPY .mvn .mvn
COPY src ./src
RUN ./mvnw clean package -DskipTests

FROM eclipse-temurin:21-jre-alpine AS production
WORKDIR /app
RUN addgroup -g 1001 -S spring && \
    adduser -S spring -u 1001
COPY --from=build --chown=spring:spring /app/target/*.jar app.jar
USER spring
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]
```

React/Vue/Angular (Static SPA)

```dockerfile
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# nginx:alpine starts its master process as root and listens on 80; the
# nginxinc/nginx-unprivileged image runs entirely as a non-root user and listens on 8080
FROM nginx:alpine AS production
COPY --from=build /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
```

Production Deployment

Health Checks

In Dockerfile (curl is absent from most minimal images, node:alpine included, so a check that calls it reports unhealthy forever; busybox wget is present on Alpine, or use a tiny check in the app's own language):
```dockerfile
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
  CMD wget -qO- http://localhost:3000/health || exit 1
```
In Compose (the key is start_period with an underscore, unlike the Dockerfile flag):
```yaml
services:
  web:
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:3000/health"]
      interval: 30s
      timeout: 3s
      start_period: 40s
      retries: 3
```

Resource Limits

```yaml
services:
  web:
    deploy:
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
```

Restart Policies

```yaml
services:
  web:
    restart: unless-stopped    # Restart unless manually stopped
    # Other options: "no", "always", "on-failure"
```

Logging Configuration

```yaml
services:
  web:
    logging:
      driver: "json-file"
      options:
        max-size: "10m"        # Without max-size/max-file the json-file driver grows without bound
        max-file: "3"
```

Environment Variables & Secrets

Using a .env file (fine for non-secret configuration and local development; the values still land in the container's environment, so they are visible to `docker inspect`, to every process in the container, and to anything that dumps the environment into a crash report):
```bash
# .env
DATABASE_URL=postgresql://user:pass@db:5432/app
API_KEY=secret
```
```yaml
services:
  web:
    env_file:
      - .env
```
Using Docker secrets (mounted as files under /run/secrets/<name> inside the container; Compose supports file-backed secrets without Swarm, and Swarm serves them from its encrypted store):
```yaml
services:
  web:
    secrets:
      - db_password

secrets:
  db_password:
    file: ./secrets/db_password.txt   # Compose without Swarm: a local file kept out of git and .dockerignore'd
    # external: true                  # Swarm: created beforehand with `docker secret create db_password -`
```
Keep .env and the secrets directory out of the image (.dockerignore) and out of version control.
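
Application-side counterpart of the secrets configuration above, as an added example (not part of the original guide): a loader that prefers a mounted secret file over an environment variable and says so when it has to fall back. The NAME_FILE convention mirrors what the official postgres image accepts (POSTGRES_PASSWORD_FILE); the lookup order, the warning and the demo data are this example's own, and the demo uses a temporary directory as a stand-in for /run/secrets.

```python
"""Resolve a secret from a mounted file first, from the environment last
(added example; not part of the original guide)."""
import os
import tempfile
import warnings
from pathlib import Path


def load_secret(name: str, env=None, secrets_dir="/run/secrets") -> str:
    """Look up secret `name` (e.g. "db_password") in priority order:
      1. the file named by env var NAME_FILE (explicit override),
      2. <secrets_dir>/<name>, where Docker/Compose mount `secrets:`,
      3. env var NAME (works, but is readable via `docker inspect` and /proc).
    Only a trailing newline is stripped: editors add one, and a password may
    legitimately contain spaces. Raises KeyError when nothing is set."""
    env = os.environ if env is None else env
    key = name.upper()
    candidates = []
    if env.get(f"{key}_FILE"):
        candidates.append(Path(env[f"{key}_FILE"]))
    candidates.append(Path(secrets_dir) / name)
    for path in candidates:
        if path.is_file():
            return path.read_text(encoding="utf-8").rstrip("\n")
    if key in env:
        warnings.warn(f"{key} read from the environment; prefer a mounted secret file")
        return env[key]
    raise KeyError(f"{name}: not found via {key}_FILE, {secrets_dir}/{name} or {key}")


def demo() -> dict:
    """Simulate a container: a temporary stand-in for /run/secrets plus a fake
    environment (all values constructed). Returns what each lookup resolved to."""
    with tempfile.TemporaryDirectory() as tmp:
        secrets = Path(tmp) / "run" / "secrets"
        secrets.mkdir(parents=True)
        (secrets / "db_password").write_text("file-wins-over-env\n", encoding="utf-8")
        (secrets / "api_key_override").write_text("from-explicit-file", encoding="utf-8")
        env = {
            "DB_PASSWORD": "from-env",                        # ignored: the mounted file exists
            "API_KEY_FILE": str(secrets / "api_key_override"),
            "API_KEY": "from-env",                            # ignored: API_KEY_FILE points at a file
            "REDIS_PASSWORD": "env-fallback",                 # used, with a warning
        }
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            return {
                "db_password": load_secret("db_password", env, secrets),
                "api_key": load_secret("api_key", env, secrets),
                "redis_password": load_secret("redis_password", env, secrets),
            }


if __name__ == "__main__":
    print(demo())
```

In the container, load_secret("db_password") with no other arguments reads /run/secrets/db_password, which is exactly where the Compose fragment above mounts it; the fallback path exists so the same code runs unchanged in a plain docker run during development.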

Production Checklist

  • ✅ Use specific image versions (not latest)
  • ✅ Run as non-root user
  • ✅ Multi-stage builds to minimize image size
  • ✅ Health checks implemented
  • ✅ Resource limits configured
  • ✅ Restart policy set
  • ✅ Logging configured
  • ✅ Secrets managed securely (not in environment variables)
  • ✅ Vulnerability scanning (Docker Scout)
  • ✅ Read-only root filesystem when possible
  • ✅ Network segmentation
  • ✅ Regular image updates

CI/CD Integration

GitHub Actions Example

Scanning after the push means a failing scan cannot stop a vulnerable image from being published. The scout step below fails the job on critical or high findings, so a deploy job that depends on this one never sees the image; to keep it out of the registry altogether, scan before pushing (build with load: true, scan, then push in a second build step that reuses the cache). The actions are referenced by major tag here; pinning them to a commit SHA follows the same reasoning as not using latest for images.

```yaml
name: Docker Build and Push

on:
  push:
    branches: [ main ]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: user/app:latest,user/app:${{ github.sha }}
          cache-from: type=registry,ref=user/app:buildcache
          cache-to: type=registry,ref=user/app:buildcache,mode=max

      - name: Run vulnerability scan
        uses: docker/scout-action@v1
        with:
          command: cves
          image: user/app:${{ github.sha }}
          only-severities: critical,high
          exit-code: true      # fail the job so a dependent deploy job cannot pick up this image
```

Security Best Practices

Scan for Vulnerabilities

```bash
# Using Docker Scout
docker scout cves myapp:1.0
docker scout recommendations myapp:1.0

# Quick view
docker scout quickview myapp:1.0
```

A scan only matters if its result changes something: in a pipeline, make the scan step fail on critical or high findings (docker scout cves supports --exit-code and --only-severity) and scan the exact digest you are about to deploy, not a tag that may have moved since.

Run Containers Securely

```bash
# Read-only root filesystem, with writable scratch space in memory for the paths the app needs
# (-v /tmp, as in the original version, would create an anonymous writable volume that persists)
docker run --read-only --tmpfs /tmp --tmpfs /run myapp:1.0

# Drop all capabilities, add only needed ones
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:1.0

# No new privileges (setuid/setgid binaries and file capabilities cannot raise privileges)
docker run --security-opt=no-new-privileges myapp:1.0

# Use security profiles (docker-default is applied automatically on hosts with AppArmor;
# naming a profile explicitly documents the intent and is where a stricter custom profile goes)
docker run --security-opt apparmor=docker-default myapp:1.0

# Limit resources (the PID limit stops fork bombs)
docker run --memory=512m --cpus=0.5 --pids-limit=100 myapp:1.0
```
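
The flags above are only useful if you can tell which running containers lack them. This audit, added here as an example (not part of the original guide or of Docker), reads the JSON that docker inspect emits and reports every departure from the hardening flags: privileged mode, dangerous added capabilities, a default capability set that was never dropped, missing no-new-privileges, a writable root filesystem, host network or PID namespace, a mounted Docker socket, missing memory or PID limits, and a root user. The sample JSON is a constructed, trimmed entry in the real docker inspect shape (HostConfig and Config keys as Docker names them); hardened_sample() shows the same container relaunched with the flags from this section.

```python
"""Audit `docker inspect` output against the runtime hardening flags
(added example; not part of the original guide or of Docker)."""
import json
import sys

DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "SYS_RAWIO"}

# Constructed sample: a container started with roughly
#   docker run -d --network host --cap-add SYS_ADMIN -v /var/run/docker.sock:/var/run/docker.sock ...
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123abcd",
    "Name": "/myapp",
    "Config": {"Image": "myapp:1.0", "User": ""},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": None,
        "ReadonlyRootfs": False,
        "NetworkMode": "host",
        "PidMode": "",
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "mydata:/app/data"],
        "Memory": 0,
        "PidsLimit": None,
    },
}])


def audit_container(c: dict) -> list:
    """Return the findings for one `docker inspect` entry."""
    hc, cfg, issues = c.get("HostConfig", {}), c.get("Config", {}), []
    if hc.get("Privileged"):
        issues.append("--privileged: every capability plus raw device access")
    added = set(hc.get("CapAdd") or []) & DANGEROUS_CAPS
    if added:
        issues.append(f"dangerous capabilities added: {sorted(added)}")
    if "ALL" not in (hc.get("CapDrop") or []):
        issues.append("default capability set kept: use --cap-drop=ALL and add back only what is needed")
    if not any(opt.startswith("no-new-privileges") for opt in hc.get("SecurityOpt") or []):
        issues.append("missing --security-opt=no-new-privileges")
    if not hc.get("ReadonlyRootfs"):
        issues.append("root filesystem writable: consider --read-only with --tmpfs for scratch paths")
    if hc.get("NetworkMode") == "host":
        issues.append("--network=host: shares the host network namespace and can bind any host port")
    if hc.get("PidMode") == "host":
        issues.append("--pid=host: host processes are visible and signalable")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0].endswith("docker.sock"):
            issues.append(f"docker socket mounted ({bind}): equivalent to root on the host")
    if not hc.get("Memory") or not hc.get("PidsLimit"):
        issues.append("no memory and/or PID limit: a fork bomb or leak can take the host down")
    if cfg.get("User", "") in ("", "root", "0"):
        issues.append("runs as root (Config.User empty): set USER in the Dockerfile or pass --user")
    return issues


def audit(inspect_json: str) -> dict:
    """Map container name -> findings for every entry in a `docker inspect` dump."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


def hardened_sample() -> str:
    """The same container relaunched with the flags from the section above (constructed)."""
    entry = json.loads(SAMPLE_INSPECT)[0]
    entry["Config"]["User"] = "1001:1001"
    entry["HostConfig"].update({
        "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges:true", "apparmor=docker-default"],
        "ReadonlyRootfs": True, "NetworkMode": "my-network",
        "Binds": ["mydata:/app/data"], "Memory": 512 * 1024 * 1024, "PidsLimit": 100,
    })
    return json.dumps([entry])


if __name__ == "__main__":
    source = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, issues in audit(source).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

Against a live host: docker inspect $(docker ps -q) | python3 audit.py. The socket check is the one to act on first; a container that can talk to the Docker daemon can start a privileged container with the host filesystem mounted, so every other flag on it is moot.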

Image Security Checklist

  • ✅ Start with minimal base images (Alpine, Distroless)
  • ✅ Use specific versions, not latest
  • ✅ Scan for vulnerabilities regularly
  • ✅ Run as non-root user
  • ✅ Don't include secrets in images (use runtime secrets)
  • ✅ Minimize attack surface (only install needed packages)
  • ✅ Use multi-stage builds (no build tools in final image)
  • ✅ Sign and verify images
  • ✅ Keep images updated

Networking Patterns

Bridge Network (Default)

```bash
# Create custom bridge network
docker network create my-bridge

# Run containers on custom bridge
docker run -d --name web --network my-bridge nginx
docker run -d --name db --network my-bridge postgres

# Containers on a user-defined bridge resolve each other by container name:
# web reaches the database at db:5432 without any port being published on the host.
# Containers on another network (or on the default bridge) cannot reach db at all,
# which is the cheapest network segmentation Docker offers.
```

Container Communication

```yaml
services:
  web:
    depends_on:
      - db
    environment:
      # Use the service name as the hostname
      - DATABASE_URL=postgresql://user:pass@db:5432/app

  db:
    image: postgres:15-alpine
```

Port Publishing

```bash
# Publish single port (binds 0.0.0.0 on the host)
docker run -p 8080:80 nginx

# Publish range of ports
docker run -p 8080-8090:8080-8090 myapp

# Publish to a specific interface only (loopback here: reachable from the host, not from the network)
docker run -p 127.0.0.1:8080:80 nginx

# Publish all EXPOSEd ports to random high host ports
docker run -P nginx
```

Docker programs published ports straight into the host's iptables chains, ahead of host-managed firewall rules such as ufw, so a port published without an address is reachable from the network even when the host firewall appears to block it. Bind to 127.0.0.1 for anything that only a local reverse proxy should reach.

Storage Patterns

Named Volumes (Recommended for Data)

```bash
# Create and use named volume
docker volume create app-data
docker run -v app-data:/app/data myapp

# Automatic creation
docker run -v app-data:/app/data myapp   # Creates the volume if it doesn't exist
```

Bind Mounts (Development)

```bash
# Live code reload during development
docker run -v "$(pwd)/src:/app/src" myapp

# Read-only bind mount (the container cannot modify the host files)
docker run -v "$(pwd)/config:/app/config:ro" myapp
```

tmpfs Mounts (Temporary In-Memory)

```bash
# Store temporary data in memory (never written to the host disk, gone when the container stops)
docker run --tmpfs /tmp myapp
```

Volume Backup & Restore

```bash
# Backup volume: archive the volume's contents with relative paths (-C /data .), so a restore
# lands in /data itself rather than in /data/data/
docker run --rm -v app-data:/data -v "$(pwd)":/backup alpine \
    tar czf /backup/backup.tar.gz -C /data .

# Restore volume (stop the containers using the volume first, or the restore races live writes)
docker run --rm -v app-data:/data -v "$(pwd)":/backup alpine \
    tar xzf /backup/backup.tar.gz -C /data
```
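
This script packs and restores a directory the way the two tar commands above do inside the helper container, and adds the check a backup is worthless without: a checksum recorded at backup time and verified before restore, a refusal to extract members that would escape the target, and a comparison of the restored tree against the original. Added example, not part of the original guide; temporary directories and constructed files stand in for the mounted volume (/data) and the backup mount (/backup).

```python
"""Backup and verified restore of a volume directory
(added example; not part of the original guide)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_digest(root: Path) -> dict:
    """Relative path -> sha256 of every file under root (order-independent)."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def backup(volume: Path, archive: Path) -> str:
    """Pack `volume` with relative member names (tar czf ... -C /data .) so a restore
    lands in the target itself, not in <target>/data/. Returns the archive's sha256,
    to be stored next to the archive and checked before any restore."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(volume, arcname=".")
    return hashlib.sha256(archive.read_bytes()).hexdigest()


def restore(archive: Path, target: Path, expected_sha256: str) -> int:
    """Verify the archive, refuse members that could escape `target` or are links,
    then extract (tar xzf ... -C /data). Returns the number of files restored."""
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected_sha256:
        raise ValueError("backup archive checksum mismatch: refusing to restore")
    with tarfile.open(archive, "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
                raise ValueError(f"unsafe member: {m.name}")
        if hasattr(tarfile, "data_filter"):      # Python 3.12+ (and backports): extra hardening
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)
    return sum(1 for m in members if m.isfile())


def roundtrip() -> bool:
    """Create a fake volume, back it up, restore it elsewhere, compare digests."""
    with tempfile.TemporaryDirectory() as tmp:
        data, bak, restored = (Path(tmp) / n for n in ("data", "backup", "restored"))
        (data / "db").mkdir(parents=True)
        bak.mkdir()
        restored.mkdir()
        # Constructed sample contents
        (data / "db" / "app.sqlite").write_bytes(b"constructed sample\x00\x01\x02")
        (data / "config.json").write_text('{"retention_days": 7}\n', encoding="utf-8")
        digest = backup(data, bak / "backup.tar.gz")
        restored_files = restore(bak / "backup.tar.gz", restored, digest)
        return restored_files == 2 and tree_digest(restored) == tree_digest(data)


if __name__ == "__main__":
    print("restore verified" if roundtrip() else "MISMATCH")
```

The checksum guards against a truncated or tampered archive, and the member check matters because a restore runs with write access to the volume: a crafted archive with ../ or absolute paths would otherwise write outside it.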

Troubleshooting

Debug Running Container

```bash
# View logs
docker logs -f myapp
docker logs --tail 100 myapp

# Interactive shell
docker exec -it myapp /bin/sh

# Inspect container
docker inspect myapp

# View processes
docker top myapp

# Monitor resource usage
docker stats myapp

# View changes to the filesystem since the container started (also a quick post-incident
# check: unexpected new or modified files inside a container that should be immutable)
docker diff myapp
```

Debug Build Issues

```bash
# Build with verbose output (full stdout/stderr of every RUN instead of the collapsed BuildKit view)
docker build --progress=plain -t myapp .

# Build a specific stage for testing
docker build --target build -t myapp:build .

# Get a shell in the stage that failed
docker run -it myapp:build /bin/sh

# Build without the layer cache
docker build --no-cache -t myapp .
```

Common Issues

**Container exits immediately**:
```bash
# Check logs
docker logs myapp

# Run with interactive shell
docker run -it myapp /bin/sh

# Override entrypoint
docker run -it --entrypoint /bin/sh myapp
```

**Cannot connect to container**:
```bash
# Check port mapping
docker ps
docker port myapp

# Check network
docker network inspect bridge
docker inspect myapp | grep IPAddress

# Check if the service is listening (netstat is missing from most minimal images;
# ss -tlnp, or reading /proc/net/tcp with ports in hex, needs nothing extra installed)
docker exec myapp netstat -tulpn
```

**Out of disk space**:
```bash
# Check disk usage
docker system df

# Clean up
docker system prune -a
docker volume prune
docker image prune -a
```

**Build cache issues**:
```bash
# Force rebuild without cache
docker build --no-cache -t myapp .

# Clear build cache
docker builder prune
```

Advanced Topics

Multi-Platform Builds

```bash
# Setup buildx
docker buildx create --use

# Build for multiple platforms
docker buildx build --platform linux/amd64,linux/arm64 \
  -t myapp:1.0 --push .
```

Build Optimization

```bash
# Use BuildKit (enabled by default in recent versions)
DOCKER_BUILDKIT=1 docker build -t myapp .

# Use build cache from registry
docker build --cache-from myapp:latest -t myapp:1.0 .

# Export cache to registry
docker build --cache-to type=registry,ref=myapp:buildcache \
  --cache-from type=registry,ref=myapp:buildcache \
  -t myapp:1.0 .
```

Docker Contexts

```bash
# List contexts
docker context ls

# Create remote context
docker context create remote --docker "host=ssh://user@remote"

# Use context
docker context use remote
docker ps   # Now runs on remote host

# Switch back to default
docker context use default
```

Quick Reference

Most Common Commands

| Task | Command |
|------|---------|
| Build image | `docker build -t myapp:1.0 .` |
| Run container | `docker run -d -p 8080:3000 myapp:1.0` |
| View logs | `docker logs -f myapp` |
| Shell into container | `docker exec -it myapp /bin/sh` |
| Stop container | `docker stop myapp` |
| Remove container | `docker rm myapp` |
| Start Compose | `docker compose up -d` |
| Stop Compose | `docker compose down` |
| View Compose logs | `docker compose logs -f` |
| Clean up all | `docker system prune -a` |

Recommended Base Images

| Language/Framework | Recommended Base |
|--------------------|------------------|
| Node.js | `node:20-alpine` |
| Python | `python:3.11-slim` |
| Java | `eclipse-temurin:21-jre-alpine` |
| Go | `scratch` (for compiled binary) |
| .NET | `mcr.microsoft.com/dotnet/aspnet:8.0-alpine` |
| PHP | `php:8.2-fpm-alpine` |
| Ruby | `ruby:3.2-alpine` |
| Static sites | `nginx:alpine` |

Additional Resources

Summary

Docker containerization provides:
  • Consistency across development, testing, and production
  • Isolation for applications and dependencies
  • Portability across different environments
  • Efficiency through layered architecture and caching
  • Scalability for microservices and distributed systems
Use multi-stage builds, run as a non-root user, pin specific image versions, implement health checks, scan images for vulnerabilities, and configure resource limits to produce production-ready containerized applications.