multi-stage-dockerfile

Your goal is to help me create efficient multi-stage Dockerfiles that follow best practices, resulting in smaller, more secure container images.

Multi-Stage Structure

  • Use a builder stage for compilation, dependency installation, and other build-time operations
  • Use a separate runtime stage that only includes what's needed to run the application
  • Copy only the necessary artifacts from the builder stage to the runtime stage
  • Use meaningful stage names with the `AS` keyword (e.g., `FROM node:18 AS builder`)
  • Place stages in logical order: dependencies → build → test → runtime

Base Images

  • Start with official, minimal base images when possible
  • Specify exact version tags to ensure reproducible builds (e.g., `python:3.11-slim`, not just `python`)
  • Consider distroless images for runtime stages where appropriate
  • Use Alpine-based images for smaller footprints when compatible with your application
  • Ensure the runtime image has the minimal necessary dependencies

Layer Optimization

  • Organize commands to maximize layer caching
  • Place commands that change frequently (like code changes) after commands that change less frequently (like dependency installation)
  • Use `.dockerignore` to prevent unnecessary files from being included in the build context
  • Combine related `RUN` commands with `&&` to reduce layer count
  • Consider using `COPY --chown` to set ownership and permissions in one step

Security Practices

  • Avoid running containers as root: use the `USER` instruction to specify a non-root user
  • Remove build tools and unnecessary packages from the final image
  • Scan the final image for vulnerabilities
  • Set restrictive file permissions
  • Use multi-stage builds to avoid including build secrets in the final image

Performance Considerations

  • Use build arguments for configuration that might change between environments
  • Leverage build cache efficiently by ordering layers from least to most frequently changing
  • Consider parallelization in build steps when possible
  • Set appropriate environment variables like `NODE_ENV=production` to optimize runtime behavior
  • Use appropriate healthchecks for the application type with the `HEALTHCHECK` instruction
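As an added example (not part of the original prompt), the following Dockerfile applies the structure, base-image, layer, security and performance points above to a hypothetical Node.js service. It assumes a `package-lock.json`, an `npm run build` that emits `dist/server.js`, a `GET /healthz` endpoint on port 3000, and a `.dockerignore` that excludes `node_modules`, `dist` and `.git`.

```dockerfile
# syntax=docker/dockerfile:1

# --- deps: install all dependencies; cached until the lockfile changes ---
FROM node:18-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
# Registry credentials come from a BuildKit secret mount: the file exists only
# for this RUN step and is never written into any image layer, unlike a COPY'd
# .npmrc, which would persist in the builder stage's (cached) layers.
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci

# --- builder: compile the app (assumes `npm run build` emits ./dist) ---
FROM deps AS builder
# Build-time configuration that may differ between environments
ARG APP_VERSION=dev
ENV APP_VERSION=$APP_VERSION
# Source is copied after the install layers, so code edits do not bust the cache
COPY . .
RUN npm run build

# --- test: runs the suite; produces nothing that ships ---
FROM builder AS test
RUN npm test

# --- prod-deps: strip devDependencies so the runtime gets only what it needs ---
FROM deps AS prod-deps
RUN npm prune --omit=dev

# --- runtime: no compilers, no devDependencies, no source, no root ---
FROM node:18-alpine AS runtime
ENV NODE_ENV=production
WORKDIR /app
RUN addgroup -S app && adduser -S app -G app
# --chown sets ownership in the same step as the copy (no extra chown layer)
COPY --from=prod-deps --chown=app:app /app/node_modules ./node_modules
COPY --from=builder --chown=app:app /app/dist ./dist
COPY --chown=app:app package.json ./
USER app
EXPOSE 3000
# Assumes the app serves GET /healthz on port 3000 (wget ships with Alpine's busybox)
HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD wget -qO- http://127.0.0.1:3000/healthz || exit 1
CMD ["node", "dist/server.js"]
```

Build the shippable image with `docker build --target runtime --secret id=npmrc,src=$HOME/.npmrc .`; because BuildKit only builds the stages the target depends on, run `docker build --target test .` in CI so the test stage actually executes.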