Docker
Overview
Docker packages applications into isolated containers that run consistently across environments. A Dockerfile defines the image build steps, Compose orchestrates multi-container services, and production patterns ensure small, secure, performant images.
When to use: Containerizing applications, creating reproducible dev environments, orchestrating multi-service stacks, deploying to container platforms (ECS, Kubernetes, Fly.io, Railway, Coolify).
When NOT to use: Simple static sites with no backend (use CDN deploy), single-binary CLI tools (distribute the binary), or when the target platform has native buildpacks (Heroku, Vercel) and you don't need container control.
Quick Reference
| Pattern | Approach | Key Points |
|---|---|---|
| Multi-stage build | Separate builder and runtime stages | 80%+ image size reduction, no dev deps in production |
| Layer caching | Copy lockfile first, install, then copy source | Dependency layer cached across builds |
| Non-root user | Use in final stage | Never run production containers as root |
| Health check | | Enables orchestrator restart on failure |
| Exclude | | Smaller build context, faster builds |
| Compose services | | Dev environment in one command |
| Compose override | | Environment-specific config without duplication |
| Named volumes | In Compose | Survives container recreation |
| Build cache mount | | Persistent cache across builds |
| Secrets in build | | Never bake secrets into image layers |
| Image pinning | Pin to major.minor or digest | Reproducible builds, avoid surprise breakage |
| Container networking | Custom bridge networks with service discovery | Containers resolve each other by service name |
| Compose watch | | Live reload without volume mounts |
| Init process | | Proper signal handling and zombie reaping |
| Multi-platform | | ARM (Apple Silicon, Graviton) + x86 in one image |
| Monorepo prune | | Minimal build context from workspace dependencies |
| CI layer caching | With GHA or registry backend | Avoid full rebuilds in CI pipelines |
| Debug containers | | Inspect running containers and image layers |
Common Mistakes
| Mistake | Correct Pattern |
|---|---|
| Installing dev dependencies in production image | Multi-stage build: install in builder, copy artifacts to runtime |
| Copying source before installing dependencies | Copy lockfile first, install, then copy source |
| Running as root in production | Create non-root user, use it in final stage |
| Hardcoding secrets in Dockerfile or ENV | Use build secrets |
| Using an unpinned base image tag | Pin to specific version |
| Nothing excluded from the build context | Exclude unneeded files for a smaller build context |
| HEALTHCHECK missing | Add health check for orchestrator integration |
| Using large base images | Use alpine variants |
| Building entire monorepo for one service | Use Turborepo prune for a minimal build context |
| No layer caching in CI | Use a GHA or registry cache backend |
| Building only for x86 when deploying to ARM | Use Buildx multi-platform builds |
Delegation
- Dockerfile review: Use `Task` agent to audit Dockerfiles for size, security, and caching
- Compose exploration: Use `Explore` agent to discover existing Docker configurations
- Architecture decisions: Use `Plan` agent for container orchestration strategy
If the `ci-cd-architecture` skill is available, delegate CI/CD pipeline and deployment strategy to it. If the `application-security` skill is available, delegate container security scanning and hardening review to it.
References
- Dockerfile patterns: multi-stage builds, layer caching, and image optimization
- Compose: services, networking, volumes, and environment management
- Security: non-root users, secrets, scanning, and production hardening
- Buildx: multi-platform builds for ARM and x86
- CI: GitHub Actions caching, registry push, and automated builds
- Monorepo: Turborepo prune, pnpm workspaces, and selective builds
- Debugging: logs, exec, inspect, layer analysis, and network troubleshooting