Container Best Practices
Core Principles Matrix
CONTAINER BEST PRACTICES
1. Security First
2. Resource Efficiency
3. Maintainability
4. Scalability
5. Monitoring
Image Best Practices
DO's
# Use specific, pinned versions
FROM node:18.12.1-alpine
# Multi-stage builds
FROM node:18.12.1-alpine AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build
FROM node:18.12.1-alpine
COPY --from=builder /app/dist ./dist
CMD ["node", "dist/main.js"]
# Group RUN commands into a single layer
RUN apt-get update && \
apt-get install -y \
package1 \
package2 && \
rm -rf /var/lib/apt/lists/*
DON'Ts
# Avoid the latest tag
FROM node:latest
# Avoid multiple RUN instructions (one layer each)
RUN apt-get update
RUN apt-get install package1
RUN apt-get install package2
# Don't store secrets in the image
ENV API_KEY="secret123"
Security Guidelines
Container Hardening
# Use non-root user
FROM alpine
RUN adduser -D appuser
USER appuser
# Read-only root filesystem
docker run --read-only nginx
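An added example, not code from the original page: a small Dockerfile linter that mechanically checks the image DON'Ts above (unpinned or latest base image, separate RUN apt-get layers, secrets in ENV/ARG) together with the non-root USER rule from this section and the HEALTHCHECK rule from the monitoring section. The sample Dockerfile and the secret-name pattern are constructed for illustration.

```python
import re

# Constructed sample that breaks the DON'Ts above (not from the page).
BAD_DOCKERFILE = """\
FROM node:latest
RUN apt-get update
RUN apt-get install -y package1
ENV API_KEY="secret123"
CMD ["node", "dist/main.js"]
"""

# Heuristic: variable names that usually carry credentials (assumption).
SECRET_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSW", re.I)

def parse_instructions(text):
    # Join backslash-continued lines, drop comments, return (INSTRUCTION, args).
    joined = re.sub(r"\\\s*\n", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            op, _, args = line.partition(" ")
            out.append((op.upper(), args.strip()))
    return out

def lint_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    inst = parse_instructions(text)
    froms = [i for i, (op, _) in enumerate(inst) if op == "FROM"]
    if not froms:
        return ["no FROM instruction"]
    findings = []
    for op, args in inst:
        if op == "FROM":            # pin base images: reject :latest or no tag
            image = args.split()[0]
            name = image.split("@")[0].rsplit("/", 1)[-1]
            if ":" not in name or name.endswith(":latest"):
                findings.append(f"unpinned base image: {image}")
        elif op in ("ENV", "ARG"):  # secrets must not be baked into layers
            key = re.split(r"[= ]", args, maxsplit=1)[0]
            if SECRET_NAME_RE.search(key):
                findings.append(f"possible secret in {op}: {key}")
    apt_runs = sum(1 for op, a in inst if op == "RUN" and "apt-get" in a)
    if apt_runs > 1:                # each RUN is a layer; group apt-get calls
        findings.append(f"{apt_runs} separate RUN apt-get layers; group them")
    final = inst[froms[-1]:]        # only the last stage ships in the image
    if not any(op == "USER" and a not in ("root", "0") for op, a in final):
        findings.append("final stage runs as root (no USER instruction)")
    if not any(op == "HEALTHCHECK" for op, _ in final):
        findings.append("no HEALTHCHECK in final stage")
    return findings
```

Run `lint_dockerfile(open("Dockerfile").read())` against a real build context; the multi-stage Dockerfile from the DO's section, with a USER and HEALTHCHECK added to its final stage, produces no findings.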
Secrets Management
# Use Docker secrets
docker secret create app_secret secret.txt
docker service create \
--secret app_secret \
myapp
# Avoid environment variables for secrets
docker run -e "API_KEY=secret" myapp
Resource Management
Resource Limits
# Set resource limits
docker run \
--cpus=".5" \
--memory="512m" \
--memory-swap="1g" \
nginx
Monitoring Setup
# Health checks
HEALTHCHECK --interval=5m --timeout=3s \
CMD curl -f http://localhost/ || exit 1
# Resource monitoring
docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}"
Networking Best Practices
Network Security
# Use custom networks
docker network create --driver bridge mynetwork
# Isolate containers
docker run --network mynetwork nginx
Network Configuration
version: '3.8'
services:
  web:
    networks:
      frontend:
      backend:
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true
Storage Best Practices
Volume Management
# Named volumes
docker volume create mydata
docker run -v mydata:/data nginx
# Backup volumes
docker run --rm -v mydata:/data \
-v $(pwd):/backup alpine \
tar cvf /backup/backup.tar /data
Logging Best Practices
Log Configuration
# JSON log driver
docker run --log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=3 \
nginx
Log Aggregation
logging:
  driver: "fluentd"
  options:
    fluentd-address: localhost:24224
    tag: docker.{{.Name}}
Development Workflow
Development Environment
version: '3.8'
services:
  dev:
    build:
      context: .
      target: development
    volumes:
      - .:/app
      - /app/node_modules
    command: npm run dev
Testing Environment
version: '3.8'
services:
  test:
    build:
      context: .
      target: test
    command: npm test
Production Checklist
Pre-Deployment
[ ] Image optimized
[ ] Security scan performed
[ ] Resource limits defined
[ ] Health checks implemented
[ ] Logs configured
[ ] Backups planned
[ ] Monitoring set up
Post-Deployment
[ ] Performance verified
[ ] Logs analyzed
[ ] Metrics collected
[ ] Alerts configured
[ ] Backup tested
Best Practices Matrix
Security
| Practice | Description | Priority |
|---|---|---|
| Non-root user | Run as a non-root user | High |
| Read-only FS | Use a read-only filesystem | High |
| Scan images | Run a vulnerability scanner | High |
| Secrets | Use Docker secrets | High |
Performance
| Practice | Description | Priority |
|---|---|---|
| Resource limits | Define resource limits | High |
| Multi-stage | Use multi-stage builds | Medium |
| Layer caching | Optimize layer caching | Medium |
| Compression | Compress artifacts | Low |
Waifu Best Practice Tips
Quick Reference
Essential Commands
# Security scan
docker scan myimage
# Resource monitoring
docker stats
# Health check
docker inspect --format='{{.State.Health.Status}}' container_name
# Network inspect
docker network inspect bridge
Next Steps
16 April 2025