Skip to content

Docker — Operations

Scope

Production container operations, image management, networking, storage, security hardening, and monitoring.

Image Management

Build Optimization

# Multi-stage build (reduce image size by 80%+)
FROM node:22-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM node:22-alpine AS runtime
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
CMD ["node", "dist/main.js"]
Strategy Impact Notes
Multi-stage builds 50-90% size reduction Separate build and runtime stages
Alpine base images 70% smaller than Debian May have musl libc issues
.dockerignore Faster builds Exclude node_modules, .git, etc.
Layer caching 10x faster rebuilds Order COPY commands by change frequency
--mount=type=cache Persistent caches Package manager caches across builds

Image Security

# Scan for vulnerabilities
docker scout cves myimage:latest
trivy image myimage:latest

# Sign images
cosign sign --key cosign.key myregistry.io/myimage:latest

Container Runtime

Resource Limits

# Run with resource constraints
docker run -d \
  --memory=512m --memory-swap=1g \
  --cpus=2.0 \
  --pids-limit=100 \
  --read-only \
  --tmpfs /tmp:rw,noexec,nosuid,size=64m \
  myapp:latest

Health Checks

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1

Compose in Production

# docker-compose.prod.yml
services:
  web:
    image: myapp:${TAG}
    deploy:
      replicas: 3
      resources:
        limits:
          cpus: '2.0'
          memory: 512M
      restart_policy:
        condition: on-failure
        max_attempts: 3
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 5s
      retries: 3

Common Issues

Issue Diagnosis Fix
Container OOMKilled docker inspect --format='{{.State.OOMKilled}}' Increase memory limit or fix leak
Disk space exhausted docker system df docker system prune -a --volumes
DNS resolution fails docker exec -it app nslookup host Check Docker DNS (127.0.0.11)
Slow builds Layer cache invalidation Reorder Dockerfile, use BuildKit
Port conflict docker port <container> Change host port mapping

Monitoring

# Real-time resource usage
docker stats --format "table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}"

# Container logs
docker logs --since 1h --tail 100 -f <container>

# Events stream
docker events --since '2026-04-12T00:00:00' --filter type=container