Production

Best Practices

Follow Docker best practices for security, performance, and maintainability.

Security Best Practices

  • Don't run containers as root — create a non-root user
  • Use official, verified base images
  • Scan images for vulnerabilities (docker scout)
  • Keep images small (use Alpine base images)
  • Don't store secrets in Dockerfiles or images — use environment variables or secrets managers

Performance Best Practices

  • Leverage layer caching by ordering Dockerfile instructions
  • Use multi-stage builds to minimize image size
  • Use .dockerignore to exclude unnecessary files
  • Set resource limits (--memory, --cpus)

Production Tips

  • Tag images with specific versions, not just latest
  • Use health checks
  • Implement graceful shutdown
  • Log to stdout/stderr (not files)

Example

bash
# .dockerignore
node_modules
npm-debug.log
.git
.gitignore
.env
*.md
docs/
tests/
coverage/

# Security - non-root user in Dockerfile
RUN addgroup --system --gid 1001 nodejs && \
    adduser --system --uid 1001 nextjs
USER nextjs

# Resource limits
docker run -d \
  --memory="512m" \
  --cpus="0.5" \
  my-app

# Health check in Dockerfile (curl must be installed in the image)
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

# Image scanning
docker scout cves my-app:latest
docker scout recommendations my-app:latest

# Tagging for production
docker build -t my-app:1.2.3 .
docker tag my-app:1.2.3 registry.example.com/my-app:1.2.3
docker push registry.example.com/my-app:1.2.3

# Cleanup
docker system prune              # remove stopped containers, unused networks, dangling images, build cache
docker system prune -a           # also remove all unused images, not just dangling ones
docker volume prune              # remove unused volumes
docker image prune               # remove dangling images

# View resource usage
docker stats                    # live resource usage
docker system df                # disk usage
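
Several of the practices above (non-root user, version-pinned base image, no secrets in ENV/ARG, a health check) are visible in the Dockerfile itself and can be checked mechanically, for example in CI. The following Python script is an added example, not part of the original page; `audit`, `SECRET_NAME` and `SAMPLE` are its own names, and the sample Dockerfile is constructed. It assumes only the Dockerfile text is available, so a USER or HEALTHCHECK inherited from an external base image is not detected.

```python
import re

SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY", re.I)

# Constructed sample input that breaks several of the practices listed above.
SAMPLE = """\
FROM node:latest AS build
ENV API_TOKEN=abc123
COPY . /app
FROM node
COPY --from=build /app /app
CMD ["node", "/app/server.js"]
"""

def audit(dockerfile: str) -> list[str]:
    """Return findings for checklist items visible in the Dockerfile text."""
    findings, stages, name, user, health = [], {}, None, None, False
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join line continuations
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr, args = instr.upper(), rest.split()
        if instr == "FROM":
            args = [a for a in args if not a.startswith("--")]  # drop --platform
            image = args[0]
            inherited = image.lower() in stages
            # A stage built FROM an earlier stage inherits its USER/HEALTHCHECK.
            user, health = stages.get(image.lower(), (None, False))
            name = args[2].lower() if len(args) == 3 and args[1].upper() == "AS" else None
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            pinned = "@" in image or tag not in ("", "latest")  # digest or version tag
            if not (inherited or pinned or image == "scratch"):
                findings.append(f"unpinned base image: {image}")
        elif instr in ("ENV", "ARG"):
            names = [a.split("=")[0] for a in args if "=" in a] or args[:1]
            findings += [f"possible secret in {instr}: {n}"
                         for n in names if SECRET_NAME.search(n)]
        elif instr == "USER":
            user = rest.split(":")[0].strip()
        elif instr == "HEALTHCHECK":
            health = rest.strip().upper() != "NONE"
        if name:
            stages[name] = (user, health)  # remember state of named stages
    if user in (None, "root", "0"):
        findings.append("final stage runs as root")
    if not health:
        findings.append("no HEALTHCHECK in final stage")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per violated practice; an empty list means none of these checks fired, which complements rather than replaces an image scan.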