# Martin Heinz - Building Docker Images The Proper Way (Highlights)

![rw-book-cover|256](https://readwise-assets.s3.amazonaws.com/static/images/article3.5c705a01b476.png)

## Metadata
**Cover**:: https://readwise-assets.s3.amazonaws.com/static/images/article3.5c705a01b476.png
**Source**:: #from/readwise
**Zettel**:: #zettel/fleeting
**Status**:: #x
**Authors**:: [[Martin Heinz]]
**Full Title**:: Building Docker Images The Proper Way
**Category**:: #articles #readwise/articles
**Category Icon**:: 📰
**URL**:: [martinheinz.dev](https://martinheinz.dev/blog/42)
**Host**:: [[martinheinz.dev]]
**Highlighted**:: [[2021-02-21]]
**Created**:: [[2022-09-26]]

## Highlights
- Building Docker Images The Proper Way
- Caching For Speedy Builds
- Starting with system libraries and tools
- Alternatively you could even extract all these out into a separate Dockerfile to build your own base image.
- After system libraries we usually want to install application dependencies.
- we have to copy files in 2 steps:
- First we add the file that lists all application dependencies and install them.
- Only then we copy the rest of the (modified) sources into the image
- `# syntax=docker/dockerfile:experimental`
- `RUN --mount=type=cache,target=/root/.m2`
- `DOCKER_BUILDKIT=1 docker build -t name:tag .`
- you will need a Docker daemon, that can be deployed using Docker in Docker (DinD)
- Slimming Them Down
- Another good approach is to use multi-step Docker builds
- Locking Things Down
- lock versions of all libraries, packages, tools and base images
- it's best to avoid running containers as root.
- You should therefore include `USER 1001` in your Dockerfiles to signify that containers created from your Dockerfiles should and can run as a non-root (ideally arbitrary) user.
- One such image - or rather set of images - is Distroless made by Google. #further-reading #rl https://github.com/GoogleContainerTools/distroless
- we should not allow Docker to run with the root user, but rather use so-called rootless mode.
  There's a whole guide on how one can set that up in Docker docs #further-reading #rl https://docs.docker.com/engine/security/rootless/
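
An added example, not from the article or from these highlights: a small Python check for the "Locking Things Down" points above, flagging base images without a fixed tag or digest and a final stage that lacks an explicit non-root `USER`. The sample Dockerfile, the registry name `example.local:5000` and the function names are constructed for illustration.

```python
import re

# Constructed sample (not from the article): unpinned bases, root final stage.
SAMPLE = """\
# syntax=docker/dockerfile:experimental
FROM maven AS build
COPY pom.xml .
RUN --mount=type=cache,target=/root/.m2 mvn dependency:go-offline
COPY src ./src
RUN --mount=type=cache,target=/root/.m2 mvn package
FROM example.local:5000/runtime
COPY --from=build /target/app.jar /app.jar
USER root
"""

def is_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    # Look for the tag only in the last path component, so a registry
    # port such as example.local:5000 is not mistaken for a tag.
    tag = image.rsplit("/", 1)[-1].partition(":")[2]
    return tag not in ("", "latest")

def lint(dockerfile):
    """Return findings for unpinned base images and a root/implicit final user."""
    findings, stages, user = [], set(), None
    text = re.sub(r"\\\s*\n", " ", dockerfile)  # join continued lines
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        op = parts[0].upper()
        if op == "FROM":
            args = [p for p in parts[1:] if not p.startswith("--")]  # drop --platform=
            if not args:
                continue
            user = None  # this check wants an explicit USER in every stage
            image = args[0]
            # Earlier stage names and 'scratch' are not registry images.
            if image.lower() not in stages | {"scratch"} and not is_pinned(image):
                findings.append(f"unpinned base image '{image}'")
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
        elif op == "USER":
            user = parts[1].split(":")[0]  # accept user:group and uid:gid
    if user is None:
        findings.append("final stage has no USER instruction")
    elif user in ("root", "0"):
        findings.append("final stage runs as root")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

The check requires an explicit `USER` in the last stage even when the stage builds on an earlier one, which is stricter than Docker's own inheritance but matches the highlight's advice to state it in the Dockerfile.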