Mastering Docker: A Complete Guide to Containerization and Modern DevOps

📘 Chapter 2: Building and Managing Docker Images

🧠 What is a Docker Image?

A Docker image is a read-only template used to create containers. It includes everything your application needs to run:

• Code
• Runtime
• Libraries
• Environment variables
• Configuration files

Every container starts from an image. You can:

• Pull prebuilt images from Docker Hub
• Build your own custom images using a Dockerfile

🧱 Dockerfile: Your Image Blueprint

A Dockerfile is a plain text file with step-by-step instructions to build a Docker image. Think of it as a recipe for creating a container environment.

🔹 Basic Dockerfile Example

Dockerfile

# Start from the official Node.js image

FROM node:18

# Set the working directory inside the container

WORKDIR /app

# Copy package files and install dependencies

COPY package*.json ./

RUN npm install

# Copy the rest of your app

COPY . .

# Command to run the app

CMD ["node", "server.js"]

🔍 Explanation of Instructions

🛠️ Building Docker Images

To build an image from a Dockerfile:

bash

docker build -t my-node-app .

✅ Verify the Image

bash

docker images

You’ll see your image listed:

perl

REPOSITORY     TAG       IMAGE ID       CREATED          SIZE

my-node-app    latest    f3d20f3ab991   5 seconds ago    134MB

🔁 Understanding Image Layers and Caching

Each instruction in a Dockerfile creates a layer in the image. These layers:

• Are cached during builds
• Are reused across images to save space and time
• Stack on top of each other to form a complete image

🔹 Example Layer Flow

Dockerfile

FROM node:18         # Layer 1

WORKDIR /app         # Layer 2

COPY package.json .  # Layer 3

RUN npm install      # Layer 4

COPY . .             # Layer 5

CMD ["node", "app"]  # Layer 6

If you rebuild your image and only the code has changed, Docker can reuse layers up to npm install, saving time.

🧠 Best Practice: Put the most frequently changed instructions (like COPY . .) at the bottom of the Dockerfile to maximize cache usage.

🔒 Using .dockerignore

Just like .gitignore, the .dockerignore file prevents copying unnecessary files (like node_modules, .git, or local logs) into the Docker image.

📄 Example .dockerignore:

nginx

node_modules

.git

*.log

Dockerfile*

docker-compose.yml

This makes your image smaller, faster to build, and more secure.

🧪 Optimizing Builds with Multi-Stage Dockerfiles

Sometimes, your image ends up bloated because you include build tools, compilers, or test files — even though they’re not needed in production.

Multi-stage builds help solve this by separating the build and runtime environments, producing lean, production-ready images.

🔹 Example: Node.js App with Build + Runtime Separation

Dockerfile

# Stage 1: Build

FROM node:18 AS builder

WORKDIR /app

COPY . .

RUN npm install && npm run build

# Stage 2: Runtime

FROM node:18-slim

WORKDIR /app

COPY --from=builder /app/dist ./dist

COPY package.json .

RUN npm install --only=production

CMD ["node", "dist/app.js"]

🔍 What’s Happening:

• In the first stage, we run a full build.
• In the second stage, we only copy the final output (dist) and install minimal dependencies.
• Result: A much smaller, secure image with no dev dependencies or build tools.

📏 Comparing Image Sizes

🧠 Use node:alpine, python:slim, or golang:distroless for even smaller builds.

🏷️ Image Tagging and Versioning

Tagging helps track versions and environments (e.g., latest, v1.0.1, staging, dev).

🔹 Tag While Building

bash

docker build -t username/myapp:1.0.0 .

🔹 List All Tags Locally

bash

docker images

🔹 Rename an Image (Re-Tag)

bash

docker tag myapp myapp:latest

✅ Tagging Best Practices

🧠 Never rely solely on latest in production pipelines. Be explicit.

☁️ Pushing Images to Docker Hub

Once you’ve tagged your image, you can publish it to Docker Hub so others (or your CI/CD pipeline) can pull and use it.

🔹 Step 1: Log in

bash

docker login

🔹 Step 2: Tag Your Image

bash

docker tag myapp username/myapp:v1.0.0

🔹 Step 3: Push to Hub

bash

docker push username/myapp:v1.0.0

🔐 You can also set up private repositories on Docker Hub or use other registries like GitHub Container Registry, Amazon ECR, or Google Artifact Registry.

🔹 Pulling an Image

Anyone with access can now run:

bash

docker pull username/myapp:v1.0.0

🔎 Inspecting Image History and Layers

You can analyze how your image was built:

🔹 View Image History

bash

docker history myapp

Output:

css

IMAGE          CREATED        SIZE      COMMENT

<image_id>     1 minute ago   135MB     CMD ["node", "app.js"]

🔹 Dive into Image Layers (Tool)

Install and run dive to visualize and explore your image layer-by-layer for optimizations.

bash

dive myapp

🔐 Best Practices for Secure Docker Images

Security is crucial when building and distributing Docker images — especially for production use.

🔹 1. Use Trusted Base Images

Avoid random or unofficial images. Use verified or official base images from Docker Hub.

Example:

Dockerfile

FROM node:18-alpine   # Official lightweight Node image

✅ Alpine-based images are minimal and reduce surface area for attacks.

🔹 2. Avoid Running as Root

By default, containers run as root, which can be dangerous. Create a non-root user in your Dockerfile:

Dockerfile

RUN adduser -D appuser

USER appuser

🔹 3. Scan for Vulnerabilities

Use scanning tools to identify known CVEs (Common Vulnerabilities and Exposures).

Popular tools:

• docker scan (integrated CLI)
• Snyk
• Trivy

bash

docker scan myapp

🔹 4. Minimize Dependencies

• Use multi-stage builds
• Remove unnecessary files and development tools
• Combine commands with && to reduce image layers

🔹 5. Pin Package Versions

Avoid unexpected behavior by locking versions:

Dockerfile

RUN npm install express@4.17.1

🧹 Cleaning Up Docker Images and Layers

Docker can accumulate a lot of unused images, containers, and volumes. Here’s how to clean up:

🔹 Remove Stopped Containers

bash

docker container prune

🔹 Remove Unused Images

bash

docker image prune

Or, remove everything not in use:

bash

docker system prune -a

⚠️ Use prune -a with caution. It will delete a lot.

🔄 Automating Docker Image Builds in CI/CD

In modern DevOps workflows, you’ll want to build and push Docker images automatically after each code change.

🔹 Example: GitHub Actions Docker Workflow

yaml

name: Build & Push Docker Image

on:

  push:

    branches: [ main ]

jobs:

  build:

    runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v3

      - name: Log in to Docker Hub

        run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin

      - name: Build the Docker image

        run: docker build -t username/myapp:${{ github.sha }} .

      - name: Push to Docker Hub

        run: docker push username/myapp:${{ github.sha }}

🔐 Store credentials as GitHub Secrets (DOCKER_USERNAME and DOCKER_PASSWORD)

🧰 Real-World Docker Image Examples

🧪 Python App

Dockerfile

FROM python:3.11-slim

WORKDIR /app

COPY requirements.txt .

RUN pip install --no-cache-dir -r requirements.txt

COPY . .

CMD ["python", "main.py"]

• Uses slim base
• Avoids pip cache
• Reduces final image size significantly

🌐 Nginx Static Site

Dockerfile

FROM nginx:alpine

COPY ./public /usr/share/nginx/html

• Fast and efficient for static frontend deployment

📏 Image Size Optimization Comparison

🧠 Always optimize images before pushing to production or CI/CD workflows.

✅ Summary: Chapter 2 Wrap-Up