[Docker] Dockerfile Best Practices (Part 1)

Reference tutorial: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/

Environment

  1. virtual box 6.1
  2. centos 7.8
  3. docker 19.03

Overview

This document covers recommended best practices and methods for building efficient images.

Docker builds images automatically by reading the instructions from a Dockerfile -- a text file that contains all commands, in order, needed to build a given image. A Dockerfile adheres to a specific format and set of instructions which you can find at Dockerfile reference.

A Docker image consists of read-only layers each of which represents a Dockerfile instruction. The layers are stacked and each one is a delta of the changes from the previous layer. Consider this Dockerfile:

FROM ubuntu:18.04
COPY . /app
RUN make /app
CMD python /app/app.py

Each instruction creates one layer:

  • FROM creates a layer from the ubuntu:18.04 Docker image.
  • COPY adds files from your Docker client’s current directory.
  • RUN builds your application with make.
  • CMD specifies what command to run within the container.

When you run an image and generate a container, you add a new writable layer (the “container layer”) on top of the underlying layers. All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer.

For more on image layers (and how Docker builds and stores images), see About storage drivers.

General guidelines and recommendations

Create ephemeral containers

The image defined by your Dockerfile should generate containers that are as ephemeral as possible. By “ephemeral”, we mean that the container can be stopped and destroyed, then rebuilt and replaced with an absolute minimum set up and configuration.

Refer to Processes under The Twelve-factor App methodology to get a feel for the motivations of running containers in such a stateless fashion.

Understand build context

When you issue a docker build command, the current working directory is called the build context. By default, the Dockerfile is assumed to be located here, but you can specify a different location with the file flag (-f). Regardless of where the Dockerfile actually lives, all recursive contents of files and directories in the current directory are sent to the Docker daemon as the build context.

Build context example

Create a directory for the build context and cd into it. Write “hello” into a text file named hello and create a Dockerfile that runs cat on it. Build the image from within the build context (.):

mkdir myproject && cd myproject
echo "hello" > hello
echo -e "FROM busybox\nCOPY /hello /\nRUN cat /hello" > Dockerfile
docker build -t helloapp:v1 .

Move Dockerfile and hello into separate directories and build a second version of the image (without relying on cache from the last build). Use -f to point to the Dockerfile and specify the directory of the build context:

mkdir -p dockerfiles context
mv Dockerfile dockerfiles && mv hello context
docker build --no-cache -t helloapp:v2 -f dockerfiles/Dockerfile context

Inadvertently including files that are not necessary for building an image results in a larger build context and larger image size. This can increase the time to build the image, time to pull and push it, and the container runtime size. To see how big your build context is, look for a message like this when building your Dockerfile:

Sending build context to Docker daemon  187.8MB
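
The size in that message can be estimated before building, which also shows exactly which files would be handed to the daemon. The script below is an added example, not part of the original tutorial; the function names are hypothetical, it assumes no exclusions are applied, and its byte count is approximate because the context is packed into an archive before it is sent.

```shell
#!/bin/sh
# Added example: estimate what `docker build <dir>` would send as build context.
# Assumption: no exclusions are applied; every regular file under <dir> counts.

# Total bytes of all regular files under the context directory.
context_bytes() {
    find "$1" -type f -exec cat {} + | wc -c | tr -d ' '
}

# "<bytes><TAB><path>" for the N largest files (default 10), biggest first.
context_largest() {
    find "$1" -type f -exec sh -c '
        for f do
            printf "%s\t%s\n" "$(wc -c <"$f" | tr -d " ")" "$f"
        done' sh {} + | sort -rn | head -n "${2:-10}"
}

# Succeeds only when the context fits a byte budget; usable as a pre-build gate.
context_within() {
    [ "$(context_bytes "$1")" -le "$2" ]
}

# Constructed sample mirroring the second layout above (dockerfiles/ + context/).
demo=$(mktemp -d)
mkdir -p "$demo/dockerfiles" "$demo/context"
printf 'FROM busybox\nCOPY /hello /\nRUN cat /hello\n' > "$demo/dockerfiles/Dockerfile"
echo "hello" > "$demo/context/hello"
# Constructed stray file that the build does not need.
dd if=/dev/zero of="$demo/debug.dump" bs=1024 count=64 2>/dev/null

echo "context = project root: $(context_bytes "$demo") bytes"
echo "context = context/:     $(context_bytes "$demo/context") bytes"
context_largest "$demo" 3
```

Pointing the build at the narrow `context` directory sends 6 bytes instead of the whole project tree, and the largest-files listing makes an unneeded file such as the dump easy to spot before a `COPY .` puts it into a layer.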

Summary

This post introduced the overview and general guidelines of Dockerfile best practices.