[Docker] Docker Development Best Practices

Reference tutorial: https://docs.docker.com/develop/dev-best-practices/

Environment

  1. VirtualBox 6.1
  2. CentOS 7.8
  3. Docker 19.03

How to keep images small

Small images are faster to pull over the network and faster to load into memory when starting containers or services. There are a few rules of thumb to keep image size small:

  • Start with an appropriate base image. For instance, if you need a JDK, consider basing your image on the official openjdk image, rather than starting with a generic ubuntu image and installing openjdk as part of the Dockerfile.

  • Use multistage builds. For instance, you can use the maven image to build your Java application, then reset to the tomcat image and copy the Java artifacts into the correct location to deploy your app, all in the same Dockerfile. This means that your final image doesn’t include all of the libraries and dependencies pulled in by the build, but only the artifacts and the environment needed to run them.

    • If you need to use a version of Docker that does not include multistage builds, try to reduce the number of layers in your image by minimizing the number of separate RUN commands in your Dockerfile. You can do this by consolidating multiple commands into a single RUN line and using your shell’s mechanisms to combine them together. Consider the following two fragments. The first creates two layers in the image, while the second only creates one.

      # Two RUN instructions: two layers
      RUN apt-get -y update
      RUN apt-get install -y python

      # One RUN instruction: one layer
      RUN apt-get -y update && apt-get install -y python
      
  • If you have multiple images with a lot in common, consider creating your own base image with the shared components, and basing your unique images on that. Docker only needs to load the common layers once, and they are cached. This means that your derivative images use memory on the Docker host more efficiently and load more quickly.

  • To keep your production image lean but allow for debugging, consider using the production image as the base image for the debug image. Additional testing or debugging tooling can be added on top of the production image.

  • When building images, always tag them with useful tags which codify version information, intended destination (prod or test, for instance), stability, or other information that is useful when deploying the application in different environments. Do not rely on the automatically-created latest tag.


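The multistage and debug-image advice above combined in one Dockerfile, as an added example that is not from the original post or the Docker documentation. The base image tags, the `app.war` artifact name and the `myapp` image name are assumptions.

```dockerfile
# Stage 1 (build): Maven and the full JDK exist only in this stage.
# Base image tags are assumptions; pin versions you have verified.
FROM maven:3.9-eclipse-temurin-17 AS build
WORKDIR /src
# Copy the POM first so the dependency layer stays cached until pom.xml changes.
COPY pom.xml .
RUN mvn -B dependency:go-offline
COPY src ./src
# Assumes the project packages to target/app.war (hypothetical artifact name).
RUN mvn -B package

# Stage 2 (prod): reset to the Tomcat image and copy in only the built artifact.
# None of the Maven cache, sources or build tooling reaches this image.
FROM tomcat:10.1-jre17 AS prod
COPY --from=build /src/target/app.war /usr/local/tomcat/webapps/ROOT.war

# Stage 3 (debug): the production image as base, plus troubleshooting tools.
# Assumes the Tomcat base image is Debian/Ubuntu-based (apt-get available).
FROM prod AS debug
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl procps \
 && rm -rf /var/lib/apt/lists/*

# Build each target explicitly, with a tag that encodes version and destination
# (image name and version number are hypothetical):
#   docker build --target prod  -t myapp:1.4.2-prod  .
#   docker build --target debug -t myapp:1.4.2-debug .
# Without --target, docker build produces the last stage (debug), so the
# production pipeline should always pass --target prod.
```
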
Where and how to persist application data

  • Avoid storing application data in your container’s writable layer using storage drivers. This increases the size of your container and is less efficient from an I/O perspective than using volumes or bind mounts.

  • Instead, store data using volumes.

  • One case where it is appropriate to use bind mounts is during development, when you may want to mount your source directory or a binary you just built into your container. For production, use a volume instead, mounting it into the same location as you mounted a bind mount during development.

  • For production, use secrets to store sensitive application data used by services, and use configs for non-sensitive data such as configuration files. If you currently use standalone containers, consider migrating to use single-replica services, so that you can take advantage of these service-only features.

Use CI/CD for testing and deployment

  • When you check in a change to source control or create a pull request, use Docker Hub or another CI/CD pipeline to automatically build and tag a Docker image and test it.

  • Take this even further by requiring your development, testing, and security teams to sign images before they are deployed into production. This way, before an image is deployed into production, it has been tested and signed off by, for instance, development, quality, and security teams.

Differences in development and production environments

| Development | Production |
| --- | --- |
| Use bind mounts to give your container access to your source code. | Use volumes to store container data. |
| Use Docker Desktop for Mac or Docker Desktop for Windows. | Use Docker Engine, if possible with userns mapping for greater isolation of Docker processes from host processes. |
| Don’t worry about time drift. | Always run an NTP client on the Docker host and within each container process and sync them all to the same NTP server. If you use swarm services, also ensure that each Docker node syncs its clocks to the same time source as the containers. |

Summary

This post covered best practices for using Docker during development.