Optimize Docker Images with Multi-Stage Builds and Distroless Bases

🐳 Docker Best Practices for Software Engineers Containers are great, but they come with unique challenges. Here's what I've learned: 1️⃣ Use Minimal Base Images Start with alpine or distroless images. Smaller attack surface = fewer vulnerabilities. 2️⃣ Scan Regularly Trivy, Clair, or Snyk - pick one and automate it into your CI/CD pipeline. 3️⃣ Run as Non-Root Configure your containers to run with the least privileges. Update your Dockerfile. 4️⃣ Network Segmentation Use Docker networks to isolate containers. Default deny, then allow what you need. 5️⃣ Secrets Management Never hardcode credentials. Use external secret stores or docker secrets. 6️⃣ Image Signing Sign your images using cosign. Verify before pulling. 7️⃣ Multi-Stage Builds Keep final images small by building in separate stages. 💡 Golden rule: Don't run as root. Always specify users in your Dockerfile. Which Docker practice do you follow religiously? #Docker #Containers #SoftwareEngineering #DevOps #BestPractices

🐳 Six months after shipping, most teams are staring at 40 CVEs and a 1.2 GB image. The skipped steps add up. Things I keep seeing missed in production: 📦 Treat image size seriously — fewer packages = fewer things to patch later 🔧 RUN cleanup has to happen in the same layer, not a separate one 🏗️ Multi-stage builds aren't an optimization, they're just correct 🔒 Running as root because it's easier is a bad trade ❤️ A container can sit at "Up" status while completely stuck — add a HEALTHCHECK 🛠️ Debug images should be separate, versioned, pulled when needed. Not baked in. ⚙️ CI should catch this, not your memory — especially digest pinning Pick one to fix this sprint. No root, or nothing extra in the runtime image. That's a reasonable starting point. Wrote this up in full 👇 🔗 https://lnkd.in/gzvydtQg #Docker #DevOps #PlatformEngineering #Kubernetes #CloudNative #ContainerSecurity

Most production issues I’ve seen were not caused by bad code. They were caused by inconsistent environments. The hardest bugs to fix are the ones you cannot reproduce. Development looks perfect. Production behaves differently. And suddenly you’re debugging: Different libraries Missing environment variables Runtime mismatches OS differences Not logic problems. Environment problems. This is the real reason Docker became essential. Not containers. Consistency. Docker enforces a simple engineering discipline: Build once. Package everything. Run the same everywhere. Because: Writing code is development. Making it predictable is engineering. Docker didn’t just introduce containers. It introduced reproducibility. And reproducibility is what production systems actually depend on. What deployment issue made you start using Docker? #Docker #DevOps #SoftwareEngineering #SystemDesign

Ever had this moment where everything is running perfectly… and suddenly your Docker container just stops working? No code changes. No clear error. Just broken. Most of the time, it’s not a big failure—it’s something small hiding in the setup: Missing or incorrect environment variables A dependency not included inside the image A cached Docker layer not updating A version mismatch between services The frustrating part is Docker doesn’t always explain it clearly—it just fails quietly. So how do you actually fix it? You don’t guess—you isolate. Start with logs (docker logs <container>). Then check what’s actually inside the container using docker exec. If things still look off, rebuild without cache (--no-cache). And always verify versions and dependencies in your image. The real trick is simple: don’t look at Docker as “one system”—break it into small parts and test step by step. Once you do that, those “random issues” stop feeling random. #Docker #DevOps #Debugging #SoftwareEngineering #Containers

Docker is the line between "it works on my machine" and "it works." One Dockerfile. One image. Runs the same everywhere. Your laptop, a server, your teammate's setup. Doesn't matter. Same result every time. That's not a convenience thing. That's the difference between a team that ships reliably and a team that spends half its time debugging environment issues. Before containers, you'd set up a server manually. Install dependencies one by one. Hope that the versions match what's running in production. If something broke, good luck figuring out what changed between environments. Docker removes all of that. You define your environment once in a Dockerfile, build an image, and every container that runs from it is identical. No guessing. No surprises. You can learn every CI/CD tool out there. But if your environments aren't consistent, none of it matters. Containers fix that at the root. #DevOps #Docker #LearningInPublic #coderco

Most developers use Docker daily — but how many actually know what's happening under the hood? Here are the 6 core components that make Docker work: 🖼️ Images — Read-only blueprints containing your app code, libraries & dependencies 📦 Containers — Running instances of images. Isolated, lightweight, self-contained ⚙️ Docker Engine — The runtime: daemon + REST API + CLI working together 📄 Dockerfile — A script that tells Docker exactly how to build your image 🗄️ Volumes — Persistent storage that survives container restarts 🔧 Docker Daemon — The background brain managing all Docker objects Understanding these isn't just theory — it makes you better at debugging, optimizing builds, and writing cleaner pipelines. Which one tripped you up the most when you first started? Drop it below 👇 #Docker #DevOps #WebDevelopment #FullStack #100DaysOfCode #MuhammadAzhanBaig #ZState

Most people think containers are about running applications. They're not. 𝐓𝐡𝐞𝐲’𝐫𝐞 𝐚𝐛𝐨𝐮𝐭 𝐜𝐨𝐧𝐭𝐫𝐨𝐥𝐥𝐢𝐧𝐠 𝐰𝐡𝐚𝐭 𝐫𝐮𝐧𝐬 𝐭𝐡𝐞 𝐚𝐩𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧. That difference sounds small until you’ve spent hours debugging why something works on one machine and fails on another. This is the shift that finally clicks: A container image isn’t just code packaged nicely. It’s the entire environment: • OS • Libraries • Runtime • Application All locked into a single artifact. Nothing gets installed at runtime. 𝐍𝐨𝐭𝐡𝐢𝐧𝐠 𝐢𝐬 “𝐦𝐢𝐬𝐬𝐢𝐧𝐠” 𝐨𝐧 𝐚𝐧𝐨𝐭𝐡𝐞𝐫 𝐬𝐲𝐬𝐭𝐞𝐦. And that’s where the real power shows up. Because now: • You’re not deploying code • You’re deploying a known, repeatable environment That’s why: • Registries don’t run anything. They store the environments • Pulling an image doesn’t start an app. Instead it prepares it • An image isn’t a container. It’s the blueprint This model is true for Podman, OpenShift, and Kubernetes. I put together a visual breakdown of this (attached). #Containers #DevOps #OpenShift

🐳 𝐂𝐌𝐃 𝐯𝐬 𝐄𝐍𝐓𝐑𝐘𝐏𝐎𝐈𝐍𝐓 𝐢𝐧 𝐃𝐨𝐜𝐤𝐞𝐫 — 𝐨𝐯𝐞𝐫𝐰𝐫𝐢𝐭𝐞 𝐯𝐬 𝐚𝐩𝐩𝐞𝐧𝐝. Two instructions. Both define what runs when a container starts. But they behave very differently. 🔹𝐂𝐌𝐃 — 𝐨𝐯𝐞𝐫𝐰𝐫𝐢𝐭𝐞𝐬 𝐜𝐨𝐦𝐩𝐥𝐞𝐭𝐞𝐥𝐲. ➡️CMD defines the default command when the container starts. But pass anything at runtime and CMD is completely overwritten. Your new command takes over entirely — the original is gone. Think of it as a default setting on your phone. It works until you decide to change it. 🔹𝐄𝐍𝐓𝐑𝐘𝐏𝐎𝐈𝐍𝐓 — 𝐚𝐩𝐩𝐞𝐧𝐝𝐬, 𝐧ot 𝐨𝐯𝐞𝐫𝐰𝐫𝐢𝐭𝐞𝐬. ➡️ENTRYPOINT defines a fixed command that always runs. Whatever you pass at runtime does not overwrite it — it gets appended to it as an argument. Think of it as the application itself. You can give it different inputs but you cannot swap the application out. 🔹𝐄𝐍𝐓𝐑𝐘𝐏𝐎𝐈𝐍𝐓 + 𝐂𝐌𝐃 𝐭𝐨𝐠𝐞𝐭𝐡𝐞𝐫 — 𝐭𝐡𝐞 𝐬𝐰𝐞𝐞𝐭 𝐬𝐩𝐨𝐭. ➡️This is where it gets powerful. ENTRYPOINT holds the fixed command. CMD holds the default argument. At runtime you can overwrite the CMD argument freely while ENTRYPOINT stays untouched — only appending whatever you pass. This is the pattern you will see most in production Dockerfiles. 𝐎𝐧𝐞 𝐥𝐢𝐧𝐞 𝐬𝐮𝐦𝐦𝐚𝐫𝐲: 𝐂𝐌𝐃= overwritten entirely when you pass a command at runtime 𝐄𝐍𝐓𝐑𝐘𝐏𝐎𝐈𝐍𝐓= not overwritten — runtime input is always appended to it Huge thanks to Varun Joshi for an incredibly clear and practical explanation of this concept. The way he breaks makes everything click instantly. Highly recommend. 🙌 #Docker #CKA #Kubernetes #DevOps #LearningInPublic #Containers

Ever had your entire project architecture almost destroyed the day before the final review? That was me today with CodeRunner, where I am building a scalable contest hosting site and remote code execution engine. I spent weeks designing it with microservices, but a teammate accidentally refactored the whole thing into a monolith and tried to push it directly to the repo. The only reason our work survived is because I had locked down the main branch. By blocking force pushes and requiring mandatory PR reviews, the system automatically rejected their changes. You should also use GitHub rulesets in your repos to avoid such situations and protect your code! It provides many options to save your branches, as you can see in the pic below where I created a ruleset for main branch protection. #BuildInPublic #SystemDesign #DevOps #Microservices #CodeRunner

🐳 Debugging Docker doesn’t have to feel like guesswork. If you’ve ever spent hours stuck on a “works on my machine” issue, you know how tricky containers can get. The key isn’t doing more it’s doing the right things first. Here are a few Docker debugging habits that consistently save time: 🔍 Start with logs → docker logs often tells you exactly what’s wrong 🧩 Jump inside the container → use interactive mode to explore in real time ⚙️ Inspect configs → environment variables, mounts, and settings matter more than you think 🌐 Verify networking → many issues come from services not talking properly 🔁 Rebuild clean → --no-cache helps eliminate hidden layer issues 📊 Monitor resources → sometimes it’s just CPU or memory limits causing failures The biggest shift? Stop guessing. Start observing. Once you build this mindset, debugging becomes faster, calmer, and way more predictable 🚀 What’s one Docker issue that took you way too long to figure out? 👇 #Docker #DevOps #BackendDevelopment #Debugging #CloudNative