
Revise Dockerfile with more best practices #205

Open
hawkrives opened this issue Feb 18, 2021 · 4 comments

Comments

@hawkrives (Contributor):

From https://pythonspeed.com/docker

https://pythonspeed.com/articles/root-capabilities-docker-security/

```dockerfile
FROM ubuntu:18.04
RUN useradd --create-home appuser
WORKDIR /home/appuser
USER appuser
```

https://pythonspeed.com/articles/docker-cache-insecure-images/

Once a week, or every night, rebuild your Docker image from scratch using `docker build --pull --no-cache` to ensure you have security updates.

@hawkrives (Contributor, Author):

Pin to a specific Debian release as the source docker image

@hawkrives (Contributor, Author):

Make it identifiable: via Docker

The problem with tags is that they’re not embedded into the image. So if you deployed `yourimage:latest`, you won’t know what other tags it used to have.

One solution is to embed the metadata as labels inside the image itself:

```shell
docker build -t myimage:latest --label git-commit=$GIT_COMMIT .
```

@hawkrives (Contributor, Author):

Make it identifiable: via logs and public API

You can also use build arguments to customize the build; this allows you to pass in the git commit, store it in the image as a file, and then your application can include it in a status API endpoint, or as part of application logging on startup.

```dockerfile
FROM centos
ARG git_commit
RUN echo $git_commit > /git-commit.txt
```

The `ARG` is a build argument you expect the image to take.

And then we can pass it in:

```
$ docker build -t myimage --build-arg git_commit=$GIT_COMMIT .
$ docker run -it myimage
$ docker run -ti myimage
[root@6d9d99b56d9b /]# cat /git-commit.txt
45eefe3
```

Your code can then load `git-commit.txt` and put it in logs, or include it as part of a `/status` API endpoint.
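Putting the practices from the comments above together (non-root user, pinned base release, periodic `--pull --no-cache` rebuild, commit recorded as both a label and a file), as an added example that is not this project's own Dockerfile; the `debian:bullseye-slim` base, the `python3` package and the `app.py` entry point are assumptions:

```dockerfile
# Added example, not the repository's Dockerfile.
# Rebuild weekly, bypassing the layer cache so base-image security updates land:
#   docker build --pull --no-cache \
#     --build-arg git_commit=$(git rev-parse --short HEAD) -t myimage:latest .

# Pin a specific Debian release rather than a floating tag such as `debian:latest`.
# For a fully reproducible build, pin the digest too, e.g.
#   FROM debian:bullseye-slim@sha256:<digest reported by `docker pull`>
FROM debian:bullseye-slim

# The commit is a build argument; defaulting it keeps local builds working.
ARG git_commit=unknown

# Recorded as a label (visible with `docker inspect`, unlike a tag) ...
LABEL git-commit=$git_commit

# ... and as a file the application can read into its logs or /status endpoint.
RUN echo "$git_commit" > /git-commit.txt

# Install what the app needs while still root, then clean the apt lists.
RUN apt-get update \
    && apt-get install -y --no-install-recommends python3 \
    && rm -rf /var/lib/apt/lists/*

# Create an unprivileged user and run everything below as that user.
RUN useradd --create-home appuser
WORKDIR /home/appuser
COPY --chown=appuser:appuser app.py .   # app.py is an assumed entry point
USER appuser

CMD ["python3", "app.py"]
```

`docker inspect --format '{{index .Config.Labels "git-commit"}}' myimage:latest` prints the recorded commit, and `docker run --rm myimage:latest cat /git-commit.txt` shows the same value from inside the image.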
