# Docker Best Practices for ZEE Quiz Application ## 1. Multi-stage Builds ```dockerfile # Builder stage FROM golang:1.24.3-alpine AS builder WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -o /zee-app # Final stage FROM alpine:3.18 WORKDIR /app COPY --from=builder /zee-app /app/ # Add non-root user RUN addgroup -S appgroup && adduser -S appuser -G appgroup USER appuser # Health check HEALTHCHECK --interval=30s --timeout=3s \ CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1 EXPOSE 8080 ENTRYPOINT ["/app/zee-app"] ``` ## 2. Security Best Practices - **Non-root User**: Always run containers as non-root user - **Minimal Base Images**: Use `alpine` or `distroless` for smaller attack surface - **Multi-stage Builds**: Reduce final image size and remove build tools - **`.dockerignore`**: Exclude unnecessary files from build context - **Image Scanning**: Use `trivy` or `docker scan` for vulnerability scanning ## 3. Docker Compose Configuration ```yaml version: '3.8' services: app: build: context: . target: production ports: - "8080:8080" environment: - DATABASE_URL=postgres://user:pass@db:5432/zeedb depends_on: db: condition: service_healthy deploy: resources: limits: cpus: '1' memory: 1G healthcheck: test: ["CMD", "wget", "--spider", "http://localhost:8080/health"] interval: 30s timeout: 10s retries: 3 db: image: postgres:14-alpine environment: POSTGRES_USER: user POSTGRES_PASSWORD: pass POSTGRES_DB: zeedb volumes: - postgres_data:/var/lib/postgresql/data - ./migrations:/docker-entrypoint-initdb.d healthcheck: test: ["CMD-SHELL", "pg_isready -U user -d zeedb"] interval: 5s timeout: 5s retries: 5 redis: image: redis:7-alpine command: redis-server --requirepass your_secure_password volumes: - redis_data:/data healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 5s timeout: 3s retries: 5 volumes: postgres_data: redis_data: ``` ## 4. Development vs Production ### Development - Mount source code as volume for live reload - Enable debug mode - Include development tools ### Production - Use multi-stage builds - Remove debug tools - Set appropriate resource limits - Enable health checks - Configure logging drivers ## 5. Environment Variables ```env # Application APP_ENV=production PORT=8080 # Database DB_HOST=db DB_PORT=5432 DB_NAME=zeedb DB_USER=user DB_PASSWORD=pass DB_SSLMODE=disable # Redis REDIS_ADDR=redis:6379 REDIS_PASSWORD=your_secure_password # JWT JWT_SECRET=your_jwt_secret_key JWT_EXPIRATION=24h ``` ## 6. Volume Management - Use named volumes for persistent data - Set appropriate volume permissions - Backup volumes regularly - Consider volume encryption for sensitive data ## 7. Network Configuration - Use custom bridge networks - Isolate services in dedicated networks - Configure proper DNS resolution - Set up network policies ## 8. Logging & Monitoring - Configure log rotation - Use structured logging - Forward logs to centralized system - Monitor container metrics ## 9. CI/CD Integration ```yaml # .drone.yml kind: pipeline type: docker name: build-and-push steps: - name: test image: golang:1.24 commands: - go test -v ./... - name: build image: plugins/docker settings: repo: your-registry/zee-app tags: ${DRONE_COMMIT_SHA:0:8} dockerfile: Dockerfile target: production when: event: push branch: main ``` ## 10. Security Scanning ```bash # Scan for vulnerabilities docker scan zee-app # Check for secrets in code docker run --rm -v $(pwd):/src/ -v /var/run/docker.sock:/var/run/docker.sock zricethezav/gitleaks:latest detect --source=/src --report=/src/gitleaks.json # Scan Dockerfile docker run --rm -i hadolint/hadolint < Dockerfile