patterndockerfiledockerModeratepending
Docker Multi-Stage Builds for Minimal Production Images
Viewed 0 times
multi-stagedockeroptimizationscratchdistrolessproduction image
Problem
Docker images include build tools, dev dependencies, and source files not needed at runtime, resulting in bloated images (1GB+) with larger attack surface.
Solution
Use multi-stage builds to separate build and runtime:
For Go/Rust - use scratch or distroless:
Typical size reductions: Node 1.2GB -> 150MB, Go 800MB -> 10MB.
# Stage 1: Build
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Stage 2: Production
FROM node:20-alpine AS production
WORKDIR /app
ENV NODE_ENV=production
# Only copy what's needed
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/package*.json ./
RUN npm ci --omit=dev && npm cache clean --force
# Non-root user
RUN addgroup -g 1001 appgroup && \
adduser -u 1001 -G appgroup -s /bin/sh -D appuser
USER appuser
EXPOSE 3000
CMD ["node", "dist/index.js"]For Go/Rust - use scratch or distroless:
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -ldflags='-s -w' -o server .
FROM scratch
COPY --from=builder /app/server /server
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENTRYPOINT ["/server"]Typical size reductions: Node 1.2GB -> 150MB, Go 800MB -> 10MB.
Why
Smaller images deploy faster, use less storage, and have fewer vulnerabilities. Build tools in production images are unnecessary attack surface.
Gotchas
- COPY --from can reference any earlier stage by name or index
- scratch images have no shell - can't use sh -c or debug interactively
Context
Optimizing Docker images for production
Revisions (0)
No revisions yet.