title
Top 8 Docker Best Practices for using Docker in Production
description
8 Docker Production Best Practices to improve security, reduce the image size and improve build time
Docker adoption rises constantly, but not everyone is using Docker according to the best practices.
So in this video I want to show you 8 ways you can use Docker the right way in your projects to improve security, optimize the image size, take advantage of some useful Docker features, and write cleaner and more maintainable Dockerfiles.
▬▬▬▬▬▬ T I M E S T A M P S ⏰ ▬▬▬▬▬▬
0:00 - Intro
0:34 - BP 1: Use official and verified Docker Images as Base Image
1:13 - BP 2: Use Specific Docker Image Versions
2:12 - BP 3: Use Small-Sized Official Images
4:35 - BP 4: Optimize Caching Image Layers
10:09 - BP 5: Use .dockerignore file
10:55 - BP 6: Make use of Multi-Stage Builds
14:15 - BP 7: Use the Least Privileged User
16:06 - BP 8: Scan your Images for Security Vulnerabilities
17:50 - Wrap Up
detail
{'title': 'Top 8 Docker Best Practices for using Docker in Production', 'heatmap': [{'end': 622.844, 'start': 607.967, 'weight': 0.876}, {'end': 664.778, 'start': 641.194, 'weight': 0.717}], 'summary': 'Covers 8 best practices for using docker in production, emphasizing the use of official and verified docker images, fixing image versions, and maintaining transparency and security. it also highlights the importance of choosing leaner docker images, optimizing image layer caching, and implementing best practices for optimizing docker images, resulting in reduced image size and increased security.', 'chapters': [{'end': 148.527, 'segs': [{'end': 49.947, 'src': 'embed', 'start': 26.106, 'weight': 0, 'content': [{'end': 35.075, 'text': 'optimize the image size and take advantage of some of the useful Docker features, and also write cleaner and more maintainable Docker files.', 'start': 26.106, 'duration': 8.969}, {'end': 43.042, 'text': 'The first best practice is to use an official and verified Docker image whenever available.', 'start': 35.435, 'duration': 7.607}, {'end': 49.947, 'text': "Let's say you are developing a Node.js application and want to build it and run it as a Docker image.", 'start': 43.823, 'duration': 6.124}], 'summary': 'Optimize image size, leverage docker features, use official docker images for node.js application development.', 'duration': 23.841, 'max_score': 26.106, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ26106.jpg'}, {'end': 148.527, 'src': 'embed', 'start': 104.638, 'weight': 1, 'content': [{'end': 106.779, 'text': "You don't know exactly which image you are getting.", 'start': 104.638, 'duration': 2.141}, {'end': 112.063, 'text': 'So instead of a random latest image tag, you want to fixate the version.', 'start': 107.099, 'duration': 4.964}, {'end': 119.749, 'text': 'And just like you deploy your own application with a specific version, you want to use the official image with 
a specific version.', 'start': 112.403, 'duration': 7.346}, {'end': 123.093, 'text': 'And the rule here is the more specific, the better.', 'start': 120.25, 'duration': 2.843}, {'end': 131.421, 'text': "This also gives you and your team a transparency to know exactly what version of the base image you're using in your Docker file.", 'start': 123.693, 'duration': 7.728}, {'end': 142.759, 'text': 'Now, looking at all the image tags or versions here, you see that for Node.js there are multiple official images,', 'start': 135.069, 'duration': 7.69}, {'end': 148.527, 'text': 'not only with different version numbers, but also with different operating system distributions.', 'start': 142.759, 'duration': 5.768}], 'summary': 'Fixate the version for transparency and specificity in using docker images.', 'duration': 43.889, 'max_score': 104.638, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ104638.jpg'}], 'start': 0.389, 'title': 'Docker best practices', 'summary': 'Discusses eight best practices for using docker in production, emphasizing the use of official and verified docker images, fixing image versions, and maintaining transparency and security.', 'chapters': [{'end': 148.527, 'start': 0.389, 'title': 'Best practices for using docker in production', 'summary': 'Discusses eight best practices for using docker in production, emphasizing the importance of using official and verified docker images, fixing the image version, and maintaining transparency and security.', 'duration': 148.138, 'highlights': ['Using official and verified Docker images Using official and verified Docker images helps in improving security, optimizing image size, and ensuring that the image is built with best practices.', 'Fixating the image version Fixating the image version ensures consistency and transparency, allowing for predictable behavior and improved control over the base image used in the Docker file.', 'Importance of transparency 
in version control Maintaining transparency in version control provides clarity on the specific version of the base image used in the Docker file, enabling better collaboration and understanding within the team.']}], 'duration': 148.138, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ389.jpg', 'highlights': ['Using official and verified Docker images helps in improving security, optimizing image size, and ensuring best practices.', 'Fixating the image version ensures consistency, transparency, predictable behavior, and improved control.', 'Maintaining transparency in version control provides clarity, enabling better collaboration and understanding.']}, {'end': 568.929, 'segs': [{'end': 248.407, 'src': 'embed', 'start': 170.167, 'weight': 0, 'content': [{'end': 178.394, 'text': 'In contrast, having smaller images means you need less storage space in image repository, as well as on a deployment server.', 'start': 170.167, 'duration': 8.227}, {'end': 184.916, 'text': 'And of course, you can transfer the images faster when pulling or pushing them from the repository.', 'start': 179.034, 'duration': 5.882}, {'end': 195.159, 'text': 'Now, in addition to the size, there is another issue with images based on full blown operating systems with lots of tools installed inside.', 'start': 185.256, 'duration': 9.903}, {'end': 197.9, 'text': 'And that is a security issue,', 'start': 195.559, 'duration': 2.341}, {'end': 208.744, 'text': 'because such base images usually contain hundreds of known vulnerabilities and basically create a larger attack surface to your application image.', 'start': 197.9, 'duration': 10.844}, {'end': 216.006, 'text': 'And this way, you basically end up introducing unnecessary security issues from the beginning to your image.', 'start': 209.424, 'duration': 6.582}, {'end': 217.667, 'text': 'In comparison.', 'start': 216.526, 'duration': 1.141}, {'end': 226.49, 'text': 'by using smaller images with 
leaner operating system distributions which only bundle the necessary system tools and libraries,', 'start': 217.667, 'duration': 8.823}, {'end': 232.112, 'text': "you're also minimizing the attack surface and making sure that you build more secure images.", 'start': 226.49, 'duration': 5.622}, {'end': 241.701, 'text': 'So the best practice here would be to select an image with a specific version based on a leaner operating system distribution, like Alpine,', 'start': 232.612, 'duration': 9.089}, {'end': 242.221, 'text': 'for example.', 'start': 241.701, 'duration': 0.52}, {'end': 248.407, 'text': 'Alpine has everything you need to start your application in a container, but is much more lightweight.', 'start': 242.802, 'duration': 5.605}], 'summary': 'Using smaller, leaner os images reduces storage, speeds up transfer, and minimizes security vulnerabilities for more secure containers.', 'duration': 78.24, 'max_score': 170.167, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ170167.jpg'}, {'end': 398.426, 'src': 'embed', 'start': 373.059, 'weight': 2, 'content': [{'end': 382.221, 'text': "So when you rebuild your image, if your Docker file hasn't changed, Docker will just use the cached layers to build the image.", 'start': 373.059, 'duration': 9.162}, {'end': 385.022, 'text': 'This of course makes building the image much faster.', 'start': 382.361, 'duration': 2.661}, {'end': 390.163, 'text': 'Caching is also useful and important when pulling and pushing an image.', 'start': 385.902, 'duration': 4.261}, {'end': 398.426, 'text': "So if I pull a new image version of the same application and let's say, two new layers have been added in the new version,", 'start': 390.543, 'duration': 7.883}], 'summary': 'Using cached layers in docker accelerates image rebuilding and makes the process faster.', 'duration': 25.367, 'max_score': 373.059, 'thumbnail': 
'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ373059.jpg'}, {'end': 568.929, 'src': 'embed', 'start': 543.775, 'weight': 3, 'content': [{'end': 550.841, 'text': 'We have the information that a layer has been reused from cache or a layer has been rebuilt.', 'start': 543.775, 'duration': 7.066}, {'end': 568.929, 'text': 'So the rule here and the best practice is that you should order your commands in the Docker file from the least to the most frequently changing commands to take advantage of caching and this way optimize how fast the image gets built.', 'start': 551.461, 'duration': 17.468}], 'summary': 'Optimize dockerfile commands order to maximize caching and image build speed.', 'duration': 25.154, 'max_score': 543.775, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ543775.jpg'}], 'start': 148.987, 'title': 'Choosing leaner docker images and optimizing docker image layer caching', 'summary': 'Discusses the importance of choosing leaner docker images, emphasizing the benefits of smaller images in requiring less storage space, faster transfer, and minimizing security vulnerabilities, and recommends the use of leaner operating system distributions like alpine. 
additionally, it explains the concept of docker image layers, caching, and optimizing caching for faster image building, highlighting best practices for structuring dockerfile commands to take advantage of caching.', 'chapters': [{'end': 276.251, 'start': 148.987, 'title': 'Choosing leaner docker images', 'summary': 'Discusses the importance of choosing leaner docker images, highlighting that smaller images require less storage space, transfer faster, and minimize security vulnerabilities, recommending the use of leaner operating system distributions like alpine.', 'duration': 127.264, 'highlights': ['Smaller images require less storage space in image repository, as well as on a deployment server, and can be transferred faster when pulling or pushing them from the repository.', 'Using smaller images with leaner operating system distributions minimizes the attack surface and ensures the creation of more secure images.', 'Selecting an image with a specific version based on a leaner operating system distribution, like Alpine, is a best practice for starting applications in containers.', 'Alpine is recommended as it has everything needed to start an application in a container but is much more lightweight compared to full blown operating system distributions like Ubuntu or CentOS.']}, {'end': 568.929, 'start': 276.972, 'title': 'Optimizing docker image layer caching', 'summary': 'Explains the concept of docker image layers, caching, and optimizing caching for image layers, emphasizing the advantages of caching for faster image building and the best practices for structuring dockerfile commands to take advantage of caching.', 'duration': 291.957, 'highlights': ['Docker image layers and caching Docker images consist of layers created by commands in the Dockerfile, and caching allows Docker to reuse cached layers when rebuilding images, resulting in faster image building.', 'Advantages of caching Caching is beneficial for faster image building and when pulling or pushing 
an image, as only the newly added layers need to be downloaded, while the rest are reused from the cache.', 'Optimizing Dockerfile commands for caching Reordering commands from the least to the most frequently changing in the Dockerfile allows for better caching utilization, optimizing the speed of image building by reusing unchanged layers.']}], 'duration': 419.942, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ148987.jpg', 'highlights': ['Using smaller images with leaner operating system distributions minimizes the attack surface and ensures the creation of more secure images.', 'Alpine is recommended as it has everything needed to start an application in a container but is much more lightweight compared to full blown operating system distributions like Ubuntu or CentOS.', 'Advantages of caching Caching is beneficial for faster image building and when pulling or pushing an image, as only the newly added layers need to be downloaded, while the rest are reused from the cache.', 'Optimizing Dockerfile commands for caching Reordering commands from the least to the most frequently changing in the Dockerfile allows for better caching utilization, optimizing the speed of image building by reusing unchanged layers.', 'Smaller images require less storage space in image repository, as well as on a deployment server, and can be transferred faster when pulling or pushing them from the repository.']}, {'end': 1105.537, 'segs': [{'end': 639.393, 'src': 'heatmap', 'start': 607.967, 'weight': 0.876, 'content': [{'end': 608.871, 'text': "And now let's continue.", 'start': 607.967, 'duration': 0.904}, {'end': 617.541, 'text': "Now, usually when we build the image, we don't need everything we have in the project to run the application inside.", 'start': 611.038, 'duration': 6.503}, {'end': 622.844, 'text': "We don't need the auto generated folders like targets or build folder.", 'start': 618.222, 'duration': 4.622}, {'end': 
625.225, 'text': "We don't need the readme file, et cetera.", 'start': 623.244, 'duration': 1.981}, {'end': 633.75, 'text': 'So how do we exclude such content from ending up in our application image in order to reduce the image size?', 'start': 625.846, 'duration': 7.904}, {'end': 639.393, 'text': "And that's our next best practice to use a dot Docker ignore file.", 'start': 634.23, 'duration': 5.163}], 'summary': 'Use a dot docker ignore file to exclude unnecessary content and reduce image size.', 'duration': 31.426, 'max_score': 607.967, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ607967.jpg'}, {'end': 671.163, 'src': 'heatmap', 'start': 623.244, 'weight': 3, 'content': [{'end': 625.225, 'text': "We don't need the readme file, et cetera.", 'start': 623.244, 'duration': 1.981}, {'end': 633.75, 'text': 'So how do we exclude such content from ending up in our application image in order to reduce the image size?', 'start': 625.846, 'duration': 7.904}, {'end': 639.393, 'text': "And that's our next best practice to use a dot Docker ignore file.", 'start': 634.23, 'duration': 5.163}, {'end': 641.134, 'text': "And it's pretty straightforward.", 'start': 639.853, 'duration': 1.281}, {'end': 644.055, 'text': 'We basically just create this Docker ignore file.', 'start': 641.194, 'duration': 2.861}, {'end': 649.157, 'text': 'We list all the files and folders that we want to be ignored.', 'start': 644.475, 'duration': 4.682}, {'end': 655.42, 'text': 'And when building the image, Docker will look at the contents and ignore anything specified inside.', 'start': 649.737, 'duration': 5.683}, {'end': 664.778, 'text': "But now let's say there are some contents in your project that you need for building the image.", 'start': 658.854, 'duration': 5.924}, {'end': 671.163, 'text': "So during the build process, but you don't need them in the final image itself to run the application.", 'start': 665.319, 'duration': 5.844}], 
'summary': 'To reduce image size, use a .dockerignore file to exclude unnecessary content during the build process.', 'duration': 47.919, 'max_score': 623.244, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ623244.jpg'}, {'end': 722.114, 'src': 'embed', 'start': 694.318, 'weight': 1, 'content': [{'end': 701.462, 'text': "If you keep these artifacts in your final image, even though they're absolutely unnecessary for running the application,", 'start': 694.318, 'duration': 7.144}, {'end': 706.946, 'text': 'it will again result in an increased image size and increased attack surface.', 'start': 701.462, 'duration': 5.484}, {'end': 714.41, 'text': 'specific example for this is a package, json or pom.xml or any other dependencies file,', 'start': 707.646, 'duration': 6.764}, {'end': 722.114, 'text': 'which specifies all the dependencies for the project and are needed to install those dependencies.', 'start': 714.41, 'duration': 7.704}], 'summary': 'Unnecessary artifacts increase image size and attack surface, e.g. 
json or pom.xml.', 'duration': 27.796, 'max_score': 694.318, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ694318.jpg'}, {'end': 800.847, 'src': 'embed', 'start': 769.507, 'weight': 0, 'content': [{'end': 773.209, 'text': "Well, for that you can use what's called multi-stage builds.", 'start': 769.507, 'duration': 3.702}, {'end': 781.752, 'text': 'The multi-stage builds feature allows you to use multiple temporary images during the build process,', 'start': 773.909, 'duration': 7.843}, {'end': 785.835, 'text': 'but keep only the latest image as the final artifact.', 'start': 781.752, 'duration': 4.083}, {'end': 787.296, 'text': "Let's see how that works.", 'start': 786.356, 'duration': 0.94}, {'end': 790.979, 'text': 'This is an example Dockerfile with two build stages.', 'start': 787.997, 'duration': 2.982}, {'end': 800.847, 'text': 'The first stage, which we call build, specified like this, is used to build the Java application using Maven tool.', 'start': 791.62, 'duration': 9.227}], 'summary': 'Multi-stage builds help use temporary images in the build process and retain only the final artifact.', 'duration': 31.34, 'max_score': 769.507, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ769507.jpg'}, {'end': 934.211, 'src': 'embed', 'start': 880.75, 'weight': 2, 'content': [{'end': 882.931, 'text': 'And there is also a bad security practice.', 'start': 880.75, 'duration': 2.181}, {'end': 892.698, 'text': 'This basically introduces a security issue because When container starts on the host, it will potentially have root access on the Docker host.', 'start': 883.331, 'duration': 9.367}, {'end': 907.83, 'text': 'So, running an application inside the container with a root user will make it easier for an attacker to escalate privileges on the host and basically get hold of the underlying host and its processes,', 'start': 893.218, 'duration': 14.612}, 
{'end': 915.516, 'text': 'not only the container itself, especially if the application inside the container is vulnerable to exploitation.', 'start': 907.83, 'duration': 7.686}, {'end': 925.824, 'text': 'to avoid this, the best practice is to simply create a dedicated user and a dedicated group in the docker image to run the application.', 'start': 916.377, 'duration': 9.447}, {'end': 934.211, 'text': 'to create the user and its group, you can simply run useradd and groupadd Linux commands like this and once you have that user,', 'start': 925.824, 'duration': 8.387}], 'summary': 'Running an application with root access in a docker container can lead to security vulnerabilities and host exploitation; best practice is to create a dedicated user and group in the docker image.', 'duration': 53.461, 'max_score': 880.75, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ880750.jpg'}, {'end': 1017.941, 'src': 'embed', 'start': 989.449, 'weight': 4, 'content': [{'end': 994.431, 'text': 'Note that you have to be logged into Docker Hub to be able to scan your images,', 'start': 989.449, 'duration': 4.982}, {'end': 1003.874, 'text': 'so you can do a simple Docker login on your command line and then execute Docker scan command with image name as a parameter.', 'start': 994.431, 'duration': 9.443}, {'end': 1011.958, 'text': 'And in the background, Docker actually uses a service called Snyk to do the vulnerability scanning of the images.', 'start': 1004.295, 'duration': 7.663}, {'end': 1017.941, 'text': 'The scan uses a database of vulnerabilities which gets constantly updated.', 'start': 1012.359, 'duration': 5.582}], 'summary': "Docker hub users can scan images using docker scan command, utilizing Snyk's vulnerability database.", 'duration': 28.492, 'max_score': 989.449, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ989449.jpg'}], 'start': 569.529, 'title': 
'Optimizing docker images and best practices', 'summary': 'Discusses best practices for optimizing docker images, including using a dot docker ignore file, excluding unnecessary artifacts, and implementing multi-stage builds to separate build dependencies from the final image, resulting in reduced image size and increased security. it also emphasizes the importance of creating dedicated users and groups, avoiding root user privileges, and scanning for security vulnerabilities to ensure leaner and more secure docker images.', 'chapters': [{'end': 849.691, 'start': 569.529, 'title': 'Optimizing docker images', 'summary': 'Discusses best practices for optimizing docker images, including using a dot docker ignore file, excluding unnecessary artifacts, and implementing multi-stage builds to separate build dependencies from the final image, resulting in reduced image size and increased security.', 'duration': 280.162, 'highlights': ['Using a dot Docker ignore file to exclude unnecessary content from ending up in the application image. Creating a dot Docker ignore file and listing all files and folders that need to be ignored, reducing the image size and enhancing security.', 'Excluding unnecessary artifacts, such as development tools, libraries, and dependencies, from the final image to reduce its size and attack surface. Explaining how keeping unnecessary artifacts in the final image increases its size and attack surface, providing specific examples such as package.json or pom.xml files, and highlighting the need to remove them after installing dependencies.', "Implementing multi-stage builds to separate build tools and dependencies from what's needed for runtime, resulting in a smaller final image and enhanced efficiency. 
Detailing the use of multi-stage builds to create temporary images during the build process, keeping only the latest image as the final artifact, and discarding the files and tools used in the first stage once the final image is created."]}, {'end': 1105.537, 'start': 850.311, 'title': 'Best practices for docker images', 'summary': 'Emphasizes the importance of creating dedicated users and groups, avoiding root user privileges, and scanning for security vulnerabilities to ensure leaner and more secure docker images.', 'duration': 255.226, 'highlights': ['Creating dedicated user and group in docker image to run the application Emphasizes the best practice of creating a dedicated user and group in the docker image to run the application, reducing the risk of security issues and potential vulnerabilities.', 'Avoiding running containers with root privileges Highlights the security risks associated with running containers with root privileges, stressing the importance of avoiding this practice to prevent potential privilege escalation and host compromise.', 'Scanning Docker images for security vulnerabilities using Docker scan command Emphasizes the importance of scanning Docker images for security vulnerabilities using the Docker scan command, which leverages a constantly updated database of vulnerabilities to ensure image security.']}], 'duration': 536.008, 'thumbnail': 'https://coursnap.oss-ap-southeast-1.aliyuncs.com/video-capture/8vXoMqWgbQQ/pics/8vXoMqWgbQQ569529.jpg', 'highlights': ["Implementing multi-stage builds to separate build tools and dependencies from what's needed for runtime, resulting in a smaller final image and enhanced efficiency.", 'Excluding unnecessary artifacts, such as development tools, libraries, and dependencies, from the final image to reduce its size and attack surface.', 'Creating dedicated user and group in docker image to run the application Emphasizes the best practice of creating a dedicated user and group in the docker image to run 
the application, reducing the risk of security issues and potential vulnerabilities.', 'Using a dot Docker ignore file to exclude unnecessary content from ending up in the application image. Creating a dot Docker ignore file and listing all files and folders that need to be ignored, reducing the image size and enhancing security.', 'Scanning Docker images for security vulnerabilities using Docker scan command Emphasizes the importance of scanning Docker images for security vulnerabilities using the Docker scan command, which leverages a constantly updated database of vulnerabilities to ensure image security.', 'Avoiding running containers with root privileges Highlights the security risks associated with running containers with root privileges, stressing the importance of avoiding this practice to prevent potential privilege escalation and host compromise.']}], 'highlights': ['Using official and verified Docker images helps in improving security, optimizing image size, and ensuring best practices.', 'Fixating the image version ensures consistency, transparency, predictable behavior, and improved control.', 'Maintaining transparency in version control provides clarity, enabling better collaboration and understanding.', 'Using smaller images with leaner operating system distributions minimizes the attack surface and ensures the creation of more secure images.', 'Alpine is recommended as it has everything needed to start an application in a container but is much more lightweight compared to full blown operating system distributions like Ubuntu or CentOS.', 'Caching is beneficial for faster image building and when pulling or pushing an image, as only the newly added layers need to be downloaded, while the rest are reused from the cache.', 'Optimizing Dockerfile commands for caching allows for better caching utilization, optimizing the speed of image building by reusing unchanged layers.', 'Smaller images require less storage space in image repository, as well as on a 
deployment server, and can be transferred faster when pulling or pushing them from the repository.', "Implementing multi-stage builds to separate build tools and dependencies from what's needed for runtime, resulting in a smaller final image and enhanced efficiency.", 'Excluding unnecessary artifacts from the final image to reduce its size and attack surface.', 'Creating dedicated user and group in docker image to run the application reduces the risk of security issues and potential vulnerabilities.', 'Using a dot Docker ignore file to exclude unnecessary content from ending up in the application image, reducing the image size and enhancing security.', 'Scanning Docker images for security vulnerabilities using Docker scan command leverages a constantly updated database of vulnerabilities to ensure image security.', 'Avoiding running containers with root privileges prevents potential privilege escalation and host compromise.']}