# Docker Containerization Best Practices Guide

## Introduction

Docker containerization has become the standard way to deploy modern applications. This article walks through best practices for containerizing with Docker, from image construction to runtime hardening and operations.

## Image Building

### Base Image Selection

Start from an official, minimal base image; the smaller the image, the smaller its attack surface and the fewer packages there are to patch.

```dockerfile
# Use an official lightweight base image
FROM node:18-alpine
```

Use a multi-stage build so that build tooling and dev dependencies never reach the runtime image; only the built artifacts are copied into the final stage.

```dockerfile
# Multi-stage build: compile in a Node image, serve the output from nginx
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
# npm ci installs exactly what package-lock.json pins, for reproducible builds
RUN npm ci
COPY . .
RUN npm run build

# Runtime stage: contains only nginx and the static build output
FROM nginx:alpine
COPY --from=builder /app/dist /usr/share/nginx/html
```
### Image Optimization

Order the layers so that the rarely changing steps (dependency install) come before the frequently changing ones (application source), which lets Docker reuse the cached dependency layer across builds.

```dockerfile
# Optimize layer ordering for cache reuse
FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
# Install production dependencies only (--omit=dev is the current form of the
# deprecated --only=production flag)
RUN npm ci --omit=dev
COPY . .
```

Use a `.dockerignore` file so that `COPY . .` does not pull the host's `node_modules`, the `.git` history, or other files that do not belong in the image:

```
node_modules
npm-debug.log
Dockerfile
.dockerignore
.git
.gitignore
README.md
```
## Security Practices

### Non-root User

Containers run as root by default. Create a dedicated unprivileged user, give it ownership of only the application files, and switch to it as the last step so that the process cannot modify the image contents or escalate if it is compromised.

```dockerfile
FROM node:18-alpine
# Create a system group and user for the application
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
# Copy the application with ownership set to the unprivileged user
COPY --chown=appuser:appgroup . .
# Switch to the unprivileged user before the process starts
USER appuser
```
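The checks from the base image and non-root sections can be applied mechanically before a build. The following linter is an added example written for this article (it is not part of the article or of Docker's tooling); it parses a Dockerfile with the standard library only and reports base images that are not pinned to a tag or digest, a final stage that never switches to a non-root `USER`, and a missing `HEALTHCHECK`. The two embedded Dockerfiles are constructed samples: the article's multi-stage build and a hardened variant. The probe URL `http://localhost:3000/health` in the hardened sample is an assumed path.

```python
"""Static security checks for a Dockerfile (added example, not from the original article).

Checks:
  * every base image is pinned to a tag or digest (never bare or :latest)
  * the final stage switches to a non-root USER
  * the final stage declares a HEALTHCHECK
Only the standard library is used, so this runs offline.
"""
import re

# Constructed sample: the article's multi-stage build; nginx ends up running as root
SAMPLE_MULTISTAGE = """\
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=builder /app/dist /usr/share/nginx/html
"""

# Constructed sample: hardened variant with a non-root user and a health check
# (the /health path and port 3000 are assumptions)
SAMPLE_HARDENED = """\
FROM node:18-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
COPY --chown=appuser:appgroup . .
USER appuser
HEALTHCHECK --interval=30s --timeout=3s \\
    CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
"""

# FROM [--platform=...] <image> [AS <name>]
FROM_RE = re.compile(r"(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def parse_dockerfile(text):
    """Return [(INSTRUCTION, args)] with comments and blank lines dropped and
    backslash line continuations joined into one instruction."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        parts = re.split(r"\s+", buf, maxsplit=1)
        instructions.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return instructions


def split_stages(instructions):
    """Group instructions by build stage; every FROM starts a new stage."""
    stages = []
    for inst, args in instructions:
        if inst == "FROM":
            stages.append([(inst, args)])
        elif stages:
            stages[-1].append((inst, args))
    return stages


def image_is_pinned(image):
    """True if the reference carries a digest or a tag other than 'latest'."""
    if image == "scratch" or "@sha256:" in image:
        return True
    last = image.split("/")[-1]  # registry:port/ns/name:tag -> name:tag
    if ":" not in last:
        return False
    return last.rsplit(":", 1)[1] != "latest"


def check_dockerfile(text):
    """Return human-readable findings; an empty list means every check passed."""
    stages = split_stages(parse_dockerfile(text))
    if not stages:
        return ["no FROM instruction found"]
    findings, stage_names = [], set()
    for stage in stages:
        m = FROM_RE.match(stage[0][1])
        if not m:
            continue
        image, name = m.group(1), m.group(2)
        if image.lower() in stage_names:  # FROM <earlier stage>, not a registry image
            continue
        if name:
            stage_names.add(name.lower())
        if not image_is_pinned(image):
            findings.append(f"base image '{image}' is not pinned to a tag or digest")
    final = stages[-1]  # only the last stage becomes the runtime image
    users = [args for inst, args in final if inst == "USER"]
    if not users:
        findings.append("final stage has no USER instruction; the container runs as root")
    elif users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage switches back to root with USER")
    if not any(inst == "HEALTHCHECK" for inst, _ in final):
        findings.append("final stage declares no HEALTHCHECK")
    return findings


if __name__ == "__main__":
    for label, text in (("multi-stage", SAMPLE_MULTISTAGE), ("hardened", SAMPLE_HARDENED)):
        print(label, "->", check_dockerfile(text) or ["ok"])
```

Run it against the article's multi-stage build and it reports two findings (no `USER`, no `HEALTHCHECK`); the hardened sample passes. Because only the last stage is inspected for `USER` and `HEALTHCHECK`, a `USER` line in the builder stage does not hide a root-running runtime stage.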
### Security Scanning

Beyond scanning images for known vulnerabilities, harden the runtime configuration: drop every Linux capability, add back only the ones the process actually needs, and block privilege escalation through setuid binaries.

```yaml
# Docker Compose runtime hardening
version: '3.8'
services:
  app:
    security_opt:
      - no-new-privileges:true   # setuid/setgid binaries cannot gain privileges
    cap_drop:
      - ALL                      # start from zero capabilities
    cap_add:
      - NET_BIND_SERVICE         # only what is needed to bind ports below 1024
```
## Resource Management

### Resource Limits

Set CPU and memory limits so that a misbehaving or compromised container cannot starve the host or its neighbours; reservations guarantee a baseline for the service itself. The `deploy.resources` keys are enforced by Docker Compose v2 and by Swarm.

```yaml
version: '3.8'
services:
  app:
    deploy:
      resources:
        limits:
          cpus: '0.50'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 256M
```
### Health Checks

A health check lets Docker and the orchestrator distinguish a running process from a working service. The probe command runs inside the container, so the tool it uses (here `curl`) must be present in the image.

```dockerfile
# Dockerfile health check
HEALTHCHECK --interval=30s --timeout=3s \
    CMD curl -f http://localhost/ || exit 1
```

```yaml
# Docker Compose health check
version: '3.8'
services:
  app:
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s   # failures during startup do not count against retries
```
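The hardening, resource limit and health check settings above all surface in `docker inspect` output, so they can be audited on a running host rather than trusted from the compose file. The script below is an added example (not part of the article or of Docker); it reads the JSON array that `docker inspect` prints and reports containers that run as root, keep the default capability set, lack `no-new-privileges`, have no memory or CPU limit, define no health check, use host networking, or mount the Docker socket. The embedded JSON is a constructed, trimmed-down sample with one container matching the article's hardening and one started with defaults; the container names are assumptions.

```python
"""Audit `docker inspect` output against the hardening checklist
(added example; the JSON below is constructed, not captured from a real host).

Fields checked: Config.User, Config.Healthcheck, HostConfig.Privileged,
HostConfig.CapDrop, HostConfig.CapAdd, HostConfig.SecurityOpt, HostConfig.Memory,
HostConfig.NanoCpus, HostConfig.NetworkMode and HostConfig.Binds.
"""
import json
import sys

# Capabilities that effectively hand over the host when added back to a container
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}

# Constructed sample: two containers as `docker inspect` would describe them
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/app-hardened",
        "Config": {
            "User": "appuser",
            "Healthcheck": {"Test": ["CMD", "curl", "-f", "http://localhost/health"],
                            "Interval": 30000000000, "Timeout": 10000000000, "Retries": 3},
        },
        "HostConfig": {
            "Privileged": False,
            "CapDrop": ["ALL"],
            "CapAdd": ["NET_BIND_SERVICE"],
            "SecurityOpt": ["no-new-privileges:true"],
            "Memory": 536870912,      # 512M
            "NanoCpus": 500000000,    # 0.50 CPUs
            "NetworkMode": "app_frontend",
            "Binds": None,
        },
    },
    {
        "Name": "/app-weak",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": False,
            "CapDrop": None,
            "CapAdd": None,
            "SecurityOpt": None,
            "Memory": 0,
            "NanoCpus": 0,
            "NetworkMode": "bridge",
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
])


def _cap(name):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    upper = name.upper()
    return upper[4:] if upper.startswith("CAP_") else upper


def audit_container(c):
    """Return a list of findings for one inspect record; empty means hardened."""
    host = c.get("HostConfig") or {}
    cfg = c.get("Config") or {}
    findings = []
    if (cfg.get("User") or "").split(":")[0] in ("", "root", "0"):
        findings.append("runs as root: Config.User is empty or root")
    if host.get("Privileged"):
        findings.append("privileged: all capabilities and host devices are available")
    if "ALL" not in {_cap(x) for x in host.get("CapDrop") or []}:
        findings.append("default capability set retained: cap_drop does not include ALL")
    risky = {_cap(x) for x in host.get("CapAdd") or []} & RISKY_CAPS
    if risky:
        findings.append("dangerous capabilities added: " + ", ".join(sorted(risky)))
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in opts):
        findings.append("no-new-privileges not set: setuid binaries can still gain privileges")
    if not host.get("Memory"):
        findings.append("no memory limit: a leak can exhaust the host")
    if not host.get("NanoCpus"):
        findings.append("no CPU limit")
    test = (cfg.get("Healthcheck") or {}).get("Test") or []
    if not test or test[0] == "NONE":
        findings.append("no healthcheck: a hung process looks healthy to the orchestrator")
    if host.get("NetworkMode") == "host":
        findings.append("host networking: no network namespace isolation")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker socket mounted: equivalent to root on the host")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for a `docker inspect` JSON array (or one object)."""
    data = json.loads(text)
    if isinstance(data, dict):
        data = [data]
    return {(c.get("Name") or "?").lstrip("/"): audit_container(c) for c in data}


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > inspect.json && python3 audit.py inspect.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(text).items():
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

On the sample, `app-hardened` produces no findings and `app-weak` produces seven. `NET_BIND_SERVICE` in `cap_add` is deliberately not flagged, since that is the one capability the article adds back; only capabilities that amount to host control are reported.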
## Network Configuration

### Network Isolation

Put services on separate networks so that each container can reach only the services it actually talks to. Marking the `backend` network `internal` keeps the database off any external route: only `api` can reach it, and `web` never sees it.

```yaml
version: '3.8'
networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true   # no external connectivity for this network
services:
  web:
    networks:
      - frontend
  api:
    networks:
      - frontend
      - backend
  db:
    networks:
      - backend
```
### Service Discovery

Compose's embedded DNS resolves service names on a shared network, so services can address each other by name instead of hard-coded addresses. `condition: service_healthy` makes `web` wait until `api` and `db` pass their health checks, which requires those services to define a `healthcheck`.

```yaml
version: '3.8'
services:
  web:
    environment:
      - API_HOST=api   # resolved by Compose's internal DNS
      - DB_HOST=db
    depends_on:
      api:
        condition: service_healthy
      db:
        condition: service_healthy
```
## Data Persistence

### Volume Management

Keep state in named volumes rather than in the container's writable layer, and mount host files that the container only needs to read as read-only (`:ro`).

```yaml
version: '3.8'
volumes:
  db_data:
    driver: local
  cache:
    driver: local
services:
  db:
    volumes:
      - db_data:/var/lib/mysql
      - ./init.sql:/docker-entrypoint-initdb.d/init.sql:ro
  redis:
    volumes:
      - cache:/data
```
### Backup Strategy

```bash
#!/bin/bash
# Database backup script
set -euo pipefail

TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_DIR="/backup"
mkdir -p "${BACKUP_DIR}"

# Create the dump. The password is passed through the MYSQL_PWD environment
# variable rather than as -p<password>, so it does not show up in the process list.
docker exec -e MYSQL_PWD="${DB_PASSWORD}" db mysqldump -u root mydb \
  > "${BACKUP_DIR}/backup_${TIMESTAMP}.sql"

# Keep only the last 7 days of backups (match our own files, nothing else in the directory)
find "${BACKUP_DIR}" -type f -name 'backup_*.sql' -mtime +7 -delete
```
## Monitoring and Logging

### Log Configuration

Cap log size and the number of rotated files so that a chatty container cannot fill the host's disk.

```yaml
version: '3.8'
services:
  app:
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
```
### Monitoring Integration

```yaml
version: '3.8'
services:
  prometheus:
    image: prom/prometheus
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml:ro
    ports:
      - "9090:9090"
  grafana:
    image: grafana/grafana
    depends_on:
      - prometheus
    ports:
      - "3000:3000"
```
## CI/CD Integration

### Automated Builds

Pushing to a registry requires credentials, so the workflow logs in first using repository secrets; never put registry tokens in the workflow file itself.

```yaml
# GitHub Actions configuration
name: Docker Build and Push
on:
  push:
    branches: [ main ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      # DOCKERHUB_USERNAME and DOCKERHUB_TOKEN are assumed names for repository secrets
      - name: Log in to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: user/app:latest
```
### Deployment Automation

Rolling updates replace one replica at a time with a pause between them, so a bad image is caught before every replica is affected.

```yaml
# Docker Stack deployment configuration
version: '3.8'
services:
  app:
    image: user/app:latest
    deploy:
      replicas: 3
      update_config:
        parallelism: 1   # update one replica at a time
        delay: 10s
      restart_policy:
        condition: on-failure
```
## Best Practices

### Image Building

- Use multi-stage builds
- Minimize image size
- Order layers for cache reuse

### Security Hardening

- Run as a non-root user
- Apply least privilege (drop capabilities, no privilege escalation)
- Scan images for vulnerabilities regularly

### Resource Management

- Set resource limits
- Define health checks
- Tune performance settings

### Operations

- Automate deployments
- Monitor and alert
- Manage logs

## Common Issues

### Performance

- Resource limit configuration
- Network tuning
- Storage performance

### Security Risks

- Permission control
- Network isolation
- Vulnerability scanning

### Maintenance

- Version management
- Configuration management
- Log collection