SlideShare a Scribd company logo
1 of 53
Download to read offline
Creating Effective Images
Sr Technical Evangelist, AWS
@abbyfuller
Abby Fuller
• How do layers work?
• The basics for building minimal images
• High level best practices for Windows containers
• Dockerfiles:  the good, the bad, and the bloated
• Let’s get (language) specific
• Tools are here to help
• Looking forward to the future
Agenda
How do layers work?
What are container layers?
read-only container layers
Thin read-write layer
Why do I care how many layers I have?
More layers mean a larger image. The larger the image, the longer
that it takes to both build, and push and pull from a registry.
Smaller images mean faster builds and deploys. This also means a
smaller attack surface.
OK, so how can I reduce my layers?
Sharing is caring.
• Use shared base images where
possible
• Limit the data written to the
container layer
• Chain RUN statements
• Prevent cache misses at build for as
long as possible
Building minimal images: the basics
A Dockerfile is a series of
instructions for building images.
Cache rules everything around me
CACHE
Let’s start with a Dockerfile
FROM ubuntu:latest
LABEL maintainer abbyfull@amazon.com
RUN apt-get update -y && apt-get install -y python-pip
python-dev build-essential
COPY . /app
WORKDIR /app
RUN pip install –r requirements.txt
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
First step: choosing the right base
From the stock ubuntu image:
ubuntu              latest              2b1dc137b502   
    52 seconds ago      458 MB
From python:2.7-alpine:
alpine              latest              d3145c9ba1fa   
    2 minutes ago       86.8 MB
Slightly better- choose a different distro
alpine     latest        d3145c9ba1fa       3.9 MB
python     3.6.1-slim    60952d8b5aeb       200 MB
debian     latest        8cedef9d7368       123 MB
python     2.7-alpine    b63d02d8829b       71.5 MB
ubuntu     latest        0ef2e08ed3fa       130 MB
fedora     latest        4daa661b467f       231 MB
When do I want a full base OS?
(I do actually like Ubuntu!)
• Security
• Compliance
• Ease of development
Let’s look at our original Ubuntu image
FROM ubuntu:latest
RUN apt-get update -y && apt-get install -y python-pip
python-dev build-essential
LABEL maintainer abbyfull@amazon.com
COPY . /app
WORKDIR /app
RUN pip install –r requirements.txt
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Simple changes, big results
FROM python:2.7-alpine
LABEL maintainer abbyfull@amazon.com
COPY . /app
WORKDIR /app
RUN pip install –r requirements.txt
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Fewer cache invalidations=smaller images
FROM python:2.7-alpine
LABEL maintainer abbyfull@amazon.com
COPY requirements.txt /app
RUN pip install –r /app/requirements.txt
COPY . /app
WORKDIR /app
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Got application code?
FROM python:2.7-alpine
LABEL maintainer abbyfull@amazon.com
ONBUILD ADD requirements.txt /app
ONBUILD RUN pip install –r /app/requirements.txt
ONBUILD COPY . /app
WORKDIR /app
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Let’s recap.
TL;DR: layers represent filesystem differences.
Layers add up quickly with big consequences.
Some high-level best practices: Windows
Port over existing VM workloads
Convert an existing Windows image:
ConvertTo-Dockerfile -ImagePath c:dockermyimage.wim
Convert from VHD:
ConvertTo-Dockerfile -ImagePath c:vmstest.vhd -Artifact IIS -
ArtifactParam windows-container -OutputPath c:windows-container
cd c:windows-container
docker build -t windows-container .
docker run -d -p 80:80 windows-container
Some things to think about
Watch what you build: 
    c:   c:    /  /windows c:/windows
Building any of those PATHs will make your image very large!
Avoid installing packages with MSI
MSI installations are not space efficient. This is not
the same as Linux distros, where you can add, use,
and remove the installation files!
$  Windows/Installer/<package>.msi
Windows saves these files for uninstalls :(
Coming up soon
Run Linux containers “as-is” on
Windows Server!
Here’s whats really cool though
Build and run everything the same, regardless of
container OS, host OS, or tools. Just docker build
and docker run.
…but I’m not a Windows expert
So go to see Elton
instead! He’ll talk on
modernizing .NET apps at
17:10 for the Using Docker
track. He literally wrote
the book.
Dockerfiles: the good, the bad, and the
bloated
Let’s start out big
FROM ubuntu:latest
LABEL maintainer abbyfull@amazon.com
RUN apt-get update -y 
RUN apt-get install -y python-pip python-dev build-
essential
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
A little bit better
FROM ubuntu:latest
LABEL maintainer abbyfull@amazon.com
RUN apt-get update -y && apt-get install -y python-
pip python-dev build-essential –no-install-recommends
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Let’s try a different base
FROM python:2.7-alpine
LABEL maintainer abbyfull@amazon.com
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Or, let’s try a custom base container
FROM 621169296726.dkr.ecr.us-
east-1.amazonaws.com/dockercon-base:latest
LABEL maintainer abbyfull@amazon.com
COPY . /app
WORKDIR /app
EXPOSE 5000
ENTRYPOINT ["python"]
CMD ["application.py"]
Use RUN statements effectively
RUN apt-get update && apt-get install -y 
    aufs-tools 
    automake 
    build-essential 
    ruby1.9.1 
    ruby1.9.1-dev 
    s3cmd=1.1.* 
&& rm -rf /var/lib/apt/lists/*
Switching USER adds layers
RUN groupadd –r dockercon && useradd –r –g
dockercon dockercon
USER dockercon
RUN apt-get update && apt-get install -y 
    aufs-tools 
    automake 
    build-essential
USER root
COPY . /app
Avoid ADDing large files
BAD:
ADD http://cruft.com/bigthing.tar.xz /app/cruft/
RUN tar -xvf /app/cruft/bigthing.tar.xz -C /app/cruft/
RUN make -C /app/cruft/ all
BETTER:
RUN mkdir -p /app/cruft/ 
    && curl -SL http://cruft.com/bigthing.tar.xz  | tar -xJC /
app/cruft/ && make -C /app/cruft/ all
BEST
RUN mkdir -p /app/cruft/ 
    && curl -SL http://cruft.com/
bigthing.tar.xz  | tar -xvf /app/
cruft/ 
   && make -C /app/cruft/ all && 
rm /app/cruft/bigthing.tar.xz
Let’s get (language) specific
A few language-specific best practices
Use the right tool: not every language needs to be built the
same way.
•Where possible, use two images:  one to build an artifact,
and one from base
•Official language images can be huge:  more space
effective to use a more minimal image, but there are
tradeoffs
First stop: Golang
Compile, then COPY binary:
$  go build -o dockercon .
$  docker build -t dockercon .
Dockerfile:
FROM scratch
COPY ./dockercon /dockercon
ENTRYPOINT ["/dockercon"]
Quick detour: what’s scratch?
Special, empty Dockerfile.
Use this to build your own base images.
Or, use to build minimal images that run a binary and nothing else:
FROM scratch
COPY hello /
CMD [ “/hello” ]
Want more on scratch? Start here.
Back to business: Ruby
Official images for Ruby are extra huge.  A new base + a little extra
work pays off.
FROM alpine:3.2
LABEL maintainer abbyfull@amazon.com
RUN apk update && apk upgrade && apk add 
    curl 
    bashruby 
    ruby-dev 
    ruby-bundler
RUN rm -rf /var/cache/apk/*
Next: node.js
If you love yourself, .dockerignore npm-debug.log. 
Seriously.
But most importantly, cache node_modules:
COPY package.json .
RUN npm install --production
COPY . .
This way, only run npm install if package.json changes. 
Java!
Multi-stage builds are your friend:
FROM maven:3.5-jdk-8 as BUILD
COPY --from=BUILD
Like, Golang, this let’s you build an artifact in one stage, and simply
run the binary in the second stage, resulting in more minimal final
images.
More on multistage builds up next.
Multi-stage builds
FROM ubuntu AS build-env
RUN apt-get install make
ADD . /src
RUN cd /src && make
And for the second Dockerfile, copy from #1:
FROM busybox
COPY --from=build-env /src/build/app /usr/local/bin/app
EXPOSE 80
ENTRYPOINT /usr/local/bin/app
Tools are here to help
With great containers comes great responsibility
• Document!
• Automate where possible
• AWS has a few tenants for
services: secure, resilient,
scaleable
• Lean on (the right) tools for a
helping hand
Docker Security Scan
Docker Security Scan
Docker Image + System Prune
Docker image prune:
$ docker image prune –a
Alternatively, go even further with Docker system prune:
$ docker system prune -a
The importance of garbage collection
• Clean up after your containers! Beyond
image and system prune:
• Make sure your orchestration platform
(like ECS or K8s) is garbage collecting:
• ECS
• Kubernetes
• 3rd party tools like spotify-gc
Looking forward to the future
But wait, there’s always more!
• Always new and better things coming
• Linux and Windows Server
• Official image are multi-platform
• Always new and better minimal
images and operating systems
coming out for containers
So what did we learn?
One takeaway:  less  layers is more.
•Share layers where possible
•Choose or build your base wisely
•Not all languages should build the same
•Keep it simple, avoid extras
•Tools are here to help
Useful links
Docker image documentation
Docker scratch
atsea sample app
Arun Gupta on smaller Java images
Elton Stoneman Windows Dockerfiles
Alpine (the base image from the examples)
Running Linux containers on Windows
Docker garbage collection
Image cleanup in Amazon ECS
Image cleanup in Kubernetes
spotify-gc
Thanks!
@abbyfuller

More Related Content

More from Docker, Inc.

Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
Docker, Inc.
 
Virtual Meetup Docker + Arm: Building Multi-arch Apps with Buildx
Virtual Meetup Docker + Arm: Building Multi-arch Apps with BuildxVirtual Meetup Docker + Arm: Building Multi-arch Apps with Buildx
Virtual Meetup Docker + Arm: Building Multi-arch Apps with Buildx
Docker, Inc.
 

More from Docker, Inc. (20)

Hands-on Helm
Hands-on Helm Hands-on Helm
Hands-on Helm
 
Distributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at SalesforceDistributed Deep Learning with Docker at Salesforce
Distributed Deep Learning with Docker at Salesforce
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker HubThe First 10M Pulls: Building The Official Curl Image for Docker Hub
The First 10M Pulls: Building The Official Curl Image for Docker Hub
 
Monitoring in a Microservices World
Monitoring in a Microservices WorldMonitoring in a Microservices World
Monitoring in a Microservices World
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
 
Predicting Space Weather with Docker
Predicting Space Weather with DockerPredicting Space Weather with Docker
Predicting Space Weather with Docker
 
Become a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio CodeBecome a Docker Power User With Microsoft Visual Studio Code
Become a Docker Power User With Microsoft Visual Studio Code
 
How to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container RegistryHow to Use Mirroring and Caching to Optimize your Container Registry
How to Use Mirroring and Caching to Optimize your Container Registry
 
Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!Monolithic to Microservices + Docker = SDLC on Steroids!
Monolithic to Microservices + Docker = SDLC on Steroids!
 
Kubernetes at Datadog Scale
Kubernetes at Datadog ScaleKubernetes at Datadog Scale
Kubernetes at Datadog Scale
 
Labels, Labels, Labels
Labels, Labels, Labels Labels, Labels, Labels
Labels, Labels, Labels
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment ModelUsing Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
 
Build & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWSBuild & Deploy Multi-Container Applications to AWS
Build & Deploy Multi-Container Applications to AWS
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
 
Developing with Docker for the Arm Architecture
Developing with Docker for the Arm ArchitectureDeveloping with Docker for the Arm Architecture
Developing with Docker for the Arm Architecture
 
Sharing is Caring: How to Begin Speaking at Conferences
Sharing is Caring: How to Begin Speaking at ConferencesSharing is Caring: How to Begin Speaking at Conferences
Sharing is Caring: How to Begin Speaking at Conferences
 
Virtual Meetup Docker + Arm: Building Multi-arch Apps with Buildx
Virtual Meetup Docker + Arm: Building Multi-arch Apps with BuildxVirtual Meetup Docker + Arm: Building Multi-arch Apps with Buildx
Virtual Meetup Docker + Arm: Building Multi-arch Apps with Buildx
 
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
DCSF 19 How Entergy is Mitigating Legacy Windows Operating System Vulnerabili...
 
DCSF 19 Developing Apps with Containers, Functions and Cloud Services
DCSF 19 Developing Apps with Containers, Functions and Cloud ServicesDCSF 19 Developing Apps with Containers, Functions and Cloud Services
DCSF 19 Developing Apps with Containers, Functions and Cloud Services
 
DCSF 19 eBPF Superpowers
DCSF 19 eBPF SuperpowersDCSF 19 eBPF Superpowers
DCSF 19 eBPF Superpowers
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 

Recently uploaded (20)

Google I/O Extended 2024 Warsaw
Google I/O Extended 2024 WarsawGoogle I/O Extended 2024 Warsaw
Google I/O Extended 2024 Warsaw
 
AI mind or machine power point presentation
AI mind or machine power point presentationAI mind or machine power point presentation
AI mind or machine power point presentation
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
Design Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptxDesign Guidelines for Passkeys 2024.pptx
Design Guidelines for Passkeys 2024.pptx
 
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
Working together SRE & Platform Engineering
Working together SRE & Platform EngineeringWorking together SRE & Platform Engineering
Working together SRE & Platform Engineering
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!State of the Smart Building Startup Landscape 2024!
State of the Smart Building Startup Landscape 2024!
 
Introduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptxIntroduction to FIDO Authentication and Passkeys.pptx
Introduction to FIDO Authentication and Passkeys.pptx
 
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on ThanabotsContinuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots
 
ERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage IntacctERP Contender Series: Acumatica vs. Sage Intacct
ERP Contender Series: Acumatica vs. Sage Intacct
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024Extensible Python: Robustness through Addition - PyCon 2024
Extensible Python: Robustness through Addition - PyCon 2024
 
Event-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream ProcessingEvent-Driven Architecture Masterclass: Challenges in Stream Processing
Event-Driven Architecture Masterclass: Challenges in Stream Processing
 
ADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptxADP Passwordless Journey Case Study.pptx
ADP Passwordless Journey Case Study.pptx
 
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The InsideCollecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
Collecting & Temporal Analysis of Behavioral Web Data - Tales From The Inside
 
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
FDO for Camera, Sensor and Networking Device – Commercial Solutions from VinC...
 
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
(Explainable) Data-Centric AI: what are you explaininhg, and to whom?
 

Creating Effective Docker Images

  • 1. Creating Effective Images Sr Technical Evangelist, AWS @abbyfuller Abby Fuller
  • 2. • How do layers work? • The basics for building minimal images • High level best practices for Windows containers • Dockerfiles:  the good, the bad, and the bloated • Let’s get (language) specific • Tools are here to help • Looking forward to the future Agenda
  • 4. What are container layers? read-only container layers Thin read-write layer
  • 5. Why do I care how many layers I have? More layers mean a larger image. The larger the image, the longer that it takes to both build, and push and pull from a registry. Smaller images mean faster builds and deploys. This also means a smaller attack surface.
  • 6. OK, so how can I reduce my layers? Sharing is caring. • Use shared base images where possible • Limit the data written to the container layer • Chain RUN statements • Prevent cache misses at build for as long as possible
  • 8. A Dockerfile is a series of instructions for building images.
  • 9. Cache rules everything around me CACHE
  • 10. Let’s start with a Dockerfile FROM ubuntu:latest LABEL maintainer abbyfull@amazon.com RUN apt-get update -y && apt-get install -y python-pip python-dev build-essential COPY . /app WORKDIR /app RUN pip install –r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 11. First step: choosing the right base From the stock ubuntu image: ubuntu              latest              2b1dc137b502        52 seconds ago      458 MB From python:2.7-alpine: alpine              latest              d3145c9ba1fa        2 minutes ago       86.8 MB
  • 12. Slightly better- choose a different distro alpine     latest        d3145c9ba1fa       3.9 MB python     3.6.1-slim    60952d8b5aeb       200 MB debian     latest        8cedef9d7368       123 MB python     2.7-alpine    b63d02d8829b       71.5 MB ubuntu     latest        0ef2e08ed3fa       130 MB fedora     latest        4daa661b467f       231 MB
  • 13. When do I want a full base OS? (I do actually like Ubuntu!) • Security • Compliance • Ease of development
  • 14. Let’s look at our original Ubuntu image FROM ubuntu:latest RUN apt-get update -y && apt-get install -y python-pip python-dev build-essential LABEL maintainer abbyfull@amazon.com COPY . /app WORKDIR /app RUN pip install –r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 15. Simple changes, big results FROM python:2.7-alpine LABEL maintainer abbyfull@amazon.com COPY . /app WORKDIR /app RUN pip install –r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 16. Fewer cache invalidations=smaller images FROM python:2.7-alpine LABEL maintainer abbyfull@amazon.com COPY requirements.txt /app RUN pip install –r /app/requirements.txt COPY . /app WORKDIR /app EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 17. Got application code? FROM python:2.7-alpine LABEL maintainer abbyfull@amazon.com ONBUILD ADD requirements.txt /app ONBUILD RUN pip install –r /app/requirements.txt ONBUILD COPY . /app WORKDIR /app EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 18. Let’s recap. TL;DR: layers represent filesystem differences. Layers add up quickly with big consequences.
  • 19. Some high-level best practices: Windows
  • 20. Port over existing VM workloads Convert an existing Windows image: ConvertTo-Dockerfile -ImagePath c:dockermyimage.wim Convert from VHD: ConvertTo-Dockerfile -ImagePath c:vmstest.vhd -Artifact IIS - ArtifactParam windows-container -OutputPath c:windows-container cd c:windows-container docker build -t windows-container . docker run -d -p 80:80 windows-container
  • 21. Some things to think about Watch what you build:      c:   c:    /  /windows c:/windows Building any of those PATHs will make your image very large!
  • 22. Avoid installing packages with MSI MSI installations are not space efficient. This is not the same as Linux distros, where you can add, use, and remove the installation files! $  Windows/Installer/<package>.msi Windows saves these files for uninstalls :(
  • 23. Coming up soon Run Linux containers “as-is” on Windows Server!
  • 24. Here’s whats really cool though Build and run everything the same, regardless of container OS, host OS, or tools. Just docker build and docker run.
  • 25. …but I’m not a Windows expert So go to see Elton instead! He’ll talk on modernizing .NET apps at 17:10 for the Using Docker track. He literally wrote the book.
  • 26. Dockerfiles: the good, the bad, and the bloated
  • 27. Let’s start out big FROM ubuntu:latest LABEL maintainer abbyfull@amazon.com RUN apt-get update -y  RUN apt-get install -y python-pip python-dev build- essential COPY . /app WORKDIR /app RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 28. A little bit better FROM ubuntu:latest LABEL maintainer abbyfull@amazon.com RUN apt-get update -y && apt-get install -y python- pip python-dev build-essential –no-install-recommends COPY . /app WORKDIR /app RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 29. Let’s try a different base FROM python:2.7-alpine LABEL maintainer abbyfull@amazon.com COPY . /app WORKDIR /app RUN pip install -r requirements.txt EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 30. Or, let’s try a custom base container FROM 621169296726.dkr.ecr.us- east-1.amazonaws.com/dockercon-base:latest LABEL maintainer abbyfull@amazon.com COPY . /app WORKDIR /app EXPOSE 5000 ENTRYPOINT ["python"] CMD ["application.py"]
  • 31. Use RUN statements effectively RUN apt-get update && apt-get install -y     aufs-tools     automake     build-essential     ruby1.9.1     ruby1.9.1-dev     s3cmd=1.1.* && rm -rf /var/lib/apt/lists/*
  • 32. Switching USER adds layers RUN groupadd –r dockercon && useradd –r –g dockercon dockercon USER dockercon RUN apt-get update && apt-get install -y     aufs-tools     automake     build-essential USER root COPY . /app
  • 33. Avoid ADDing large files BAD: ADD http://cruft.com/bigthing.tar.xz /app/cruft/ RUN tar -xvf /app/cruft/bigthing.tar.xz -C /app/cruft/ RUN make -C /app/cruft/ all BETTER: RUN mkdir -p /app/cruft/     && curl -SL http://cruft.com/bigthing.tar.xz | tar -xJC / app/cruft/ && make -C /app/cruft/ all
  • 34. BEST RUN mkdir -p /app/cruft/     && curl -SL http://cruft.com/ bigthing.tar.xz | tar -xvf /app/ cruft/    && make -C /app/cruft/ all && rm /app/cruft/bigthing.tar.xz
  • 36. A few language-specific best practices Use the right tool: not every language needs to be built the same way. •Where possible, use two images:  one to build an artifact, and one from base •Official language images can be huge:  more space effective to use a more minimal image, but there are tradeoffs
  • 37. First stop: Golang Compile, then COPY binary: $  go build -o dockercon . $  docker build -t dockercon . Dockerfile: FROM scratch COPY ./dockercon /dockercon ENTRYPOINT ["/dockercon"]
  • 38. Quick detour: what’s scratch? Special, empty Dockerfile. Use this to build your own base images. Or, use to build minimal images that run a binary and nothing else: FROM scratch COPY hello / CMD [ “/hello” ] Want more on scratch? Start here.
  • 39. Back to business: Ruby Official images for Ruby are extra huge.  A new base + a little extra work pays off. FROM alpine:3.2 LABEL maintainer abbyfull@amazon.com RUN apk update && apk upgrade && apk add     curl     bashruby     ruby-dev     ruby-bundler RUN rm -rf /var/cache/apk/*
  • 40. Next: node.js If you love yourself, .dockerignore npm-debug.log.  Seriously. But most importantly, cache node_modules: COPY package.json . RUN npm install --production COPY . . This way, only run npm install if package.json changes. 
  • 41. Java! Multi-stage builds are your friend: FROM maven:3.5-jdk-8 as BUILD COPY --from=BUILD Like, Golang, this let’s you build an artifact in one stage, and simply run the binary in the second stage, resulting in more minimal final images. More on multistage builds up next.
  • 42. Multi-stage builds FROM ubuntu AS build-env RUN apt-get install make ADD . /src RUN cd /src && make And for the second Dockerfile, copy from #1: FROM busybox COPY --from=build-env /src/build/app /usr/local/bin/app EXPOSE 80 ENTRYPOINT /usr/local/bin/app
  • 43. Tools are here to help
  • 44. With great containers comes great responsibility • Document! • Automate where possible • AWS has a few tenants for services: secure, resilient, scaleable • Lean on (the right) tools for a helping hand
  • 47. Docker Image + System Prune Docker image prune: $ docker image prune –a Alternatively, go even further with Docker system prune: $ docker system prune -a
  • 48. The importance of garbage collection • Clean up after your containers! Beyond image and system prune: • Make sure your orchestration platform (like ECS or K8s) is garbage collecting: • ECS • Kubernetes • 3rd party tools like spotify-gc
  • 49. Looking forward to the future
  • 50. But wait, there’s always more! • Always new and better things coming • Linux and Windows Server • Official image are multi-platform • Always new and better minimal images and operating systems coming out for containers
  • 51. So what did we learn? One takeaway:  less  layers is more. •Share layers where possible •Choose or build your base wisely •Not all languages should build the same •Keep it simple, avoid extras •Tools are here to help
  • 52. Useful links Docker image documentation Docker scratch atsea sample app Arun Gupta on smaller Java images Elton Stoneman Windows Dockerfiles Alpine (the base image from the examples) Running Linux containers on Windows Docker garbage collection Image cleanup in Amazon ECS Image cleanup in Kubernetes spotify-gc