Intro Guide to Dockerfile Best Practices

There are over one million Dockerfiles on GitHub today, but not all Dockerfiles are created equally. Efficiency is critical, and this blog series will cover five areas for Dockerfile best practices to help you write better Dockerfiles: incremental build time, image size, maintainability, security and repeatability. If you’re just beginning with Docker, this first blog post is for you! The next posts in the series will be more advanced.

Important note: the tips below follow the journey of ever-improving Dockerfiles for an example Java project based on Maven. The last Dockerfile is thus the recommended Dockerfile, while all intermediate ones are there only to illustrate specific best practices.

Incremental build time

In a development cycle, when building a Docker image, making code changes, then rebuilding, it is important to leverage caching. Caching helps to avoid running build steps again when they don’t need to.

Tip #1: Order matters for caching

However, the order of the build steps (Dockerfile instructions) matters, because when a step’s cache is invalidated by changing files or modifying lines in the Dockerfile, subsequent steps of their cache will break. Order your steps from least to most frequently changing steps to optimize caching.

Tip #2: More specific COPY to limit cache busts

Only copy what’s needed. If possible, avoid “COPY  .” When copying files into your image, make sure you are very specific about what you want to copy. Any changes to the files being copied will break the cache. In the example above, only the pre-built jar application is needed inside the image, so only copy that. That way unrelated file changes will not affect the cache.

Tip #3: Identify cacheable units such as apt-get update & install

Each RUN instruction can be seen as a cacheable unit of execution. Too many of them can be unnecessary, while chaining all commands into one RUN instruction can bust the cache easily, hurting the development cycle. When installing packages from package managers, you always want to update the index and install packages in the same RUN: they form together one cacheable unit. Otherwise you risk installing outdated packages.

Reduce Image size

Image size can be important because smaller images equal faster deployments and a smaller attack surface.

Tip #4: Remove unnecessary dependencies

Remove unnecessary dependencies and do not install debugging tools. If needed debugging tools can always be installed later. Certain package managers such as apt, automatically install packages that are recommended by the user-specified package, unnecessarily increasing the footprint. Apt has the –no-install-recommends flag which ensures that dependencies that were not actually needed are not installed. If they are needed, add them explicitly.

Tip #5: Remove package manager cache

Package managers maintain their own cache which may end up in the image. One way to deal with it is to remove the cache in the same RUN instruction that installed packages. Removing it in another RUN instruction would not reduce the image size.

There are further ways to reduce image size such as multi-stage builds which will be covered at the end of this blog post. The next set of best practices will look at how we can optimize for maintainability, security, and repeatability of the Dockerfile.

Maintainability

Tip #6: Use official images when possible

Official images can save a lot of time spent on maintenance because all the installation stamps are done and best practices are applied. If you have multiple projects, they can share those layers because they use exactly the same base image.

Tip #7: Use more specific tags

Do not use the latest tag. It has the convenience of always being available for official images on Docker Hub but there can be breaking changes over time. Depending on how far apart in time you rebuild the Dockerfile without cache, you may have failing builds.

Instead, use more specific tags for your base images. In this case, we’re using openjdk. There are a lot more tags available so check out the Docker Hub documentation for that image which lists all the existing variants.

Tip #8: Look for minimal flavors

Some of those tags have minimal flavors which means they are even smaller images. The slim variant is based on a stripped down Debian, while the alpine variant is based on the even smaller Alpine Linux distribution image. A notable difference is that debian still uses GNU libc while alpine uses musl libc which, although much smaller, may in some cases cause compatibility issues. In the case of openjdk, the jre flavor only contains the java runtime, not the sdk; this also drastically reduces the image size.

Reproducibility

So far the Dockerfiles above have assumed that your jar artifact was built on the host. This is not ideal because you lose the benefits of the consistent environment provided by containers. For instance if your Java application depends on specific libraries it may introduce unwelcome inconsistencies depending on which computer the application is built.

Tip #9: Build from source in a consistent environment

The source code is the source of truth from which you want to build a Docker image. The Dockerfile is simply the blueprint.

You should start by identifying all that’s needed to build your application. Our simple Java application requires Maven and the JDK, so let’s base our Dockerfile off of a specific minimal official maven image from Docker Hub, that includes the JDK. If you needed to install more dependencies, you could do so in a RUN step.

The pom.xml and src folders are copied in as they are needed for the final RUN step that produces the app.jar application with mvn package. (The -e flag is to show errors and -B to run in non-interactive aka “batch” mode).

We solved the inconsistent environment problem, but introduced another one: every time the code is changed, all the dependencies described in pom.xml are fetched. Hence the next tip.

Tip #10: Fetch dependencies in a separate step

By again thinking in terms of cacheable units of execution, we can decide that fetching dependencies is a separate cacheable unit that only needs to depend on changes to pom.xml and not the source code. The RUN step between the two COPY steps tells Maven to only fetch the dependencies.

There is one more problem that got introduced by building in consistent environments: our image is way bigger than before because it includes all the build-time dependencies that are not needed at runtime.

Tip #11: Use multi-stage builds to remove build dependencies (recommended Dockerfile)

Multi-stage builds are recognizable by the multiple FROM statements. Each FROM starts a new stage. They can be named with the AS keyword which we use to name our first stage “builder” to be referenced later. It will include all our build dependencies in a consistent environment.

The second stage is our final stage which will result in the final image. It will include the strict necessary for the runtime, in this case a minimal JRE (Java Runtime) based on Alpine. The intermediary builder stage will be cached but not present in the final image. In order to get build artifacts into our final image, use COPY --from=STAGE_NAME. In this case, STAGE_NAME is builder.

Multi-stage builds is the go-to solution to remove build-time dependencies.

We went from building bloated images inconsistently to building minimal images in a consistent environment while being cache-friendly. In the next blog post, we will dive more into other uses of multi-stage builds.


New blog from #Docker: Intro guide to Dockerfile best practices
Click To Tweet


Additional Resources:  

The post Intro Guide to Dockerfile Best Practices appeared first on Docker Blog.

via Docker Blog
Intro Guide to Dockerfile Best Practices

How to make any Laravel application multi-tenant in 5 minutes

We will be implementing a multi-database tenancy package of mine, stancl/tenancy into a simple Laravel blog example I found on GitHub.

The main feature of the package is that you don’t have to make any changes to your app’s code. After it identifies the tenant using the hostname, it automatically configures database, Redis, cache and the filesystem for that tenant.

This tutorial explains the basics of making an app multi-tenant using this package. For a real-world production application, you should read the documentation. It’s not long.

Installing the tenancy package

The package supports Laravel 5.7 and 5.8.

You will also need Redis and phpredis.

composer require stancl/tenancy

Adding middleware

Open app/Http/Kernel.php and make the Stancl\Tenancy\Middleware\InitializeTenancy middleware top priority, to make sure everything is configured for tenancy before any code is run.

protected $middlewarePriority = [ \Stancl\Tenancy\Middleware\InitializeTenancy::class, // ... ];

Making the routes multi-tenant

The package lets you have tenant routes in routes/tenant.php and shared routes in routes/web.php. When someone visits a tenant route, the InitializeMiddleware will configure everything for tenancy. If you have some content you don’t want to apply tenany for, such as landing pages, sign up pages, etc, put those into web.php.

Since we don’t have any shared content, we’ll just rename routes/web.php to routes/tenant.php and create an empty routes/web.php file.

Configuration

First you need to publish the configuration file of the package. Run

php artisan vendor:publish --provider='Stancl\Tenancy\TenancyServiceProvider' --tag=config

and you should see something along the lines of Copied File [...] to [/config/tenancy.php].

This lets us make changes to the configuration file of the tenancy package. I don’t want to use MySQL for this simple repository, so I will change the DB driver for the application in .env and for the package in config/tenancy.php:

// .env DB_CONNECTION=sqlite // config/tenancy.php 'database' => [ 'based_on' => 'sqlite', // ... ],

Creating a Redis connection

By default, the package uses Redis as the "central" storage — for storing data about tenants. Redis is ideal for this thanks to its high performance. You don’t really need to use a relational database for this.

Add this to database.redis config:

'tenancy' => [ 'host' => env('TENANCY_REDIS_HOST', '127.0.0.1'), 'password' => env('TENANCY_REDIS_PASSWORD', null), 'port' => env('TENANCY_REDIS_PORT', 6379), 'database' => env('TENANCY_REDIS_DB', 3), ],

Make sure you use a unique database number — Redis supports 16 databases which let you have multiple applications use the same Redis instance without any conflicts.

Creating tenants

We’ll create two tenants to see that the data separation works correctly. We’ll be using php artisan tinker to keep it simple. For your app, you should create a page that does this.

We’ll use these two subdomains:

  • tenant1.localhost
  • tenant2.localhost

Anything under the .localhost TLD is automatically redirected to 127.0.0.1, so we don’t have to make any changes to /etc/hosts.

Open php artisan tinker and run these two functions:

>>> tenant()->create('tenant1.localhost') => [ "uuid" => "e5611150-9a9e-11e9-8315-b9eb127de2b8", "domain" => "tenant1.localhost", ] >>> tenant()->create('tenant2.localhost') => [ "uuid" => "e8002ec0-9a9e-11e9-8095-51e64ce28359", "domain" => "tenant2.localhost", ]

Migrations

We’ll move all migrations from database/migrations to database/migrations/tenant so that we can run them for our tenants.

touch database/migrations/tenant mv database/migrations/*.php database/migrations/tenant

Now we run php artisan tenants:migrate:

php artisan tenants:migrate Tenant: e8002ec0-9a9e-11e9-8095-51e64ce28359 (tenant2.localhost) Migrating: 2014_10_12_000000_create_users_table Migrated: 2014_10_12_000000_create_users_table Migrating: 2014_10_12_100000_create_password_resets_table Migrated: 2014_10_12_100000_create_password_resets_table Migrating: 2017_03_04_131126_create_posts_table Migrated: 2017_03_04_131126_create_posts_table Migrating: 2017_03_04_131334_create_categories_table Migrated: 2017_03_04_131334_create_categories_table Migrating: 2017_03_04_131558_create_tags_table Migrated: 2017_03_04_131558_create_tags_table Migrating: 2017_03_04_131702_create_post_tag_table Migrated: 2017_03_04_131702_create_post_tag_table Migrating: 2017_03_04_131909_create_comments_table Migrated: 2017_03_04_131909_create_comments_table Migrating: 2017_03_04_133429_add_columns_to_user Migrated: 2017_03_04_133429_add_columns_to_user Tenant: e5611150-9a9e-11e9-8315-b9eb127de2b8 (tenant1.localhost) Migrating: 2014_10_12_000000_create_users_table Migrated: 2014_10_12_000000_create_users_table Migrating: 2014_10_12_100000_create_password_resets_table Migrated: 2014_10_12_100000_create_password_resets_table Migrating: 2017_03_04_131126_create_posts_table Migrated: 2017_03_04_131126_create_posts_table Migrating: 2017_03_04_131334_create_categories_table Migrated: 2017_03_04_131334_create_categories_table Migrating: 2017_03_04_131558_create_tags_table Migrated: 2017_03_04_131558_create_tags_table Migrating: 2017_03_04_131702_create_post_tag_table Migrated: 2017_03_04_131702_create_post_tag_table Migrating: 2017_03_04_131909_create_comments_table Migrated: 2017_03_04_131909_create_comments_table Migrating: 2017_03_04_133429_add_columns_to_user Migrated: 2017_03_04_133429_add_columns_to_user

Note: If you’re using the same sample blog repository as I chose, you might have to tweak the 2017_03_04_133429_add_columns_to_user migration (make the API key nullable). This is not an issue with the tenancy package but with the blog repository. I have submitted a PR so by the time you’re reading this, this should no longer be an issue.

Seeding the database

php artisan tenants:seed --class DummyDataSeeder Tenant: e8002ec0-9a9e-11e9-8095-51e64ce28359 (tenant2.localhost) Database seeding completed successfully. Tenant: e5611150-9a9e-11e9-8315-b9eb127de2b8 (tenant1.localhost) Database seeding completed successfully.

Visiting the sites

I didn’t want to set up Apache or Nginx just for a simple demonstration, so I used:

php artisan serve

Now we can visit the sites. If we visit tenant1.localhost:8000 and tenant2.localhost:8000, we can see two same applications, running from the same source code, but with different content.

First blog

First site

Second blog

Second site

Closing

My package makes it very easy to implement multi-tenancy into any Laravel application in a way that the application code doesn’t have to be aware of any tenancy. The magic is automatically identifying tenants based on the subdomain when a route in the routes/tenant.php file is visited (those routes have the InitializeTenancy middleware applied on them) and then accordingly switching the database and Redis connections and making some changes to the cache and filesystem.

If you’re building a multi-tenant app, I highly recommend using this package. Implementing tenancy on your own can be painful, which is why I created this package — any Laravel application I make can be made multi-tenant in 5 minutes using this package.

Thanks for reading. If you have any questions or suggestions about the package, feel free to open Issues on the GitHub page.

via Laravel News Links
How to make any Laravel application multi-tenant in 5 minutes

Danny DeVito and Danny Glover Dive Into the Hilarious First Trailer for Jumanji: The Next Level

“Did anyone pack my pill case?”
Image: Sony (YouTube)
Trailer FrenzyA special place to find the newest trailers for movies and TV shows you’re craving.  

If you thought Dwayne Johnson channeling a teenage boy in the video game version of “Jumaaanjee,” you ain’t seen nothing yet. Check out the first trailer for Jumanji: The Next Level.

Jumanji: The Next Level is the sequel to the surprise hit Jumanji: Welcome to the Jungle and the story picks up some time after the events of the previous movie, when four teenagers ended up in the bodies of video game avatars (played by Johnson, Kevin Hart, Karen Gillan, and Jack Black), forced to play the game to get out alive.

Spencer (Alex Wolff) has seemingly gone missing inside the now-malfunctioning video game, and it’s up to his three friends to go in after him. Once our heroes step inside, they quickly realize something’s wrong. Bethany’s nowhere to be found, characters are switching places…and two old guys have shown up! That’s right, Danny DeVito and Danny Glover are playing the game too. DeVito’s character is in Johnson’s avatar, and Hart is channeling Glover.

I will say: Watching Johnson and Hart play two old guys is more of a delight than I anticipated. Johnson’s got that Nor’Easter accent down. However, it’ll be sad not seeing Black perfectly channeling Bethany, as Fridge (Ser’Darius Blain) is now in his body.

Jumanji: The Next Level sees the return of Nick Jonas, Madison Iseman, and Morgan Turner, along with a new character played by Awkwafina. The movie debuts on December 13.


For more, make sure you’re following us on our new Instagram @io9dotcom.

via Gizmodo
Danny DeVito and Danny Glover Dive Into the Hilarious First Trailer for Jumanji: The Next Level

Florida Sheriff: ‘If You Need to Shoot Somebody, Shoot ’em a Lot’

Polk County, FL — County Sheriff Grady Judd is a peace officer who knows and appreciates the value of armed citizens. In this short video, he encourages people to get guns and become good at using them.

If you’re not afraid of a gun, get one. Become proficient. Get a concealed firearms license and carry it.

And if you need to shoot somebody, shoot ’em a lot.

He also notes that “the armed assailant doesn’t plan on you fighting back. He plans on having a gun, doing all the shooting, and you’re just the sitting duck.”

Well the ducks need to shoot back.

Good advice. It worked for the guy who was attacked at a gas pump last month. He put one bad guy in the hospital and walked away. Don’t you just love a happy ending?

Enjoy the video; it won’t take much of your time.

Sheriff Judd: Prepare yourself, fight back

Sheriff Judd says everyone needs to prepare for an active shooter. If you’re comfortable with a gun, arm yourself, he says. "And if you need to shoot somebody, shoot ’em a lot." MORE: fox13news.com/news/local-news/262968643-story

Posted by FOX 13 News – Tampa Bay on Wednesday, June 21, 2017

The post Florida Sheriff: ‘If You Need to Shoot Somebody, Shoot ’em a Lot’ appeared first on AllOutdoor.com.

via All Outdoor
Florida Sheriff: ‘If You Need to Shoot Somebody, Shoot ’em a Lot’