https://github.com/koniz-dev/docker-cookbook
A comprehensive collection of production-grade Dockerfile best practices, optimizations, and security patterns for Java, Python, Node.js, Go, and React.
https://github.com/koniz-dev/docker-cookbook
best-practices devops distroless docker dockerfile go golang java node nodejs optimization python react security
Last synced: 2 days ago
JSON representation
A comprehensive collection of production-grade Dockerfile best practices, optimizations, and security patterns for Java, Python, Node.js, Go, and React.
- Host: GitHub
- URL: https://github.com/koniz-dev/docker-cookbook
- Owner: koniz-dev
- License: mit
- Created: 2025-12-29T03:49:11.000Z (6 months ago)
- Default Branch: main
- Last Pushed: 2026-05-25T17:10:22.000Z (about 1 month ago)
- Last Synced: 2026-05-25T18:31:01.570Z (about 1 month ago)
- Topics: best-practices, devops, distroless, docker, dockerfile, go, golang, java, node, nodejs, optimization, python, react, security
- Language: Dockerfile
- Size: 251 KB
- Stars: 1
- Watchers: 0
- Forks: 1
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# 🐳 Docker Cookbook
> **A collection of production-grade Dockerfile best practices, optimization patterns, and advanced techniques.**
This project provides comprehensive guides, ranging from fundamentals to advanced (and extreme) optimization techniques, helping you build Docker images that are:
- 📉 **Smallest** (Size optimization)
- 🚀 **Fastest Startup** (Startup optimization)
- 🛡️ **Most Secure** (Security hardening)
- ⚡ **Most Efficient** (Build caching & CI/CD)
---
## 📂 Project Structure
The project is organized into modules based on popular languages/frameworks:
### 1. 📘 [COOKBOOK.md](./COOKBOOK.md) (Core Guide)
The foundational guide applicable to all stacks:
- **Fundamentals**: Containers vs VMs, Layers, OCI standards.
- **Size Optimization**: Multi-stage builds, UPX, Brotli.
- **Security**: Non-root users, distroless images, vulnerability scanning.
- **BuildKit**: Cache mounts, secrets, SSH agents.
- **CI/CD & Compose**: Standard patterns for DevOps.
### 2. ☕ [Java / Spring Boot](./java/README.md)
Optimized for the Java ecosystem:
- **Zero-waste**: Custom JRE with `jlink` (~40MB JRE).
- **Fast Startup**: JVM Tuning, CDS, Spring Boot Layertools.
- **Security**: Distroless images, auto-dependency updates.
- **Native**: GraalVM Native Image compilation.
### 3. 🐍 [Python / FastAPI](./python/README.md)
Optimized for Python backends:
- **Performance**: `uv` package manager (10-100x faster than pip), `PYTHONOPTIMIZE`.
- **Compatibility**: Solving `glibc` vs `musl` (Alpine) issues.
- **Security**: Multi-arch Distroless, CVE auto-patching.
- **Structure**: Virtual environment patterns.
### 4. 🟩 [Node.js / Express](./node/README.md)
Optimized for Node.js Backends/APIs:
- **Stability**: `tini` for proper signal handling (PID 1).
- **Security**: non-root user enforcement, distroless options.
- **Efficiency**: `pnpm deploy` for ultimate dependency pruning.
- **Production**: Multi-stage builds with minimal final image.
### 5. 🐹 [Golang](./go/README.md)
Optimized for Go Applications:
- **Static**: `CGO_ENABLED=0` pure Go builds.
- **Extreme**: `FROM scratch` + UPX compression (~2-5MB final image).
- **Self-contained**: Inject SSL certs and user data into scratch.
- **Security**: Zero-OS images for maximum hardening.
### 6. ⚛️ [React / Vite](./react/README.md)
Optimized for Frontend SPAs:
- **Extreme Size**: Scratch image with statically compiled Nginx (~5MB).
- **Performance**: Pre-compression (Gzip), Nginx caching strategy.
- **Routing**: SPA fallback patterns.
### 7. 🦀 [Rust / Axum](./rust/README.md)
Optimized for Rust services:
- **cargo-chef**: cached dependency builds.
- **Static musl**: portable single binary.
- **Distroless static**: ~9 MB final image.
### 8. 🥟 [Bun](./bun/README.md)
Optimized for Bun runtimes:
- **`bun install`**: 5-20× faster than npm.
- **`--compile`**: standalone executable for distroless deploys.
### 9. 🟣 [.NET / ASP.NET Core](./dotnet/README.md)
Optimized for .NET 9 services:
- **Chiseled Ubuntu**: distroless-style runtime, glibc-based.
- **Non-root by default** (UID 1654, `app` user).
- **`CreateSlimBuilder`**: trim-friendly minimal API host.
---
## 🚀 Quick Start
### Check out Examples
Each module contains ready-to-run `Dockerfile` examples:
```bash
# All variants in one shot via the Makefile
make build # build every cookbook-* image
make sizes # print a Markdown table of real measured sizes
make sizes.md # write SIZES.md
./scripts/bench.sh # cold start + RSS + throughput → BENCHMARKS.md
# Or build individually
docker build -t java-app ./java
docker build -f java/Dockerfile.distroless -t java-secure ./java
docker build -f go/Dockerfile.scratch -t go-extreme ./go
# ...etc
```
> **Sample apps** are included in each language folder (a minimal HTTP server
> with `/` and `/health`). So `docker build ./go` works end-to-end against the
> sample; swap in your own app code by replacing the sources.
See [`SIZES.md`](./SIZES.md) and [`BENCHMARKS.md`](./BENCHMARKS.md) for live measurements, and [`docs/distroless-debugging.md`](./docs/distroless-debugging.md) for surviving when something breaks inside a shell-less image.
### Copy and Apply
1. Navigate to the directory matching your stack.
2. Read the `README.md` to understand the concepts.
3. Copy the sample `Dockerfile`.
4. Adjust filenames, ports, and build commands to fit your project.
---
## 💡 Philosophy
1. **Defaults to Secure**: Always run as non-root, read-only filesystem where possible.
2. **Every Byte Counts**: No waste, no redundant caches in production images.
3. **Build Once, Run Anywhere**: Leverage multi-platform builds.
4. **Fail Fast**: Proper healthchecks and signal handling.
---
## 🤝 Contributing
All contributions (PRs, Issues) are welcome! Please open an issue if you'd like to request a guide for another framework (Golang, Rust, Node.js API, etc.).
---
*© 2025 Koniz Dev. Open source under MIT License.*