Tips for writing Dockerfile

Started using Docker yet? Here are some tips on writing dockerfile for your application.
While may be obvious to docker experts, these tips might help you avoid common issues.

1. Minimize the number of layers.

FROM ubuntu:16.04
RUN apt-get update
RUN apt-get install node
RUN apt-get install npm
RUN apt-get install curl

Apt-get would be the most used command in all docker files command. While the above dockerfile looks fine, it has a couple of issues.

  1. apt-get update and apt-get install’s are on different lines, which would lead to caching of apt-get update command. Read more on docker build cache.
  2. Each of the RUN statements creates a layer in docker image, this leads to a bulkier image, try clubbing RUN commands logically.

A Better build would start like –

FROM ubuntu:16.04
RUN apt-get update && apt-get install -y curl \

2. Use .dockerignore

Continue reading

Making of a container: Cgroups and Namespaces

Let me clear out one thing – Containers are not a thing. VMs are a thing FreeBSDs Jails and Solaris containers are primitive concepts, Containers are almost a clever trickery over Linux
kernel features.

Most of the container management tool out there including docker are made up from Linux kernel primitives C-groups and namespace;(yes they have a lot of tooling and patches that make the environment more consistent and stable).

C-groups and namespaces
Cgroups and namespace applied on process groups allow the container to have an isolated and accounted environment.


Namespaces provides the necessary isolation on subsystems. This allows the processes to run in their own bubble.
Some of the namespace are listed.

  • pid – Allows processes to see only processes inside the group
  • net – Namespace for the network.Everything from ip tables to routing rules.
  • uts – namespace hostname
  • ipc
  • mnt
  • user

Convenient utility to run process in new namespace UNSHARE(1)
unshare -p -f /bin/bash


Control groups allow for accounting and throttling of sub-systems like io, memory, cpu.

  • Memory cgroup – memory group
  • CPU cgroup
  • CPUset cgroup
  • BlockIo cgroups
  • Network io cgroup
  • Device cgroups

Control groups have a file based Api and can be accessed through /sys/fs/cgroup/. Though its is advised to use a higher level abstraction than directly writing to files.
# tree -L 1 -d /sys/fs/cgroup/

|– blkio
|– cpu -> cpu,cpuacct
|– cpuacct -> cpu,cpuacct
|– cpu,cpuacct
|– cpuset
|– devices
|– freezer
|– hugetlb
|– memory
|– net_cls -> net_cls,net_prio
|– net_cls,net_prio
|– net_prio -> net_cls,net_prio
|– perf_event
|– pids
|– systemd