원클릭으로 Manus에서 모든 스킬 실행

docker

Docker best practices: image security, build efficiency, runtime hardening, Compose, local tooling (Colima, OrbStack). Use when writing or reviewing Dockerfiles and Compose files.

Manus에서 실행

스타48

포크10

업데이트2026년 5월 22일 03:10

출처

SumonMSelim

SumonMSelim/agentguard

GitHub 저장소 열기 Creator 저장소 보기

설치 명령

다운로드

Manus에서 실행

유용한 대상SOC

소프트웨어 개발자컴퓨터 및 수학직15-1252L4

SKILL.md

readonly

name	docker
description	Docker best practices: image security, build efficiency, runtime hardening, Compose, local tooling (Colima, OrbStack). Use when writing or reviewing Dockerfiles and Compose files.

Docker

Image security

Never run as root. Prefer images with built-in non-root user: distroless nonroot, node user in Node images, nobody in Alpine. Otherwise add non-root user and switch: USER appuser
Minimal base: distroless, alpine, or official slim variants
Pin by digest or immutable tag. Never FROM node:latest or image: myapp:latest in Compose
Multi-stage builds: build in full image, copy only artifact to minimal runtime image
No build tools in final image
Scan with Trivy or Grype in CI. Fail on critical/high CVEs
Multi-arch: build with --platform linux/amd64,linux/arm64 for cross-platform targets

Dockerfile

One process per container
Enable BuildKit: DOCKER_BUILDKIT=1. Use --mount=type=cache for dependency caches, --mount=type=secret for build-time secrets
COPY specific files. Avoid COPY . . when targeted copy suffices
Layer order: least → most frequently changed. COPY package.json before COPY src/
.dockerignore: exclude .git, node_modules, test files, secrets, .env
Explicit WORKDIR. No implicit root working dir
ENTRYPOINT for executable, CMD for default args
No secrets in ENV, ARG, or RUN — persist in layer history. Use --mount=type=secret
HEALTHCHECK on all long-running services

Runtime

Read-only root filesystem where possible: --read-only
Drop all capabilities, re-add only what's needed: --cap-drop ALL --cap-add NET_BIND_SERVICE
No --privileged in production
Set resource limits: --memory, --cpus
Named volumes for persistent data. No bind mounts in production
No secrets via env vars. Use Docker secrets or mounted secret files
Log rotation: set --log-opt max-size=10m --log-opt max-file=3. Unbounded logs fill disks

Compose

compose.yml for local dev only. Production: Kubernetes, ECS, or equivalent
Explicit dependencies: depends_on + condition: service_healthy
Named volumes for persistent data. Never rely on container filesystem
env_file for local config. Never commit .env with real secrets
restart: unless-stopped for crash-resilient services
Custom networks per service group. Avoid default bridge
profiles: for optional services (e.g. debug tools, mock servers). Keep default startup lean

Maintenance

docker system prune -f regularly. Dangling images and stopped containers accumulate fast
docker image prune -a to remove unused images. Run in CI after builds
Inspect layer bloat with dive before pushing large images

Local tooling

Colima: colima start --cpu 4 --memory 8 --disk 60. Default VM is undersized
Switch context after start: docker context use colima
colima stop when not in use. Idle VM still consumes resources
OrbStack: preferred on Apple Silicon — lower memory overhead, faster mounts
Both are license-free alternatives to Docker Desktop for teams
Lima/Colima: use ~/.lima/<profile> for multiple VM profiles (e.g. arm64, rosetta)

이 저장소의 다른 Skills

같은 저장소

aws

SumonMSelim/agentguard

AWS best practices: IAM, secrets, networking, security, compute, IaC, ops. Use when building, reviewing, or modifying AWS resources.

2026-05-2248

gcp

SumonMSelim/agentguard

GCP best practices: IAM, secrets, networking, security, compute, IaC, ops. Use when building, reviewing, or modifying GCP resources.

2026-05-2248

SumonMSelim/agentguard

Idiomatic Go 1.25 practices: errors, interfaces, concurrency, generics, testing, security, tooling. Use when writing or reviewing Go code.

2026-05-2248

java

SumonMSelim/agentguard

Modern Java practices: design, errors, concurrency, security, testing, tooling. Targets Java 21 LTS baseline; Java 25 LTS features called out explicitly. Use when writing or reviewing Java code.

2026-05-2248

karpathy-guidelines

SumonMSelim/agentguard

Behavioral guidelines to reduce common LLM coding mistakes. Use when writing, reviewing, or refactoring code to avoid overcomplication, make surgical changes, surface assumptions, and define verifiable success criteria.

2026-05-2248

kubernetes

SumonMSelim/agentguard

Kubernetes best practices: security, workloads, networking, config, operations, GitOps. Use when writing or reviewing K8s manifests and configurations.

2026-05-2248

Docker

Image security

Never run as root. Prefer images with built-in non-root user: distroless nonroot, node user in Node images, nobody in Alpine. Otherwise add non-root user and switch: USER appuser

Minimal base: distroless, alpine, or official slim variants

Pin by digest or immutable tag. Never FROM node:latest or image: myapp:latest in Compose

Multi-stage builds: build in full image, copy only artifact to minimal runtime image

No build tools in final image

Scan with Trivy or Grype in CI. Fail on critical/high CVEs

Multi-arch: build with --platform linux/amd64,linux/arm64 for cross-platform targets

Dockerfile

One process per container

Enable BuildKit: DOCKER_BUILDKIT=1. Use --mount=type=cache for dependency caches, --mount=type=secret for build-time secrets

COPY specific files. Avoid COPY . . when targeted copy suffices

Layer order: least → most frequently changed. COPY package.json before COPY src/

.dockerignore: exclude .git, node_modules, test files, secrets, .env

Explicit WORKDIR. No implicit root working dir

ENTRYPOINT for executable, CMD for default args

No secrets in ENV, ARG, or RUN — persist in layer history. Use --mount=type=secret

HEALTHCHECK on all long-running services

Runtime

Read-only root filesystem where possible: --read-only

Drop all capabilities, re-add only what's needed: --cap-drop ALL --cap-add NET_BIND_SERVICE

No --privileged in production

Set resource limits: --memory, --cpus

Named volumes for persistent data. No bind mounts in production

No secrets via env vars. Use Docker secrets or mounted secret files

Log rotation: set --log-opt max-size=10m --log-opt max-file=3. Unbounded logs fill disks

Compose

compose.yml for local dev only. Production: Kubernetes, ECS, or equivalent

Explicit dependencies: depends_on + condition: service_healthy

Named volumes for persistent data. Never rely on container filesystem

env_file for local config. Never commit .env with real secrets

restart: unless-stopped for crash-resilient services

Custom networks per service group. Avoid default bridge

profiles: for optional services (e.g. debug tools, mock servers). Keep default startup lean

Maintenance

docker system prune -f regularly. Dangling images and stopped containers accumulate fast

docker image prune -a to remove unused images. Run in CI after builds

Inspect layer bloat with dive before pushing large images

Local tooling

Colima: colima start --cpu 4 --memory 8 --disk 60. Default VM is undersized

Switch context after start: docker context use colima

colima stop when not in use. Idle VM still consumes resources

OrbStack: preferred on Apple Silicon — lower memory overhead, faster mounts

Both are license-free alternatives to Docker Desktop for teams

Lima/Colima: use ~/.lima/<profile> for multiple VM profiles (e.g. arm64, rosetta)