// Refactor Dockerfiles following official Docker best practices without breaking builds. Use when asked to optimize, improve, refactor, or review Dockerfiles. Covers multi-stage builds, layer caching, security hardening, and instruction-specific patterns.
Write CMake and Make files like a principal engineer with decades of experience. Use when creating, refactoring, reviewing, or debugging CMakeLists.txt, Makefiles, or build system configurations for C/C++ projects. Produces elegant, minimal, modern build files that reflect deep understanding of build systems.
Configure and compile FFmpeg from source for any platform and architecture. Handles cross-compilation (Linux→Windows, x86_64→ARM), license compliance (LGPL/GPL/nonfree), codec dependencies, and Docker-based builds. Use when building FFmpeg binaries, creating CI/CD pipelines for FFmpeg compilation, debugging configure failures, or selecting codecs and features for custom builds.
| name | dev-docker |
| description | Refactor Dockerfiles following official Docker best practices without breaking builds. Use when asked to optimize, improve, refactor, or review Dockerfiles. Covers multi-stage builds, layer caching, security hardening, and instruction-specific patterns. |
Refactor Dockerfiles safely by applying these patterns incrementally. Test builds after each change.
docker build -t test:before ..dockerignore fileSplit build dependencies from runtime. Only final stage artifacts ship.
# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
# Runtime stage
FROM node:20-alpine
WORKDIR /app
COPY --from=builder /app/node_modules ./node_modules
COPY . .
CMD ["node", "server.js"]
Reusable stages: If multiple images share setup, create a common base stage.
Order instructions from least to most frequently changing:
Critical: Always combine apt-get update && apt-get install in one RUN:
# WRONG - cache issues
RUN apt-get update
RUN apt-get install -y curl
# CORRECT
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
&& rm -rf /var/lib/apt/lists/*
latest: FROM python:3.12-slimFROM python:3.12-slim@sha256:abc123...-slim or -alpine variants&& to reduce layers--no-install-recommends with apt-get&& rm -rf /var/lib/apt/lists/*RUN <<EOF
set -e
apt-get update
apt-get install -y --no-install-recommends curl
rm -rf /var/lib/apt/lists/*
EOF
COPY for local filesADD only for: remote URLs with checksums, or auto-extracting tarballsRUN --mount=type=bind,source=requirements.txt,target=/tmp/requirements.txt \
pip install -r /tmp/requirements.txt
# WRONG - ADMIN_USER leaks to image
ENV ADMIN_USER=admin
RUN echo $ADMIN_USER > /config
# CORRECT - variable doesn't persist
RUN export ADMIN_USER=admin && echo $ADMIN_USER > /config
RUN groupadd -r appuser && useradd --no-log-init -r -g appuser appuser
# ... install dependencies as root ...
USER appuser
CMD ["./app"]
ENTRYPOINT for the command, CMD for default arguments:ENTRYPOINT ["python"]
CMD ["--help"]
WORKDIR /app over RUN cd /app && ...Create if missing. Exclude:
.git
.gitignore
node_modules
__pycache__
*.pyc
.env
*.md
Dockerfile*
docker-compose*
.dockerignore
| Before | After | Why |
|---|---|---|
FROM ubuntu:latest | FROM ubuntu:24.04 | Reproducible builds |
Multiple RUN apt-get | Single chained RUN | Fewer layers, cache efficiency |
COPY . . early | COPY . . last | Better cache utilization |
ADD local.tar.gz /app | COPY local.tar.gz /app + RUN tar | Explicit, debuggable |
| Root user throughout | USER nonroot at end | Security |
No .dockerignore | Add .dockerignore | Smaller context, faster builds |
After refactoring:
docker build -t test:after .docker images testdocker run test:after <test-command>docker history test:after.dockerignore (no build change)