[DevoxxFR2014] Runtime stage
FROM nginx:alpine
COPY –from=builder /app/dist /usr/share/nginx/html
EXPOSE 80
This pattern reduces final image size from hundreds of megabytes to tens of megabytes. **Layer caching** optimization requires careful instruction ordering:
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
Copying dependency manifests first maximizes cache reuse during development.
## Networking Models and Service Discovery
Docker’s default bridge network isolates containers on a single host. Production environments demand multi-host communication. **Overlay networks** create virtual networks across swarm nodes:
docker network create –driver overlay –attachable prod-net
docker service create –network prod-net –name api myapp:latest
Docker’s built-in DNS enables service discovery by name. For external traffic, **ingress routing meshes** like Traefik or NGINX provide load balancing, TLS termination, and canary deployments.
## Persistent Storage for Stateful Applications
Stateless microservices dominate container use cases, but databases and queues require durable storage. **Docker volumes** offer the most flexible solution:
docker volume create postgres-data
docker run -d \
–name postgres \
-v postgres-data:/var/lib/postgresql/data \
-e POSTGRES_PASSWORD=secret \
postgres:13
For distributed environments, **CSI (Container Storage Interface)** plugins integrate with Ceph, GlusterFS, or cloud-native storage like AWS EBS.
## Orchestration and Automated Operations
Docker Swarm provides native clustering with zero external dependencies:
docker swarm init
docker stack deploy -c docker-compose.yml myapp
“`
For advanced workloads, Kubernetes offers:
– Deployments for rolling updates and self-healing.
– Horizontal Pod Autoscaling based on CPU/memory or custom metrics.
– ConfigMaps and Secrets for configuration management.
Migration paths typically begin with stateless services in Swarm, then progress to Kubernetes for stateful and machine-learning workloads.
Security Hardening and Compliance
Production containers must follow security best practices:
– Run as non-root users: USER appuser in Dockerfile.
– Scan images with Trivy or Clair in CI/CD pipelines.
– Apply seccomp and AppArmor profiles to restrict system calls.
– Use RBAC and Network Policies in Kubernetes to enforce least privilege.
Production Case Studies and Operational Wisdom
Spotify manages thousands of microservices using Helm charts and custom operators. Airbnb leverages Kubernetes for dynamic scaling during peak booking periods. The New York Times uses Docker for CI/CD acceleration, reducing deployment time from hours to minutes.
Common lessons include:
– Monitor with Prometheus and Grafana.
– Centralize logs with ELK or Loki.
– Implement distributed tracing with Jaeger or Zipkin.
– Use chaos engineering to validate resilience.
Strategic Impact on DevOps Culture
Docker fundamentally accelerates the CI/CD pipeline and enables immutable infrastructure. Success requires cultural alignment: developers embrace infrastructure-as-code, operations teams adopt GitOps workflows, and security integrates into every stage. Orchestration platforms bridge the gap between development velocity and operational stability.