Docker Image Optimization

Small, secure Docker images give you fast deployments and a smaller attack surface. This guide walks through the best practices.

Choosing a Base Image

# BAD - full OS image (800MB+)
FROM ubuntu:22.04

# GOOD - minimal image (5MB)
FROM alpine:3.18

# BEST - distroless (for security)
FROM gcr.io/distroless/static-debian12

Multi-stage Build

# Dockerfile
# Build stage
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

# Production stage
FROM node:18-alpine
WORKDIR /app

# Non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser

# Copy only the files that are needed
COPY --from=builder --chown=appuser:appgroup /app/dist ./dist
COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
EXPOSE 3000
CMD ["node", "dist/index.js"]

Layer Optimization

# BAD - every RUN creates a new layer
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get install -y wget
RUN apt-get clean

# GOOD - a single layer, cleanup included
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl \
        wget && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

The .dockerignore File

# .dockerignore
.git
.gitignore
node_modules
npm-debug.log
Dockerfile*
docker-compose*
.env
*.md
.vscode
coverage
tests

Security Best Practices

# Use a non-root user
USER 1000:1000

# Read-only filesystem
docker run --read-only --tmpfs /tmp myapp

# Capability drop
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp

# Security scanning (docker scan has since been deprecated upstream; trivy remains maintained)
docker scan myimage:latest
trivy image myimage:latest

Image Build and Push

# Build with BuildKit (parallel, cache-optimized)
DOCKER_BUILDKIT=1 docker build -t myapp:v1.0 .

# Multi-platform build
docker buildx build --platform linux/amd64,linux/arm64 -t myapp:v1.0 --push .

# Image push
docker tag myapp:v1.0 registry.example.com/myapp:v1.0
docker push registry.example.com/myapp:v1.0

Conclusion

Optimized images deliver size reductions of up to 80% and reduce security risk.