Dockerfile Best Practices
Complete guide to writing efficient, secure, and optimized Dockerfiles.
Generate production-ready Dockerfiles with a visual form builder. Choose from 8 stacks (Node.js, Python, Go, Java, PHP, Ruby, Rust, Nginx) and 8 preset templates. Configure ENV vars, COPY rules, RUN commands, EXPOSE ports, HEALTHCHECK, and non-root user. Built-in linter flags best practice violations. Also generates a stack-specific .dockerignore. AI explains every instruction in plain English.
Use specific tags — avoid :latest
FROM node:20-alpine
WORKDIR /app
# Create non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# Copy the manifests and install first so the dependency layer stays cached when only source files change
COPY package*.json ./
# --omit=dev replaces the deprecated --only=production
RUN npm ci --omit=dev
COPY . .
ENV NODE_ENV=production
EXPOSE 3000
USER appuser
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
  CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
A Dockerfile is a text file with step-by-step instructions to build a Docker image. FROM sets the base, RUN executes commands, COPY adds files, EXPOSE declares ports, and CMD defines the startup command.
Multi-stage builds use multiple FROM instructions. Stage 1 (builder) compiles your app. Stage 2 (runtime) copies only the compiled artifact — resulting in a much smaller image without build tools.
Running containers as root is a security risk. The non-root user toggle adds RUN addgroup/adduser and USER instructions — a Docker security best practice.
The linter checks for missing HEALTHCHECK, running as root, :latest tags (non-reproducible), missing COPY/CMD, and potential secrets in ENV vars.
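The checks listed above can be written as a small static pass over a Dockerfile's instructions. This is an added example, not the tool's own linter; the rule names, the secret-name pattern, and both sample Dockerfiles are constructed for illustration.

```python
import re, shlex
SECRET = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Constructed sample that trips every check in the list above.
BAD = "FROM node:latest\nENV API_KEY=abc123\nEXPOSE 3000\n"
# Constructed sample modelled on this page's Node.js Dockerfile.
GOOD = r"""
FROM node:20-alpine
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
ENV NODE_ENV=production
USER appuser
HEALTHCHECK --interval=30s --timeout=5s \
  CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
"""

def parse(text):
    # Join backslash continuations, skip blanks/comments, split off the instruction.
    lines = (l.strip() for l in re.sub(r"\\[ \t]*\n", " ", text).splitlines())
    return [(l.partition(" ")[0].upper(), l.partition(" ")[2].strip())
            for l in lines if l and not l.startswith("#")]

def lint(text):
    ins, findings, stages = parse(text), [], set()
    for name, args in ins:
        words = [w for w in args.split() if not w.startswith("--")]
        if name == "FROM" and words:
            image, leaf = words[0], words[0].rsplit("/", 1)[-1]
            pinned = "@" in image or (":" in leaf and not leaf.endswith(":latest"))
            if image != "scratch" and image not in stages and not pinned:
                findings.append("latest-tag")  # explicit or implied :latest
            stages.update(words[2:3])  # remember "AS <name>" stage aliases
        elif name == "ENV":
            toks = shlex.split(args)
            keys = [t.split("=")[0] for t in toks if "=" in t] or toks[:1]
            if any(SECRET.search(k) for k in keys):
                findings.append("secret-in-env")
    # Only the last stage becomes the shipped image, so check it alone.
    final = ins[max((i for i, (n, _) in enumerate(ins) if n == "FROM"), default=0):]
    users = [a for n, a in final if n == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("runs-as-root")
    present = {n for n, _ in final}
    return findings + ["missing-" + n.lower()
                       for n in ("HEALTHCHECK", "COPY", "CMD") if n not in present]

print(lint(BAD), lint(GOOD))
```

A name-based ENV check only catches obviously named variables, and the USER check cannot see a non-root user inherited from the base image, so treat the findings as prompts for review rather than a verdict.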
A .dockerignore file prevents files from being sent to the Docker build context, which speeds up builds and keeps .env files, node_modules, and git history from leaking into your image.