https://besterry.com/tags/docker/Recent content in Docker on Besterry — Linux & DevOps NotesHugoen-usMon, 20 May 2024 00:00:00 +0000https://besterry.com/posts/container-image-size/Mon, 20 May 2024 00:00:00 +0000https://besterry.com/posts/container-image-size/<p>Small images boot faster, save bandwidth, and have smaller attack surface. Here are the techniques that actually work.</p> <h2 id="multi-stage-builds">Multi-stage builds</h2> <p>The single biggest win. Build in one stage, copy only the artifacts to a minimal runtime stage. A Go binary of 15 MB ends up in a 17 MB image. Compare to a naive golang:1.22 image at 900+ MB.</p> <h2 id="base-image-choice">Base image choice</h2> <p>From smallest to largest for Go/Rust static binaries:</p>https://besterry.com/posts/docker-networking/Wed, 20 Mar 2024 00:00:00 +0000https://besterry.com/posts/docker-networking/<p>When a container cannot reach something, the instinct is often to exec into it and curl. But most slim containers lack curl, dig, tcpdump, or even ping. A better pattern: use nsenter from the host.</p> <h2 id="enter-the-container-network-namespace">Enter the container network namespace</h2> <p>Get the container PID:</p> <pre><code>docker inspect -f '{{.State.Pid}}' myapp </code></pre> <p>Then:</p> <pre><code>sudo nsenter -t PID -n bash </code></pre> <p>You are now in the container network namespace, but with the host binaries. tcpdump, ip, ss, dig — all work.</p>