[AlphaSite]

Docker honestly made the world a little easier. You’re responsible for everything above the kernel.

[m463]

I love docker, but I really wish they would change a couple things.

I wish there was a way to say:

  LAYER foo
  RUN unpack_some_large_package
  RUN build it
  RUN install it
  RUN delete stuff
  LAYER bar

because the normal way of using docker makes really really large images.

and the efficient use of docker is unreadable and hard to maintain:

  RUN unpack_some_large_package && build it && install it && delete stuff

thing is - if you do it this way you can hack gigabytes off your image sizes

This is lots harder nowadays over vpn.

I know there's docker squash, but that is a hack on many levels.

Then there's the firewall thing

and last, I'd like to have my own private repository - where docker wont' and can't pull from other machines.

[searchableguy]

Is the current multi stage build process not sufficient for you?

https://docs.docker.com/develop/develop-images/multistage-bu...

[m463]

thank you! none of the docker files I've seen used this but it has worked since 17.x

[stekern]

Can't you use multi-stage builds to achieve this?

[m463]

thank you, i've never seen this :)

[kubav]

It is easier for developer but risky for end user. Docker runs as root and you have to trust application developer to use latest security patches for all dependencies.

[zaarn]

They run as root per default.

Simply using the "USER <uid/uname>" directory means you run as non-root user with a specified UID. Kubernetes recommends doing that as a baseline security measure. You can also drop caps from a container so even if you are root inside, you can't do a lot of things root can.