- Use explicit and deterministic Docker base image tags
- Install only what you need in production in the Java container image
- Find and fix security vulnerabilities in your Java Docker image
- Use multi-stage builds
- Don’t run Java apps as root
- Properly handle events to safely terminate a Java application
- Gracefully tear down Java applications
- Use .dockerignore
- Make sure Java is container-aware
- Be careful with automatic Docker container generation tools
Last active
October 3, 2025 15:48
Dockerfile Best Practice
# Simple Java Container
# Baseline listing: the application is built and run inside the full Maven image.
# NOTE(review): the base image carries no tag or digest, so it resolves to
# whatever `maven:latest` points at when the build runs; two builds of this
# file are not guaranteed to produce the same image.
FROM maven
# WORKDIR creates /app when it does not exist yet.
WORKDIR /app
# Copies the whole build context into the image. Anything sitting next to the
# Dockerfile (VCS metadata, logs, local configuration) lands in a layer unless
# a .dockerignore excludes it.
COPY . .
RUN mvn clean install
# Shell form: Docker wraps this in `/bin/sh -c`. No USER instruction is present,
# so the container keeps the base image's default user
# (root for the official maven image — confirm for the base in use).
CMD "mvn" "exec:java"
# The deterministic Docker base image tags
# The tag documents which Maven/JDK variant is meant; the sha256 digest is what
# pins the content, so a re-pushed tag cannot change what this build pulls.
# NOTE(review): a digest pin also freezes the base image's known
# vulnerabilities; refresh the digest deliberately when upstream publishes fixes.
FROM maven:3.6.3-jdk-11-slim@sha256:68ce1cd457891f48d1e137c7d6a4493f60843e84c9e2634e3df1d3d5b381d36c
# WORKDIR creates /app when it does not exist yet.
WORKDIR /app
COPY . .
# -DskipTests compiles the tests but does not execute them.
# NOTE(review): presumably the test run happens in another pipeline stage — confirm.
RUN mvn clean package -DskipTests
# Install only what you need in production in the Java container image
# Runtime-only image: a JRE base pinned by tag and digest, with no Maven or JDK
# toolchain inside, which leaves fewer packages to patch and fewer tools
# available inside a running container.
FROM openjdk:11-jre-slim@sha256:31a5d3fa2942eea891cf954f7d07359e09cf1b1f3d35fb32fedebb1e3399fc9e
# WORKDIR creates /app when it does not exist yet.
WORKDIR /app
# The jar is taken from ./target in the build context, so it has to be built
# before `docker build` runs.
COPY ./target/java-application.jar /app/java-application.jar
# Relative jar path: resolved against WORKDIR (/app).
# Shell form, so Docker wraps the command in `/bin/sh -c`.
CMD "java" "-jar" "java-application.jar"
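# Find and fix security vulnerabilities in your Java container Docker image
# This step uses an Alpine-based AdoptOpenJDK JRE, pinned by tag and digest.
# NOTE(review): re-scan the image whenever the digest is changed; the pin
# freezes the base image's vulnerability state until it is updated on purpose.
FROM adoptopenjdk/openjdk11:jre-11.0.9.1_1-alpine@sha256:b6ab039066382d39cfc843914ef1fc624aa60e2a16ede433509ccadd6d995b1f
RUN mkdir /app
COPY ./target/java-application.jar /app/java-application.jar
# The working directory must be the directory the jar was copied into: CMD
# passes a relative jar path, which `java` resolves against WORKDIR. The
# listing previously pointed WORKDIR at /usr/src/project, where no jar exists,
# so the container failed at start-up.
WORKDIR /app
# Shell form, so Docker wraps the command in `/bin/sh -c`.
CMD "java" "-jar" "java-application.jar"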
# Multi-stage builds for your Java container

# Stage "build": full Maven + JDK toolchain. The source tree and everything
# else in the build context stay in this stage and are not part of the final image.
FROM maven:3.6.3-jdk-11-slim@sha256:68ce1cd457891f48d1e137c7d6a4493f60843e84c9e2634e3df1d3d5b381d36c AS build
# WORKDIR creates /project when it does not exist yet.
WORKDIR /project
COPY . .
# -DskipTests compiles the tests but does not execute them.
RUN mvn clean package -DskipTests

# Final stage: JRE-only base. The jar is the only artifact carried over.
FROM adoptopenjdk/openjdk11:jre-11.0.9.1_1-alpine@sha256:b6ab039066382d39cfc843914ef1fc624aa60e2a16ede433509ccadd6d995b1f
WORKDIR /app
COPY --from=build /project/target/java-application.jar /app/java-application.jar
# No USER instruction in this stage, so the process keeps the base image's
# default user. Shell form: Docker wraps the command in `/bin/sh -c`.
CMD "java" "-jar" "java-application.jar"
# Don’t run containers as root

# Stage "build": Maven + JDK toolchain, used only to produce the jar.
FROM maven:3.6.3-jdk-11-slim@sha256:68ce1cd457891f48d1e137c7d6a4493f60843e84c9e2634e3df1d3d5b381d36c AS build
# WORKDIR creates /project when it does not exist yet.
WORKDIR /project
COPY . .
RUN mvn clean package -DskipTests

# Final stage: JRE-only base with a dedicated unprivileged account.
FROM adoptopenjdk/openjdk11:jre-11.0.9.1_1-alpine@sha256:b6ab039066382d39cfc843914ef1fc624aa60e2a16ede433509ccadd6d995b1f
# Create the application directory and a system group/user for the app.
# `-s /bin/false` gives the account no usable login shell.
RUN mkdir /app \
    && addgroup --system javauser \
    && adduser -S -s /bin/false -G javauser javauser
COPY --from=build /project/target/java-application.jar /app/java-application.jar
WORKDIR /app
# Hands /app and the jar to javauser, which also makes the jar writable by the
# runtime user.
# NOTE(review): if the application never writes under /app, leaving the jar
# root-owned and read-only is the tighter setting; `COPY --chown=...` would
# also avoid the extra layer this chown creates.
RUN chown -R javauser:javauser /app
# Everything after this line, including the container's main process, runs as
# javauser. Steps that need root must stay above it.
USER javauser
# Shell form, so Docker wraps the command in `/bin/sh -c`.
CMD "java" "-jar" "java-application.jar"
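# Properly handle events to safely terminate a Java Docker web application

# Stage "build": Maven + JDK toolchain, used only to produce the jar.
FROM maven:3.6.3-jdk-11-slim@sha256:68ce1cd457891f48d1e137c7d6a4493f60843e84c9e2634e3df1d3d5b381d36c AS build
RUN mkdir /project
COPY . /project
WORKDIR /project
RUN mvn clean package -DskipTests

# Final stage: JRE-only base, unprivileged user, dumb-init as the init process.
FROM adoptopenjdk/openjdk11:jre-11.0.9.1_1-alpine@sha256:b6ab039066382d39cfc843914ef1fc624aa60e2a16ede433509ccadd6d995b1f
# --no-cache keeps the apk package index out of the image layer.
RUN apk add --no-cache dumb-init
RUN mkdir /app
# System group/user for the app; `-s /bin/false` gives it no usable login shell.
RUN addgroup --system javauser && adduser -S -s /bin/false -G javauser javauser
# NOTE(review): this step copies java-code-workshop-0.0.1-SNAPSHOT.jar, while
# the other listings on this page use java-application.jar as the source name;
# the source path must match what the Maven build actually produces.
COPY --from=build /project/target/java-code-workshop-0.0.1-SNAPSHOT.jar /app/java-application.jar
WORKDIR /app
RUN chown -R javauser:javauser /app
USER javauser
# Exec (JSON-array) form: dumb-init itself becomes PID 1 and forwards signals
# such as SIGTERM from `docker stop` to the JVM. The shell form used before
# put `/bin/sh -c` in front of dumb-init, which defeats the purpose of adding
# an init process for signal handling.
CMD ["dumb-init", "java", "-jar", "java-application.jar"]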
// Graceful tear down for your Java web applications
// Registers a JVM shutdown hook. The JVM runs registered hooks during an orderly
// shutdown, which includes termination by SIGTERM; they do not run when the
// process is killed with SIGKILL.
// NOTE(review): keep the real clean-up work short, since `docker stop` follows
// SIGTERM with SIGKILL once its grace period expires.
Runtime.getRuntime().addShutdownHook(
        new Thread(() -> System.out.println("Inside Add Shutdown Hook")));
# Keeping unnecessary files out of your Java container images
# Every pattern below is excluded from the build context, so `COPY . <dest>`
# cannot place the matching files in an image layer.
# NOTE(review): no credential-bearing files are listed here; add patterns for
# any local secrets or key material the project keeps inside the build context.
.dockerignore
# Repository metadata and history.
.git
.gitignore
# The build recipe itself is not needed inside the image.
Dockerfile
# Log files at any depth.
**/*.log
Make sure Java is container-aware
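-XX:MaxRAMPercentage=50 -XshowSettings:vm -version
These are options for the `java` command: `-XX:MaxRAMPercentage=50` sets the maximum heap size to 50% of the memory the JVM detects as available, and `-XshowSettings:vm -version` prints the resulting VM settings so the limit can be checked from inside the container.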