docker-development

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Docker Development

Docker开发

Smaller images. Faster builds. Secure containers. No guesswork.

Opinionated Docker workflow that turns bloated Dockerfiles into production-grade containers. Covers optimization, multi-stage builds, compose orchestration, and security hardening.

Not a Docker tutorial — a set of concrete decisions about how to build containers that don't waste time, space, or attack surface.

更小的镜像、更快的构建、更安全的容器，无需猜测。

一套实用的Docker工作流，可将臃肿的Dockerfile转换为生产级容器。涵盖优化、多阶段构建、Compose编排以及安全加固。

这不是Docker教程——而是关于如何构建不浪费时间、空间或攻击面的容器的一系列具体决策。

Slash Commands

斜杠命令

Command	What it does
`/docker:optimize`	Analyze and optimize a Dockerfile for size, speed, and layer caching
`/docker:compose`	Generate or improve docker-compose.yml with best practices
`/docker:security`	Audit a Dockerfile or running container for security issues

命令	功能
`/docker:optimize`	分析并优化Dockerfile的尺寸、构建速度和层缓存
`/docker:compose`	遵循最佳实践生成或改进docker-compose.yml
`/docker:security`	审计Dockerfile或运行中容器的安全问题

When This Skill Activates

技能触发场景

Recognize these patterns from the user:

"Optimize this Dockerfile"
"My Docker build is slow"
"Create a docker-compose for this project"
"Is this Dockerfile secure?"
"Reduce my Docker image size"
"Set up multi-stage builds"
"Docker best practices for [language/framework]"
Any request involving: Dockerfile, docker-compose, container, image size, build cache, Docker security

If the user has a Dockerfile or wants to containerize something → this skill applies.

识别用户的以下请求模式：

"优化这个Dockerfile"
"我的Docker构建速度很慢"
"为这个项目创建docker-compose配置"
"这个Dockerfile安全吗？"
"减小我的Docker镜像尺寸"
"设置多阶段构建"
"[语言/框架]的Docker最佳实践"
任何涉及Dockerfile、docker-compose、容器、镜像尺寸、构建缓存、Docker安全的请求

如果用户拥有Dockerfile或希望将应用容器化 → 适用本技能。

Workflow

工作流

/docker:optimize

— Dockerfile Optimization

/docker:optimize

— Dockerfile优化

Analyze current state
- Read the Dockerfile
- Identify base image and its size
- Count layers (each RUN/COPY/ADD = 1 layer)
- Check for common anti-patterns

Apply optimization checklist

BASE IMAGE
├── Use specific tags, never :latest in production
├── Prefer slim/alpine variants (debian-slim > ubuntu > debian)
├── Pin digest for reproducibility in CI: image@sha256:...
└── Match base to runtime needs (don't use python:3.12 for a compiled binary)

LAYER OPTIMIZATION
├── Combine related RUN commands with && \
├── Order layers: least-changing first (deps before source code)
├── Clean package manager cache in the same RUN layer
├── Use .dockerignore to exclude unnecessary files
└── Separate build deps from runtime deps

BUILD CACHE
├── COPY dependency files before source code (package.json, requirements.txt, go.mod)
├── Install deps in a separate layer from code copy
├── Use BuildKit cache mounts: --mount=type=cache,target=/root/.cache
└── Avoid COPY . . before dependency installation

MULTI-STAGE BUILDS
├── Stage 1: build (full SDK, build tools, dev deps)
├── Stage 2: runtime (minimal base, only production artifacts)
├── COPY --from=builder only what's needed
└── Final image should have NO build tools, NO source code, NO dev deps

Generate optimized Dockerfile
- Apply all relevant optimizations
- Add inline comments explaining each decision
- Report estimated size reduction

Validate

bash

python3 scripts/dockerfile_analyzer.py Dockerfile

分析当前状态
- 读取Dockerfile
- 识别基础镜像及其尺寸
- 统计层数（每个RUN/COPY/ADD命令对应1层）
- 检查常见反模式

应用优化检查清单

BASE IMAGE
├── 生产环境使用特定标签，绝不使用:latest
├── 优先选择slim/alpine变体（debian-slim > ubuntu > debian）
├── CI环境中固定摘要以保证可复现性：image@sha256:...
└── 根据运行时需求匹配基础镜像（不要为编译后的二进制文件使用python:3.12）

LAYER OPTIMIZATION
├── 使用&& \合并相关RUN命令
├── 按变更频率排序层：变更最少的在前（依赖项优先于源代码）
├── 在同一个RUN层中清理包管理器缓存
├── 使用.dockerignore排除不必要的文件
└── 将构建依赖与运行时依赖分离

BUILD CACHE
├── 在复制源代码前先复制依赖文件（package.json、requirements.txt、go.mod）
├── 在独立层中安装依赖，与代码复制分离
├── 使用BuildKit缓存挂载：--mount=type=cache,target=/root/.cache
└── 避免在依赖安装前执行COPY . .

MULTI-STAGE BUILDS
├── 阶段1：构建（完整SDK、构建工具、开发依赖）
├── 阶段2：运行时（最小化基础镜像，仅包含生产工件）
├── 仅从builder阶段复制所需内容
└── 最终镜像应无构建工具、无源代码、无开发依赖

生成优化后的Dockerfile
- 应用所有相关优化
- 添加内联注释解释每项决策
- 报告预估的尺寸缩减量

验证

bash

python3 scripts/dockerfile_analyzer.py Dockerfile

/docker:compose

— Docker Compose Configuration

/docker:compose

— Docker Compose配置

Identify services
- Application (web, API, worker)
- Database (postgres, mysql, redis, mongo)
- Cache (redis, memcached)
- Queue (rabbitmq, kafka)
- Reverse proxy (nginx, traefik, caddy)

Apply compose best practices

SERVICES
├── Use depends_on with condition: service_healthy
├── Add healthchecks for every service
├── Set resource limits (mem_limit, cpus)
├── Use named volumes for persistent data
└── Pin image versions

NETWORKING
├── Create explicit networks (don't rely on default)
├── Separate frontend and backend networks
├── Only expose ports that need external access
└── Use internal: true for backend-only networks

ENVIRONMENT
├── Use env_file for secrets, not inline environment
├── Never commit .env files (add to .gitignore)
├── Use variable substitution: ${VAR:-default}
└── Document all required env vars

DEVELOPMENT vs PRODUCTION
├── Use compose profiles or override files
├── Dev: bind mounts for hot reload, debug ports exposed
├── Prod: named volumes, no debug ports, restart: unless-stopped
└── docker-compose.override.yml for dev-only config

Generate compose file
- Output docker-compose.yml with healthchecks, networks, volumes
- Generate .env.example with all required variables documented
- Add dev/prod profile annotations

识别服务
- 应用服务（web、API、worker）
- 数据库（postgres、mysql、redis、mongo）
- 缓存（redis、memcached）
- 队列（rabbitmq、kafka）
- 反向代理（nginx、traefik、caddy）

应用Compose最佳实践

SERVICES
├── 使用depends_on并搭配condition: service_healthy
├── 为每个服务添加健康检查
├── 设置资源限制（mem_limit、cpus）
├── 使用命名卷存储持久化数据
└── 固定镜像版本

NETWORKING
├── 创建显式网络（不要依赖默认网络）
├── 分离前端和后端网络
├── 仅暴露需要外部访问的端口
└── 为仅后端网络设置internal: true

ENVIRONMENT
├── 使用env_file存储密钥，不要内联环境变量
├── 绝不提交.env文件（添加到.gitignore）
├── 使用变量替换：${VAR:-default}
└── 记录所有必需的环境变量

DEVELOPMENT vs PRODUCTION
├── 使用Compose配置文件或覆盖文件
├── 开发环境：绑定挂载实现热重载，暴露调试端口
├── 生产环境：使用命名卷，不暴露调试端口，设置restart: unless-stopped
└── 使用docker-compose.override.yml存储仅开发环境的配置

生成Compose文件
- 输出包含健康检查、网络、卷的docker-compose.yml
- 生成包含所有必需变量说明的.env.example
- 添加开发/生产环境配置文件注解

/docker:security

— Container Security Audit

/docker:security

— 容器安全审计

Dockerfile audit

Check	Severity	Fix
Running as root	Critical	Add `USER nonroot` after creating user
Using :latest tag	High	Pin to specific version
Secrets in ENV/ARG	Critical	Use BuildKit secrets: `--mount=type=secret`
COPY with broad glob	Medium	Use specific paths, add .dockerignore
Unnecessary EXPOSE	Low	Only expose ports the app uses
No HEALTHCHECK	Medium	Add HEALTHCHECK with appropriate interval
Privileged instructions	High	Avoid `--privileged` , drop capabilities
Package manager cache retained	Low	Clean in same RUN layer

Runtime security checks

Check	Severity	Fix
Container running as root	Critical	Set user in Dockerfile or compose
Writable root filesystem	Medium	Use `read_only: true` in compose
All capabilities retained	High	Drop all, add only needed: `cap_drop: [ALL]`
No resource limits	Medium	Set `mem_limit` and `cpus`
Host network mode	High	Use bridge or custom network
Sensitive mounts	Critical	Never mount /etc, /var/run/docker.sock in prod
No log driver configured	Low	Set `logging:` with size limits

Generate security report

SECURITY AUDIT — [Dockerfile/Image name]
Date: [timestamp]

CRITICAL: [count]
HIGH:     [count]
MEDIUM:   [count]
LOW:      [count]

[Detailed findings with fix recommendations]

Dockerfile审计

检查项	严重程度	修复方案
以root用户运行	严重	创建用户后添加 `USER nonroot`
使用:latest标签	高	固定到特定版本
密钥存储在ENV/ARG中	严重	使用BuildKit密钥挂载： `--mount=type=secret`
使用宽泛通配符COPY	中	使用特定路径，添加.dockerignore
不必要的EXPOSE	低	仅暴露应用使用的端口
无HEALTHCHECK	中	添加合适间隔的HEALTHCHECK
特权指令	高	避免 `--privileged` ，移除不必要的权限
保留包管理器缓存	低	在同一个RUN层中清理缓存

运行时安全检查

检查项	严重程度	修复方案
容器以root用户运行	严重	在Dockerfile或Compose中设置用户
根文件系统可写	中	在Compose中设置 `read_only: true`
保留所有权限	高	移除所有权限，仅添加必需的： `cap_drop: [ALL]`
无资源限制	中	设置 `mem_limit` 和 `cpus`
使用主机网络模式	高	使用桥接或自定义网络
敏感挂载	严重	生产环境绝不挂载/etc、/var/run/docker.sock
未配置日志驱动	低	设置带大小限制的 `logging:`

生成安全报告

安全审计 — [Dockerfile/镜像名称]
日期: [时间戳]

严重: [数量]
高:     [数量]
中:     [数量]
低:      [数量]

[带有修复建议的详细发现]

Tooling

工具集

scripts/dockerfile_analyzer.py

scripts/dockerfile_analyzer.py

CLI utility for static analysis of Dockerfiles.

Features:

Layer count and optimization suggestions
Base image analysis with size estimates
Anti-pattern detection (15+ rules)
Security issue flagging
Multi-stage build detection and validation
JSON and text output

Usage:

bash

undefined

用于Dockerfile静态分析的CLI工具。

特性：

层数统计和优化建议
基础镜像分析及尺寸预估
反模式检测（15+规则）
安全问题标记
多阶段构建检测与验证
JSON和文本输出

使用方法：

bash

undefined

Analyze a Dockerfile

分析Dockerfile

python3 scripts/dockerfile_analyzer.py Dockerfile

JSON output

JSON输出

python3 scripts/dockerfile_analyzer.py Dockerfile --output json

Analyze with security focus

聚焦安全分析

python3 scripts/dockerfile_analyzer.py Dockerfile --security

Check a specific directory

检查指定目录

python3 scripts/dockerfile_analyzer.py path/to/Dockerfile

undefined

python3 scripts/dockerfile_analyzer.py path/to/Dockerfile

undefined

scripts/compose_validator.py

scripts/compose_validator.py

CLI utility for validating docker-compose files.

Features:

Service dependency validation
Healthcheck presence detection
Network configuration analysis
Volume mount validation
Environment variable audit
Port conflict detection
Best practice scoring

Usage:

bash

undefined

用于验证docker-compose文件的CLI工具。

特性：

服务依赖验证
健康检查存在性检测
网络配置分析
卷挂载验证
环境变量审计
端口冲突检测
最佳实践评分

使用方法：

bash

undefined

Validate a compose file

验证Compose文件

python3 scripts/compose_validator.py docker-compose.yml

JSON output

JSON输出

python3 scripts/compose_validator.py docker-compose.yml --output json

Strict mode (fail on warnings)

严格模式（警告即失败）

python3 scripts/compose_validator.py docker-compose.yml --strict

---

python3 scripts/compose_validator.py docker-compose.yml --strict

---

Multi-Stage Build Patterns

多阶段构建模式

Pattern 1: Compiled Language (Go, Rust, C++)

模式1：编译型语言（Go、Rust、C++）

dockerfile

undefined

dockerfile

undefined

Build stage

FROM golang:1.22-alpine AS builder WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /app/server ./cmd/server

Runtime stage

FROM gcr.io/distroless/static-debian12 COPY --from=builder /app/server /server USER nonroot:nonroot ENTRYPOINT ["/server"]

undefined

FROM gcr.io/distroless/static-debian12 COPY --from=builder /app/server /server USER nonroot:nonroot ENTRYPOINT ["/server"]

undefined

Pattern 2: Node.js / TypeScript

模式2：Node.js / TypeScript

dockerfile

undefined

dockerfile

undefined

Dependencies stage

FROM node:20-alpine AS deps WORKDIR /app COPY package.json package-lock.json ./ RUN npm ci --production=false

Build stage

FROM deps AS builder COPY . . RUN npm run build

Runtime stage

FROM node:20-alpine WORKDIR /app RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 COPY --from=builder /app/dist ./dist COPY --from=deps /app/node_modules ./node_modules COPY package.json ./ USER appuser EXPOSE 3000 CMD ["node", "dist/index.js"]

undefined

undefined

Pattern 3: Python

模式3：Python

dockerfile

undefined

dockerfile

undefined

Build stage

FROM python:3.12-slim AS builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

Runtime stage

FROM python:3.12-slim WORKDIR /app RUN groupadd -r appgroup && useradd -r -g appgroup appuser COPY --from=builder /install /usr/local COPY . . USER appuser EXPOSE 8000 CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

---

---

Base Image Decision Tree

基础镜像决策树

Is it a compiled binary (Go, Rust, C)?
├── Yes → distroless/static or scratch
└── No
    ├── Need a shell for debugging?
    │   ├── Yes → alpine variant (e.g., node:20-alpine)
    │   └── No → distroless variant
    ├── Need glibc (not musl)?
    │   ├── Yes → slim variant (e.g., python:3.12-slim)
    │   └── No → alpine variant
    └── Need specific OS packages?
        ├── Many → debian-slim
        └── Few → alpine + apk add

是否为编译后的二进制文件（Go、Rust、C）？
├── 是 → 使用distroless/static或scratch
└── 否
    ├── 需要shell用于调试？
    │   ├── 是 → 使用alpine变体（如node:20-alpine）
    │   └── 否 → 使用distroless变体
    ├── 需要glibc（而非musl）？
    │   ├── 是 → 使用slim变体（如python:3.12-slim）
    │   └── 否 → 使用alpine变体
    └── 需要特定OS包？
        ├── 多个 → 使用debian-slim
        └── 少量 → 使用alpine + apk add

Proactive Triggers

主动触发提示

Flag these without being asked:

Dockerfile uses :latest → Suggest pinning to a specific version tag.
No .dockerignore → Create one. At minimum:
```
.git
```
,
```
node_modules
```
,
```
__pycache__
```
,
```
.env
```
.
COPY . . before dependency install → Cache bust. Reorder to install deps first.
Running as root → Add USER instruction. No exceptions for production.
Secrets in ENV or ARG → Use BuildKit secret mounts. Never bake secrets into layers.
Image over 1GB → Multi-stage build required. No reason for a production image this large.
No healthcheck → Add one. Orchestrators (Compose, K8s) need it for proper lifecycle management.
apt-get without cleanup in same layer →
```
rm -rf /var/lib/apt/lists/*
```
in the same RUN.

无需用户询问，自动标记以下问题：

Dockerfile使用:latest → 建议固定到特定版本标签。
无.dockerignore → 创建该文件。至少包含：
```
.git
```
、
```
node_modules
```
、
```
__pycache__
```
、
```
.env
```
。
在依赖安装前执行COPY . . → 缓存失效。调整顺序为先安装依赖。
以root用户运行 → 添加USER指令。生产环境无例外。
密钥存储在ENV或ARG中 → 使用BuildKit密钥挂载。绝不要将密钥 baked 到镜像层中。
镜像超过1GB → 需要多阶段构建。生产镜像没有理由这么大。
无健康检查 → 添加健康检查。编排工具（Compose、K8s）需要它进行正确的生命周期管理。
apt-get未在同一层清理缓存 → 在同一个RUN命令中添加
```
rm -rf /var/lib/apt/lists/*
```
。

Installation

安装方法

One-liner (any tool)

一键安装（适用于所有工具）

bash

git clone https://github.com/alirezarezvani/claude-skills.git
cp -r claude-skills/engineering/docker-development ~/.claude/skills/

bash

git clone https://github.com/alirezarezvani/claude-skills.git
cp -r claude-skills/engineering/docker-development ~/.claude/skills/

Multi-tool install

多工具适配安装

bash

./scripts/convert.sh --skill docker-development --tool codex|gemini|cursor|windsurf|openclaw

bash

./scripts/convert.sh --skill docker-development --tool codex|gemini|cursor|windsurf|openclaw

OpenClaw

bash

clawhub install cs-docker-development

bash

clawhub install cs-docker-development

docker-development

Original

Translation

Docker Development

Docker开发

Slash Commands

斜杠命令

When This Skill Activates

技能触发场景

Workflow

工作流

/docker:optimize — Dockerfile Optimization

/docker:optimize — Dockerfile优化

/docker:compose — Docker Compose Configuration

/docker:compose — Docker Compose配置

/docker:security — Container Security Audit

/docker:security — 容器安全审计

Tooling

工具集

scripts/dockerfile_analyzer.py

scripts/dockerfile_analyzer.py

Analyze a Dockerfile

分析Dockerfile

JSON output

JSON输出

Analyze with security focus

聚焦安全分析

Check a specific directory

检查指定目录

scripts/compose_validator.py

scripts/compose_validator.py

Validate a compose file

验证Compose文件

JSON output

JSON输出

Strict mode (fail on warnings)

严格模式（警告即失败）

Multi-Stage Build Patterns

多阶段构建模式

Pattern 1: Compiled Language (Go, Rust, C++)

模式1：编译型语言（Go、Rust、C++）

Build stage

Build stage

Runtime stage

Runtime stage

Pattern 2: Node.js / TypeScript

模式2：Node.js / TypeScript

Dependencies stage

Dependencies stage

Build stage

Build stage

Runtime stage

Runtime stage

Pattern 3: Python

模式3：Python

Build stage

Build stage

Runtime stage

Runtime stage

Base Image Decision Tree

基础镜像决策树

Proactive Triggers

主动触发提示

Installation

安装方法

One-liner (any tool)

一键安装（适用于所有工具）

Multi-tool install

多工具适配安装

OpenClaw

OpenClaw

Related Skills

相关技能

`/docker:optimize`
— Dockerfile Optimization

`/docker:optimize`
— Dockerfile优化

`/docker:compose`
— Docker Compose Configuration

`/docker:compose`
— Docker Compose配置

`/docker:security`
— Container Security Audit

`/docker:security`
— 容器安全审计

`scripts/dockerfile_analyzer.py`

`scripts/dockerfile_analyzer.py`

`scripts/compose_validator.py`

`scripts/compose_validator.py`