Docker in Production: 10 Practices Every Team Should Follow

5/15/2026 · Forgeora Developer
Running Docker containers in development is easy. Running them reliably in production is a different challenge. Here are 10 battle-tested practices for production-grade Docker deployments.

# Docker in Production: 10 Practices Every Team Should Follow

Docker changed how we ship software. But many teams copy their local setup straight to production—and pay for it later. Here's what separates hobby deployments from production-ready ones.

## 1. Use Minimal Base Images

Prefer `alpine` or `distroless` over `ubuntu`. Smaller images = smaller attack surface + faster pulls.

## 2. Never Run as Root

```dockerfile
# BusyBox (Alpine) syntax: create a system group and user, then drop to it
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
```

## 3. Pin Your Image Tags

`FROM node:20.12.2-alpine` not `FROM node:latest`. Reproducible builds require pinned versions.

## 4. Use Multi-Stage Builds

```dockerfile
# Build stage: toolchain and dev dependencies stay here
FROM node:20.12.2-alpine AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build

# Runtime stage: only the build output is copied in
FROM node:20.12.2-alpine AS runner
WORKDIR /app
COPY --from=builder /app/dist ./dist
CMD ["node", "dist/index.js"]
```

## 5. Set Resource Limits

```yaml
deploy:
  resources:
    limits:
      cpus: "0.5"
      memory: 512M
```

## 6. Implement Health Checks

```dockerfile
HEALTHCHECK --interval=30s --timeout=5s CMD wget -qO- http://localhost:3000/health || exit 1
```

## 7. Use .dockerignore

Exclude `node_modules`, `.git`, `.env` and any local config from your build context.

## 8. Never Bake Secrets Into Images

Use environment variables, Docker secrets, or a secrets manager (Vault, AWS Secrets Manager).

## 9. Use Read-Only Filesystems

```bash
docker run --read-only --tmpfs /tmp myapp
```

## 10. Log to stdout/stderr

Containers are ephemeral. Write logs to standard streams so orchestrators (Kubernetes, ECS) can collect them properly.

Following these practices will dramatically improve your reliability, security, and debuggability in production.
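
A small linter for the Dockerfile-level practices above (2, 3, 6 and 8), added here as an example and not part of the original post. The secret-name pattern and the sample Dockerfile are constructed for illustration, and a `USER` or `HEALTHCHECK` inherited from an earlier stage is not followed.

```python
import re

# Key names that suggest a credential (heuristic chosen for this example).
SECRET_KEY = re.compile(r"passw(or)?d|secret|token|api_?key|private_?key", re.I)

def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
        else:
            yield buf + line
            buf = ""

def lint_dockerfile(text):
    """Check practices 2, 3, 6 and 8; USER/HEALTHCHECK are read from the final stage."""
    findings, stages, user, healthcheck = [], set(), None, False
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        instr, rest = instr.upper(), rest.strip()
        if instr == "FROM":
            parts = [p for p in rest.split() if not p.startswith("--")]
            image = parts[0]
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            pinned = "@" in image or tag not in ("", "latest")
            if image.lower() not in stages | {"scratch"} and not pinned:
                findings.append(f"3: unpinned base image {image}")
            if len(parts) >= 3 and parts[1].upper() == "AS":
                stages.add(parts[2].lower())
            user, healthcheck = None, False  # each stage starts clean
        elif instr == "USER":
            user = rest.split(":")[0]
        elif instr == "HEALTHCHECK":
            healthcheck = rest.upper() != "NONE"
        elif instr in ("ENV", "ARG"):
            keys = [t.split("=")[0] for t in rest.split() if "=" in t] or rest.split()[:1]
            findings += [f"8: possible secret in {instr} {k}" for k in keys if SECRET_KEY.search(k)]
    if user in (None, "root", "0"):
        findings.append("2: final stage runs as root")
    if not healthcheck:
        findings.append("6: no HEALTHCHECK in final stage")
    return findings

# Constructed sample, not from the page.
SAMPLE = ("FROM node:latest AS builder\nARG NPM_TOKEN\n"
          "FROM node:20.12.2-alpine\nENV DB_PASSWORD=changeme\n")
```

Each finding is prefixed with the number of the practice it relates to, so `lint_dockerfile(SAMPLE)` can gate a CI step on an empty result.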