Don't treat containers like VMs: containers are processes (don't ssh into them), they are stateless and ephemeral (don't store things inside), and they are intended to run one process at a time.
Images should be transparent: image builds should be reproducible and should not depend on the state of the build environment.
No side effects! Image builds should run in read-only mode: they should not tinker with external state (reproducible builds).
Prod images should contain only the compiled code and the runtime, nothing else.
The same image should be used in every stage; images should look the same everywhere.
Use the container registry as the source of truth for images. Never build images on prod machines; always build somewhere else and push to the registry.
Also, don't depend on git hashes: container images should be the new language between devs and ops.
Secrets and configs should be fetched at runtime instead of build time (ConfigMaps, Consul, Vault, …).
Dockerfiles should not do too much: multistage builds are a good solution.
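As an added example (not from the original notes), the following Dockerfile puts several of the points above into practice: a multistage build, a production image containing only the compiled binary and its runtime, a non-root single-process container, and no secrets or configuration baked into the image. It assumes a hypothetical Go service whose main package lives at ./cmd/app with go.mod and go.sum in the repository root; the base image tags and the config path are illustrative choices, not values from the original page.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build. Everything needed to compile lives here and never reaches
# the production image. Dependencies are pinned by go.sum, so the result does
# not depend on the state of the build machine.
FROM golang:1.22 AS build
WORKDIR /src

# Copy the dependency manifests first so the module download layer is cached
# and identical across builds. (Assumed layout: go.mod/go.sum at repo root.)
COPY go.mod go.sum ./
RUN go mod download

COPY . .

# Static, reproducible binary: no cgo, trimmed file paths, and an empty build
# ID so two builds of the same commit produce byte-identical output.
# (Assumed entrypoint package: ./cmd/app.)
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -buildid=" -o /out/app ./cmd/app

# Stage 2: runtime. Only the compiled binary on a minimal base: no compiler,
# no shell, no package manager, no source. The "nonroot" variant runs as an
# unprivileged user by default.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app

# Secrets and config are NOT copied into the image. The application reads them
# at runtime from the environment or from a mounted file (for example a
# Kubernetes ConfigMap/Secret volume or a Vault agent sidecar), so the same
# image can be promoted unchanged from dev to staging to prod.
# (APP_CONFIG_PATH is an assumed variable name the hypothetical app honours.)
ENV APP_CONFIG_PATH=/etc/app/config.yaml

USER nonroot:nonroot

# One process per container: no init system, no sshd, no cron.
ENTRYPOINT ["/app"]
```

Build this once on a CI runner, tag it, and push it to the registry; every environment then pulls that exact image and supplies its own configuration at runtime rather than rebuilding. Because the runtime image has no shell, there is nothing to "ssh into"; debugging happens through logs, metrics and the orchestrator, which is exactly the behaviour the notes above argue for.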