- Don't treat containers like VMs: containers are processes (don't ssh into them), they are stateless and ephemeral (don't store things inside them), and they are intended to run one process at a time.
- Images should be transparent: image builds should be reproducible and should not depend on the state of the build environment.
- No side effects! Images should build in read-only mode: they should not tinker with external state (reproducible builds).
- Prod images should contain the compiled code and the runtime, nothing else.
- Images for every stage (dev, staging, prod) should look the same.
- Use the container registry as the source of truth for images. Never build images on prod machines; always build somewhere else and push to the registry.
- Also, don't depend on git hashes; container images should be the new language between devs and ops.
- Secrets and configs should be fetched at runtime instead of build time (ConfigMaps, Consul, Vault, ...).
- Dockerfiles should not do too much: multistage builds are a good solution.
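The following Dockerfile is an added example, not code from the original notes, that puts several of the points above together: a multistage build keeps the toolchain out of the prod image, the final stage holds only the compiled binary and its runtime, the base images are pinned so the build does not drift, and secrets are read at runtime rather than baked in. It assumes a hypothetical Go service with its entry point at `./cmd/app`; the env var names and the `/run/secrets/db_password` mount path are assumptions (the values would be supplied by a ConfigMap, a Secret, or a Vault agent at deploy time).

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: build ----------------------------------------------------
# Everything needed to compile lives here and never reaches the prod image.
# Pin by tag; for a fully reproducible build also pin the digest, e.g.
#   FROM golang:1.22-bookworm@sha256:<digest from `docker pull`> AS build
FROM golang:1.22-bookworm AS build
WORKDIR /src

# Copy dependency manifests first so the module download layer is cached
# and the build does not depend on what happens to be on the build host.
COPY go.mod go.sum ./
RUN go mod download

COPY . .
# CGO_ENABLED=0 + -trimpath produce a static binary with no build-host paths,
# so the same source gives the same binary wherever it is built.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/app ./cmd/app

# ---- Stage 2: runtime --------------------------------------------------
# Only the compiled binary and the minimal runtime it needs: no shell,
# no package manager, no compiler, nothing to ssh into. Same pinning advice
# as above applies to this base image.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app

# Configuration and secrets are NOT in the image. The orchestrator injects
# DB_URL (e.g. from a ConfigMap) and mounts the password as a file
# (e.g. from a Secret or a Vault agent sidecar); the app reads both on
# start-up. These names and the mount path are assumptions for the example.
ENV DB_URL=""
ENV DB_PASSWORD_FILE=/run/secrets/db_password

# Run as the distroless non-root user; nothing in this stage needs root.
USER nonroot:nonroot
EXPOSE 8080
ENTRYPOINT ["/app"]
```

Because the same image is promoted from dev to staging to prod with only the injected config changing, the image a developer built and pushed to the registry is exactly the image ops run; there is no `ARG DB_PASSWORD` or `COPY .env` in either stage, so `docker history` on the pushed image never reveals a secret.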