在生产环境中,Docker镜像的大小直接影响部署速度和存储成本。一个臃肿的镜像不仅拉取缓慢,还可能包含不必要的攻击面。本文将系统讲解Docker多阶段构建、镜像瘦身技巧和Compose编排最佳实践。
一、为什么需要多阶段构建
传统单阶段构建会将编译工具、源码和运行时全部打包进最终镜像。以一个Node.js项目为例:
# 单阶段构建(不推荐)— 镜像超过 1GB
FROM node:20
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build
EXPOSE 3000
CMD ["node", "dist/server.js"]这个镜像包含了npm、node-gyp、Python编译工具链等大量不需要的东西。使用多阶段构建可以解决这个问题:
# 多阶段构建 — 最终镜像只有 150MB 左右
# ---- 构建阶段 ----
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# ---- 运行阶段 ----
FROM node:20-alpine AS runner
WORKDIR /app
RUN addgroup -g 1001 -S nodejs && adduser -S nodejs -u 1001
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/package.json ./
USER nodejs
EXPOSE 3000
CMD ["node", "dist/server.js"]💡 效果对比:镜像从 1GB+ 缩减到约 150MB,减小了 85% 以上。
二、各语言多阶段构建实战
2.1 Python项目
# ---- 构建阶段 ----
FROM python:3.12-alpine AS builder
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
# ---- 运行阶段 ----
FROM python:3.12-alpine AS runner
WORKDIR /app
COPY --from=builder /install /usr/local
COPY . .
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
USER appuser
EXPOSE 8000
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"]2.2 Java Spring Boot项目
# ---- 编译阶段 ----
FROM maven:3.9-eclipse-temurin-21 AS builder
WORKDIR /app
COPY pom.xml .
COPY src ./src
RUN mvn clean package -DskipTests
# ---- 运行阶段 ----
FROM eclipse-temurin:21-jre-alpine AS runner
WORKDIR /app
COPY --from=builder /app/target/*.jar app.jar
RUN addgroup -S spring && adduser -S spring -G spring
USER spring
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]2.3 Go项目
# ---- 编译阶段 ----
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o /app/server .
# ---- 运行阶段 ----
FROM alpine:3.19 AS runner
RUN apk --no-cache add ca-certificates tzdata
COPY --from=builder /app/server /app/server
RUN addgroup -S app && adduser -S app -G app
USER app
EXPOSE 8080
CMD ["/app/server"]三、Docker Compose编排实战
3.1 完整的生产环境配置
version: '3.8'
x-common: &common
restart: unless-stopped
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
services:
nginx:
build:
context: ./nginx
dockerfile: Dockerfile
container_name: prod_nginx
ports:
- "80:80"
- "443:443"
volumes:
- nginx_certs:/etc/nginx/certs:ro
- nginx_logs:/var/log/nginx
depends_on:
app:
condition: service_healthy
networks:
- frontend
- backend
<<: *common
app:
build:
context: ./app
dockerfile: Dockerfile
target: runner
container_name: prod_app
environment:
- NODE_ENV=production
- DATABASE_URL=postgresql://app:app_pass@postgres:5432/appdb
- REDIS_URL=redis://redis:6379
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
networks:
- backend
healthcheck:
test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/health"]
interval: 30s
timeout: 5s
retries: 3
start_period: 40s
<<: *common
postgres:
image: postgres:16-alpine
container_name: prod_postgres
environment:
POSTGRES_DB: appdb
POSTGRES_USER: app
POSTGRES_PASSWORD: app_pass
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- backend
healthcheck:
test: ["CMD-SHELL", "pg_isready -U app -d appdb"]
interval: 10s
timeout: 5s
retries: 5
<<: *common
redis:
image: redis:7-alpine
container_name: prod_redis
command: redis-server --appendonly yes --maxmemory 128mb --maxmemory-policy allkeys-lru
volumes:
- redis_data:/data
networks:
- backend
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 5
<<: *common
volumes:
nginx_certs:
nginx_logs:
postgres_data:
redis_data:
networks:
frontend:
driver: bridge
backend:
driver: bridge
internal: true3.2 关键配置解析
上面这个配置中包含几个重要的生产级实践:
- YAML锚点
x-common:避免重复配置 restart 和 logging - build target:指定多阶段构建的运行阶段(
target: runner) - healthcheck:健康检查确保依赖就绪后才启动下游服务
- internal网络:backend网络标记为内部,外部无法直接访问数据库和Redis
- 日志轮转:限制日志文件大小,防止磁盘被日志撑满
四、镜像瘦身技巧汇总
4.1 选择合适的基础镜像
# 对比不同基础镜像大小
# node:20 — 约 1.1GB
# node:20-slim — 约 250MB
# node:20-alpine — 约 180MB
# node:20-alpine + multi-stage — 约 150MB
# Alpine 是首选,如果遇到 glibc 兼容问题再考虑 slim
# 检查镜像中是否包含不必要的包
docker run --rm node:20-alpine sh -c "apk info"4.2 合并RUN指令减少层数
# ❌ 不好 — 每个RUN创建一个新层
RUN apk add --no-cache git
RUN apk add --no-cache curl
RUN apk add --no-cache bash
# ✅ 好 — 合并为一条RUN
RUN apk add --no-cache git curl bash4.3 利用构建缓存
# 先复制依赖文件,利用缓存层
COPY package.json package-lock.json ./
RUN npm ci --only=production
# 再复制源码(源码变化不会导致依赖重装)
COPY . .4.4 .dockerignore 排除无关文件
# .dockerignore
node_modules
.git
.gitignore
.env
.env.*
*.md
.vscode
.idea
dist
coverage
.nyc_output
*.log
Dockerfile
docker-compose*.yml五、安全加固
5.1 不以root用户运行
# 创建专用用户
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# 设置文件权限
COPY --chown=appuser:appgroup . /app
# 切换用户
USER appuser
# 限制权限
RUN chmod -R 755 /app5.2 固定基础镜像版本
# ❌ 不好 — latest标签可能引入破坏性变更
FROM node:20
# ✅ 好 — 固定到具体补丁版本
FROM node:20.12.2-alpine3.195.3 镜像漏洞扫描
# 安装Trivy
brew install trivy
# 扫描本地镜像
trivy image myapp:latest
# 扫描并输出为表格格式
trivy image --format table myapp:latest
# 只显示高危漏洞
trivy image --severity HIGH,CRITICAL myapp:latest
# 扫描Docker Compose中所有镜像
trivy image --severity HIGH,CRITICAL $(docker compose images -q)六、自动化构建与部署
6.1 构建并推送私有仓库
#!/bin/bash
# deploy.sh — 自动化构建部署脚本
set -euo pipefail
REGISTRY="registry.example.com"
IMAGE_NAME="myapp"
VERSION="${1:-latest}"
COMMIT_SHA=$(git rev-parse --short HEAD)
echo ">>> 构建镜像 ${REGISTRY}/${IMAGE_NAME}:${VERSION}"
docker compose build
echo ">>> 打标签"
docker tag "${IMAGE_NAME}:latest" "${REGISTRY}/${IMAGE_NAME}:${VERSION}"
docker tag "${IMAGE_NAME}:latest" "${REGISTRY}/${IMAGE_NAME}:${COMMIT_SHA}"
echo ">>> 推送镜像"
docker push "${REGISTRY}/${IMAGE_NAME}:${VERSION}"
docker push "${REGISTRY}/${IMAGE_NAME}:${COMMIT_SHA}"
echo ">>> 部署到生产环境"
ssh deploy@prod-server "cd /opt/myapp && docker compose pull && docker compose up -d"
echo ">>> 清理旧镜像"
docker image prune -f
echo "✅ 部署完成 ${IMAGE_NAME}:${VERSION} (${COMMIT_SHA})"6.2 Docker Compose健康检查脚本
#!/bin/bash
# healthcheck.sh — 检查所有服务健康状态
set -euo pipefail
SERVICES=("nginx" "app" "postgres" "redis")
MAX_RETRIES=30
INTERVAL=5
check_health() {
local service=$1
local count=0
while [ $count -lt $MAX_RETRIES ]; do
STATUS=$(docker inspect --format='{{.State.Health.Status}}' "prod_${service}" 2>/dev/null || echo "missing")
if [ "$STATUS" = "healthy" ]; then
echo "✅ $service is healthy"
return 0
fi
echo "⏳ $service status: $STATUS (attempt $((count+1))/$MAX_RETRIES)"
sleep $INTERVAL
count=$((count + 1))
done
echo "❌ $service failed to become healthy"
return 1
}
echo "=== 服务健康检查 ==="
ALL_OK=true
for svc in "${SERVICES[@]}"; do
check_health "$svc" || ALL_OK=false
done
if [ "$ALL_OK" = true ]; then
echo ""
echo "🎉 所有服务运行正常"
exit 0
else
echo ""
echo "⚠️ 部分服务异常,请检查日志"
docker compose logs --tail=50
exit 1
fi总结
本文覆盖了Docker镜像优化的核心实践:
- 多阶段构建:将编译和运行分离,大幅减小镜像体积
- Compose编排:健康检查、网络隔离、日志轮转等生产级配置
- 镜像瘦身:Alpine基础镜像、合并RUN层、构建缓存优化
- 安全加固:非root运行、固定版本、漏洞扫描
- 自动化部署:构建推送脚本和健康检查
🔒 安全提醒:生产环境务必使用 .env 文件管理密码,不要将敏感信息硬编码在 docker-compose.yml 中,并将 .env 加入 .gitignore。
更多Docker实战文章,请访问 xjahb.cn
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
暂无评论内容