
Creating Containers - Best Practices

Best Practices for adding services to Docker

  1. Keep the complete compose definition for a service in compose/service.yml, and reference that file from the global docker-compose.yml.
  2. Ensure ALL volumes are mapped inside appdata, and separated out when required.
    1. e.g. if a service has a storage volume for the frontend container and another for the database container, separate them into appdata/SERVICE/app and appdata/SERVICE/db.
    2. Reference the path through the .env variable $DOCKERDIR, e.g. $DOCKERDIR/appdata/SERVICE/app, rather than an absolute host path.
  3. If a compose file uses environment variables, keep the non-sensitive values defined in the global .env file rather than hardcoded in the service file. This includes items such as the database name or username the container references.
  4. If sensitive information such as passwords or root credentials is needed inside a compose file, use Docker's SECRETS functionality rather than putting the value in an environment variable or in .env (both end up in `docker inspect` output and in plain text on disk).
    1. As root (sudo), create a text file in secrets/ containing only the value, and restrict it (e.g. chmod 600, owned by root) so that other users on the host cannot read it. Reference the secret in both docker-compose.yml and the service.yml file.
    2. docker-compose.yml, under the top-level SECRETS block:
       secret_name:
         file: $DOCKERDIR/secrets/secret_name
    3. service.yml: list secret_name under the service's own secrets: block so it is mounted at /run/secrets/secret_name, then hand the container the path rather than the value:
       ENVIRONMENTVARIABLE=/run/secrets/secret_name
    4. This only works for images that accept a file path for that setting (commonly a *_FILE variant of the variable, e.g. POSTGRES_PASSWORD_FILE). If the image only reads the value directly, check the maintainer's documentation for a supported way to load the secret from a file.
  5. Where possible, run containers as a specific unprivileged UID and GID instead of root. There are hardcoded variables in .env, $PUID and $PGID, for use in compose files.
    1. Some images read these as environment variables (PUID/PGID), others can be forced with the user: key, and some do not behave properly when forced. Follow the maintainer's direction.
  6. Ensure every container has its networks defined explicitly rather than being left on the default network. This should be the socket_proxy network where possible.
    1. If the service needs to be exposed via Traefik, ensure the t3_proxy network is included as well.
  7. If exposing the interface via Traefik, check whether a ports: block is really needed in the compose file. Often it is not, because the Traefik labels already route traffic to the container over the shared network, and a published port would let clients reach the service directly, bypassing Traefik and its middlewares.
  8. Update the documentation when adding a service, or whenever something complex is added, for future reference.
  9. Reduce what needs to be exposed on an external interface. If an external interface is required, ensure the router uses strongly protective middlewares, preferably with authentication.
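The following is an added example, not a file from the repository, showing one service definition that follows all nine points above. The service name SERVICE, the image names, the internal port 8080, the hostname, the entrypoint name websecure, the middleware chain chain-authelia@file and the .env keys SERVICE_DB_NAME and SERVICE_DB_USER are assumptions made for the example; $DOCKERDIR, $PUID, $PGID, t3_proxy and socket_proxy are the names the page uses. The database container is put on a private internal network rather than socket_proxy because nothing outside the service should ever reach it; a container that actually needs the Docker API would additionally join socket_proxy.

```yaml
# ---- compose/SERVICE.yml (hypothetical service with an app and a database container) ----
services:
  SERVICE-app:
    image: example/app:1.0                    # assumed image name
    container_name: SERVICE-app
    user: "${PUID}:${PGID}"                   # step 5: unprivileged UID/GID from .env
    security_opt:
      - no-new-privileges:true                # block setuid escalation inside the container
    networks:                                 # step 6: networks listed explicitly, no default network
      - t3_proxy                              # step 6.1: reachable by Traefik
      - SERVICE-internal                      # private link to the database only
    volumes:
      - $DOCKERDIR/appdata/SERVICE/app:/config   # step 2: app data under appdata/SERVICE/app
    environment:
      - DB_HOST=SERVICE-db
      - DB_NAME=${SERVICE_DB_NAME}            # step 3: non-sensitive values come from .env (assumed keys)
      - DB_USER=${SERVICE_DB_USER}
      - DB_PASSWORD_FILE=/run/secrets/service_db_password   # step 4: the path, never the value
    secrets:
      - service_db_password                   # mounted read-only at /run/secrets/service_db_password
    # Step 7: no "ports:" block. Traefik reaches port 8080 over t3_proxy via the labels below,
    # so nothing can bypass the middleware chain by hitting a published host port.
    labels:
      - traefik.enable=true
      - traefik.docker.network=t3_proxy
      - traefik.http.routers.SERVICE.rule=Host(`service.example.com`)     # assumed hostname
      - traefik.http.routers.SERVICE.entrypoints=websecure                # assumed entrypoint name
      - traefik.http.routers.SERVICE.middlewares=chain-authelia@file      # step 9: assumed auth chain
      - traefik.http.services.SERVICE.loadbalancer.server.port=8080       # assumed internal port
    depends_on:
      - SERVICE-db

  SERVICE-db:
    image: postgres:16                        # assumed; the official image honours *_FILE variables
    container_name: SERVICE-db
    # Step 5.1: PUID/PGID deliberately not forced here; the postgres image manages its own user
    # and misbehaves when the uid is overridden without matching the data directory ownership.
    networks:
      - SERVICE-internal                      # never on t3_proxy: the DB must not be routable externally
    volumes:
      - $DOCKERDIR/appdata/SERVICE/db:/var/lib/postgresql/data   # step 2: db data under appdata/SERVICE/db
    environment:
      - POSTGRES_DB=${SERVICE_DB_NAME}
      - POSTGRES_USER=${SERVICE_DB_USER}
      - POSTGRES_PASSWORD_FILE=/run/secrets/service_db_password   # step 4: same secret, read from file
    secrets:
      - service_db_password

networks:
  SERVICE-internal:
    internal: true                            # no route to the host network or the internet

# ---- docker-compose.yml (global): the top-level entries this service relies on ----
# How compose/SERVICE.yml is merged into the global file follows whatever mechanism the
# repository already uses (step 1) and is not shown here.
networks:
  t3_proxy:
    external: true                            # created once, shared with Traefik
  socket_proxy:
    external: true

secrets:
  service_db_password:
    file: $DOCKERDIR/secrets/service_db_password   # step 4.1: created with sudo, chmod 600, root-owned
```

After adding the service, run `docker compose config` from the directory holding the global file: it expands $DOCKERDIR and the other .env variables, refuses to continue if a service references an undefined secret or network, and prints the merged result so the absence of a ports: block on SERVICE-app and of t3_proxy on SERVICE-db can be confirmed before anything is started.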