#Docker
25 posts
Modern Python in Practice #6: Testing and Deployment — pytest, Docker, Railway/Fly
FastAPI integration tests with pytest + httpx, isolation via dependency overrides, multi-stage Docker builds, and cloud deployment to Railway/Fly.
Docker in Practice #6: Cloud Deployment — Fly.io / Railway / ECS — Wrapping the Track
The final step — taking the images you built and pushed and putting them into real production. Three options (Fly.io, Railway, ECS Fargate), how to choose between them, deployment flows, secret management, healthchecks and zero-downtime, and a recap of all 24 posts in the track.
Docker in Practice #5: Pushing to Registries and Tag Strategy — The :latest Trap
Picking a registry (GHCR vs Docker Hub vs ECR) and a tag strategy. Why :latest is dangerous in production, where semver and SHA tags belong, immutable tags, retention policies, and image size management — sorting out everything that comes after the push.
Docker in Practice #4: Building Images in CI — GitHub Actions and BuildKit Cache
The standard for building and pushing Docker images in GitHub Actions. docker/build-push-action, BuildKit GHA cache (type=gha), multi-arch (amd64+arm64) builds, build-time secrets, and build-time optimization — all in a single workflow.
Docker in Practice #3: React/Next.js Build Containers — standalone and Where NEXT_PUBLIC Belongs
Wrapping a Next.js app into a container. The deps → build → runner three-stage pattern with standalone output, the build-time-baking issue with NEXT_PUBLIC env vars, the static-export option, and hosting a Vite SPA with nginx.
Docker in Practice #2: Django + PostgreSQL compose — Two Containers as One
Bundling a Django app and PostgreSQL into one docker compose file. A migration entrypoint, depends_on conditioned on a healthcheck, data volumes, .env separation, and collectstatic — a production-shaped compose setup.
Docker in Practice #1: Containerizing FastAPI — uv, Multi-stage, non-root
First post of the practice series. Containerizing the most common scenario — a FastAPI app. A slim base image with uv, a multi-stage build to separate build deps from runtime deps, a non-root user, and HEALTHCHECK — in a shape that goes straight to production.
Docker Advanced #6: Production Operations — graceful shutdown, healthcheck, restart
PID 1 signal handling, the precise SIGTERM graceful shutdown flow, where init and dumb-init fit, restart policies in depth, liveness vs. readiness — the small details that keep one container running steadily in production. The wrap-up of Docker Advanced.
Docker Advanced #5: Resource Limits and cgroups
Container memory and CPU limits, diagnosing OOMKilled, how runtimes like the JVM and Node perceive container limits, and other isolation knobs like ulimit / pids. The exact behavior of limits running on cgroups v2.
Docker Advanced #4: SBOM and Signing — The Entry to Supply Chain Security
Produce a machine-readable bill of materials (SBOM) of what is in an image, and verify who built it with a cosign signature. The supply chain security toolkit that became standard after the xz incident.
Docker Advanced #3: Image Security — non-root, distroless, Trivy Scans
A practical toolkit for container security. Dropping to a non-root USER, read-only root with tmpfs, dropping capabilities, narrowing the attack surface with distroless, scanning known CVEs with Trivy/Grype, and linting Dockerfiles with hadolint.
Docker Advanced #2: Multi-Architecture Images — amd64 and arm64 Together
The "image built on Apple Silicon doesn't run on the production server" incident vanishes with one multi-arch build line. The shape of a manifest list, the cost of QEMU emulation, native ARM builders, and verifying results with docker buildx imagetools.