#Docker

25 posts

Modern Python in Practice #6: Testing and Deployment — pytest, Docker, Railway/Fly
9 min read

FastAPI integration tests with pytest + httpx, isolation via dependency overrides, multi-stage Docker builds, and cloud deployment to Railway/Fly.

Docker in Practice #6 Cloud Deployment — Fly.io / Railway / ECS — Wrapping the Track
10 min read

The final step — taking the images you built and pushed and putting them into real production. Three options (Fly.io, Railway, ECS Fargate), the fork between them, deployment flows, secret management, healthchecks and zero-downtime, and a recap of all 24 posts in the track.

Docker in Practice #5 Pushing to Registries and Tag Strategy — The :latest Trap
9 min read

Picking a registry (GHCR vs Docker Hub vs ECR) and tag strategy. Why :latest is dangerous in production, where semver and SHA tags belong, immutable tags, retention policies, and image size management — sorting out what comes after the push.

Docker in Practice #4: Building Images in CI — GitHub Actions and BuildKit Cache
8 min read

The standard for building and pushing Docker images in GitHub Actions. docker/build-push-action, BuildKit GHA cache (type=gha), multi-arch (amd64+arm64) builds, build-time secrets, and build-time optimization — all in a single workflow.

Docker in Practice #3: React/Next.js Build Containers — standalone and the NEXT_PUBLIC Place
8 min read

Wrapping a Next.js app into a container. The deps → build → runner three-stage pattern with standalone output, the build-time-baking issue with NEXT_PUBLIC env vars, the static-export option, and hosting a Vite SPA with nginx.

Docker in Practice #2: Django + PostgreSQL compose — Two Containers as One
9 min read

Bundling a Django app and PostgreSQL into one docker compose file. Migration entrypoint, depends_on relying on healthcheck, data volumes, .env separation, and collectstatic — a production-shaped compose setup.

Docker in Practice #1: Containerizing FastAPI — uv, Multi-stage, non-root
8 min read

First post of the practice series. Containerizing the most common scenario — a FastAPI app. Slim base on uv, multi-stage to separate build from runtime deps, a non-root user, and HEALTHCHECK — in a shape that goes straight to production.

Docker Advanced #6: Production Operations — graceful shutdown, healthcheck, restart
9 min read

PID 1 signal handling, the precise SIGTERM graceful shutdown flow, where init and dumb-init fit, restart policies in depth, liveness vs. readiness — the small details that keep one container running steadily in production. The wrap-up of Docker Advanced.

Docker Advanced #5: Resource Limits and cgroups
8 min read

Container memory and CPU limits, diagnosing OOMKilled, how runtimes like the JVM and Node perceive container limits, and other isolation knobs like ulimit / pids. The exact behavior of limits running on cgroups v2.

Docker Advanced #4: SBOM and Signing — The Entry to Supply Chain Security
7 min read

Make a machine-readable bill of materials (SBOM) of what is in this image, and verify who built it with a cosign signature. The supply chain security toolkit that became standard after the xz incident.

Docker Advanced #3: Image Security — non-root, distroless, Trivy Scans
8 min read

A practical toolkit for container security. Dropping to a non-root USER, read-only root with tmpfs, dropping capabilities, narrowing the attack surface with distroless, scanning known CVEs with Trivy/Grype, and linting Dockerfiles with hadolint.

Docker Advanced #2: Multi-Architecture Images — amd64 and arm64 Together
7 min read

The "image built on Apple Silicon doesn't run on the production server" incident vanishes with one multi-arch build line. The shape of a manifest list, the cost of QEMU emulation, native ARM builders, and verifying results with docker buildx imagetools.