unpopular dockerfile takes (that actually work)
1 - stop using alpine - yes, it's tiny. but musl libc ≠ glibc. your python/node app will rebuild native deps from scratch or just... silently be slower. use -slim (debian-slim) instead. same size win, zero grief.
2 - layer order is your cache strategy. COPY your lockfile first, run install, then copy source. invalidating the install layer on every code change is a skill issue ngl
3 - multi-stage builds aren't just "best practice" - they're the actual reason your prod image doesn't ship gcc and 400mb of build tools. builder stage = bloat zone. final stage = lean mean container.
4 - COPY . . is fine actually - if your .dockerignore is correct. most pain here is from forgetting to ignore node_modules/, .git, *.log. fix the ignore file, not the COPY.
5 - one process per container is a vibe, not a law. if your app needs nginx + app server and you're not at k8s scale - just use supervisord. the "one process" dogma costs more complexity than it saves sometimes.
6 - pin your base image by digest, not tag. node:20 today ≠ node:20 in 6 months. prod broke because of a tag? that's a you problem tbh.
7 - BuildKit cache mounts (--mount=type=cache) will change your life. pip/apt/cargo cache between builds without it ending up in the final layer. nobody talks about this enough fr
there's no "best practice" in a vacuum. alpine is great for Go binaries. slim is great for Python. scratch is great for static bins. know your workload, then choose.
btw if you want something to catch all this stuff automatically -
check out dockerfile-roast - a linter written in Rust that literally roasts your Dockerfile. 63 rules, brutally honest output (but it can also provide just dry facts, no roast), runs on any OS or as a docker container
https://t.co/NVYpe8iD65
#docker #devops #kubernetes #backend #linux #rust #sre #containers
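Items 2 and 6 of the post above can be checked mechanically. The sketch below is an added example, not part of the post and not dockerfile-roast's code; `audit`, `instructions` and the sample Dockerfile with its all-zero digest are constructed for illustration, heredocs are not handled, and an `ARG`-substituted image name is reported because it cannot be verified statically.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
INSTALL = re.compile(r"\b(pip3? install|npm (ci|install)|yarn install|pnpm install)\b")

def instructions(text):
    """Yield (line_no, KEYWORD, args) per instruction, joining '\\' continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or whole-line comment
            continue
        start = start or n                        # first line of this instruction
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""
        buf, start = "", 0

def audit(text):
    """Return (line_no, message) findings for unpinned bases and cache-busting COPY."""
    findings, stages, broad_copy = [], set(), None
    for n, kw, args in instructions(text):
        words = [w for w in args.split() if not w.startswith("--")]  # drop --platform etc.
        if kw == "FROM" and words:
            broad_copy = None                     # each stage has its own layer chain
            image = words[0]
            earlier_stage = image.lower() in stages
            if image != "scratch" and not earlier_stage and not DIGEST.search(image):
                findings.append((n, f"base image not pinned by digest: {image}"))
            if len(words) >= 3 and words[1].upper() == "AS":
                stages.add(words[2].lower())
        elif kw == "COPY" and words and words[0] in (".", "./"):
            broad_copy = broad_copy or n          # whole build context copied here
        elif kw == "RUN" and broad_copy and INSTALL.search(args):
            findings.append((n, f"install runs after COPY of whole context (line {broad_copy})"))
    return findings

PINNED = "python:3.12-slim@sha256:" + "0" * 64    # constructed digest, not a real image
SAMPLE = "\n".join([                               # constructed sample Dockerfile
    "FROM python:3.12-slim AS builder",
    "COPY . .",
    "RUN --mount=type=cache,target=/root/.cache/pip \\",
    "    pip install -r requirements.txt",
    f"FROM --platform=linux/amd64 {PINNED}",
    "COPY --from=builder /app /app",
    "FROM builder AS test",
])
```

On the sample, `audit(SAMPLE)` reports the tag-only base on line 1 and the install on line 3 that follows `COPY . .`; the digest-pinned stage and the `FROM builder` stage reference pass.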
Vim Has A 0-Day???? https://t.co/g55qvEzRmi
... oh those days before widespread formatter use ... feeling old
Nice catch that git fsmon trick!
Thank you @ThePrimeagen for sharing
Khan Academy is always a great website. I wanted to brush up on my statistics and probability skills, and I found this course perfect. There are no prerequisites, and you won't need more than a few weeks to finish it.
we spoke to a company today whose security team is so concerned by ai code they're considering banning ai tools
your first reaction might be "they're gonna get left behind" but if you are practical their concerns aren't invalid
if you are a huge multi national org with tens of thousands of employees and they just got a button that appears to do their work, it's gonna get pushed a lot
and the process around knowing what is making it to production is totally melting
being honest we're all getting a bit lazier
see that kiro related aws outage as a real life example
so they're genuinely arguing over how much this is going to be allowed esp since the net productivity gains for the average dev seem to be pretty low
if you are high up at a company you probably miss the days when you coded and shipped features
you feel a crazy amount of exuberance now that coding agents return some of that back to you
it's a huge mistake to think this is somehow relevant to people working day to day
New project: parsync
When transferring a very large number of small files between two machines, it's ~61% faster than rclone, and ~686% faster than rsync. Easier to set up than rsync (no need for both machines to have it), but with its resuming and checksum capabilities.