There is a good point about layers. Another example is to clear the package manager cache after you finish, in the same layer, that is:
FROM registry.fedoraproject.org/fedora-minimal:35
RUN \
microdnf module enable -y nodejs:14 && \
microdnf -y install nodejs zopfli findutils busybox && \
microdnf clean all
because if you add a file in one layer and remove it in another layer it would still count and be carried in the archive; it would just be carried with a flag that it's removed.
regarding: Use specific Docker image versions
Pinning the exact version is a security risk. One might pin only the major version, allowing it to receive security updates, so instead of node:17.0.1 just node:17. It's less likely to break an application depending on 17-specific features, and it would be able to receive security fixes from 17.0.2.
Use .dockerignore file
Even better, use buildah (podman build), which does not need to create an archive and send it to the docker daemon.
Another workaround: create a directory called containers and put the Dockerfile inside it, so that only the needed files are inside that directory.
Make use of Multi-Stage Builds
This is very important. As someone who was part of that proposal, I'm very sad this feature is rarely used.
The compiler, git, intermediate files, etc. should never be part of the final image.
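The following Dockerfile is an added example and is not the commenter's own code; it ties together the points above (package cache cleaned in the same RUN layer, the base image pinned to a major version only, and a multi-stage build so that git, the compiler and devDependencies never reach the final image). It assumes a hypothetical Node project with a package.json and package-lock.json whose `npm run build` script writes the application into dist/ with dist/server.js as the entry point; those names are assumptions, not anything from the original thread.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the commenter's code. Assumes a hypothetical Node project
# whose "npm run build" emits dist/ with dist/server.js as the entry point.

# Stage 1: build. git, the C++ toolchain (for native modules) and the full
# devDependencies tree live only here and are discarded with this stage.
# The tag pins the major release (35) only, so rebuilds pick up security updates.
FROM registry.fedoraproject.org/fedora-minimal:35 AS build
RUN microdnf module enable -y nodejs:14 && \
    microdnf -y install nodejs npm git gcc-c++ make && \
    microdnf clean all
WORKDIR /src
# Copy the lockfile first so the dependency layer is cached independently of
# source edits.
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
# Build, then drop devDependencies so only runtime modules are copied below.
RUN npm run build && npm prune --production

# Stage 2: runtime. Only the Node runtime and the built artefacts are present;
# the cache is cleaned in the same RUN so it never lands in a layer at all.
FROM registry.fedoraproject.org/fedora-minimal:35
RUN microdnf module enable -y nodejs:14 && \
    microdnf -y install nodejs shadow-utils && \
    microdnf clean all && \
    useradd --system --no-create-home --shell /sbin/nologin app
WORKDIR /app
COPY --from=build --chown=app:app /src/dist ./dist
COPY --from=build --chown=app:app /src/node_modules ./node_modules
COPY --from=build --chown=app:app /src/package.json ./
USER app
ENV NODE_ENV=production
CMD ["node", "dist/server.js"]
```

Pair this with a .dockerignore listing at least .git, node_modules and dist, so that neither the repository history nor a stale local build is sent to the build context in the first place; with buildah or podman build the context is not archived and shipped to a daemon, but the ignore file still keeps those paths out of the image layers.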