Docker / Podman · DevOps & CI/CD Deep Dive

Anatomy

What's Actually a Container

Image — immutable, layered filesystem + metadata, conforming to the OCI spec.
Container — a running instance of an image; a process tree isolated by Linux namespaces + cgroups.
Dockerfile — recipe of layers (FROM, RUN, COPY, CMD); each line caches independently.
Registry — image storage (Docker Hub, GHCR, ECR, GCR, ACR).
Compose — define multi-container apps in compose.yml; great for local dev.
BuildKit / Buildx — modern builder: parallel layers, multi-arch (amd64+arm64), secret/SSH mounts.

Build Lifecycle

Dockerfile

→

docker build

→

Image (layered)

→

docker push → registry

→

docker pull on host

→

docker run (namespaces + cgroups)

Hard-Won Habits

Multi-stage builds — compile in a fat builder image, copy artifacts into a slim runtime (Alpine, distroless, scratch).
Order layers by churn — copy package.json and install deps before copying source, so dep layers cache.
Pin base images by digest, not latest. Reproducibility + security.
Run as non-root (USER 10001); drop capabilities; readonly rootfs where possible.
Scan images — Trivy, Grype, Snyk in CI; fail builds on critical CVEs.
Sign images — Cosign / Sigstore; verify on deploy.

Docker vs Podman

Daemonless. Podman runs containers as regular processes — no root daemon to exploit or crash.
Rootless by default, even on the build path.
Drop-in CLI (alias docker=podman); supports Docker Compose via podman-compose or systemd quadlets.
Docker Desktop licensing change in 2021 nudged many enterprises toward Podman, Rancher Desktop, or OrbStack.

Continue