gcr.io/distroless/base-debian12

Characteristic: intentionally does not include a shell like /bin/bash or even /bin/sh, extremely minimal and contain only the application and its direct runtime dependencies

Reasons for excluding a shell: Security: Removing unnecessary components like shells reduces the attack surface of the container, making it harder for attackers to gain a foothold or execute arbitrary commands. Size: The absence of a shell and other utilities significantly reduces the image size, leading to faster downloads and deployments. Reduced Complexity: By removing components not directly required by the application, the image becomes simpler and easier to manage. Implications for users: No interactive shell access: . You cannot docker exec -it /bin/bash into a Distroless container for debugging or inspection. No RUN commands that rely on a shell: . When building your Dockerfile, RUN commands that implicitly use a shell (e.g., RUN apt-get update) will fail. You must use the "exec" form of RUN with explicit commands (e.g., RUN ["apt-get", "update"]) or ensure the command is self-contained. Debugging challenges: . Debugging within a running container becomes more challenging as traditional shell-based debugging tools are unavailable. You must rely on application-level logging and metrics. Solutions for specific needs: Debugging: . Consider building a separate "debug" image based on a full-featured base image (like Debian or Ubuntu) with your application and debugging tools for development and troubleshooting. Running shell scripts: . If your application requires running shell scripts, you will need to include a shell within your image or refactor your application to not rely on shell execution within the container. This can be done by copying a statically compiled shell from another image (like BusyBox) or using a different base image.

golang:1.24.4-alpine

Characteristic: Official Go programming language Docker image based on Alpine Linux, providing a minimal and secure environment for building and running Go applications.

Key Features:

  • Lightweight base: Built on Alpine Linux, resulting in smaller image sizes (typically under 300MB)
  • Go toolchain: Includes Go compiler, runtime, and standard library
  • Package manager: Includes apk package manager for installing additional dependencies
  • Security: Alpine’s musl libc and security-focused approach
  • Multi-architecture: Supports multiple CPU architectures (amd64, arm64, etc.)

Use Cases: Building Go applications: Perfect for multi-stage Docker builds where you compile Go binaries in one stage and copy them to a smaller runtime image. Development environment: Provides a consistent Go development environment across different systems. CI/CD pipelines: Commonly used in continuous integration workflows for testing and building Go projects.

Best Practices: Multi-stage builds: Use this image in the build stage, then copy the compiled binary to a smaller runtime image like scratch or distroless. Cache dependencies: Copy go.mod and go.sum first, then run go mod download to leverage Docker layer caching. Static compilation: Compile with CGO_ENABLED=0 to create statically linked binaries that can run in minimal containers.

Example Dockerfile pattern:

FROM golang:1.24.4-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o main .

FROM gcr.io/distroless/static
COPY --from=builder /app/main /
CMD ["/main"]

docker.n8n.io/n8nio/n8n

Characteristic: Official Docker image for n8n, a free and open-source workflow automation tool that allows you to connect different services and APIs through a visual interface.

Key Features:

  • Node.js based: Built on Node.js runtime for executing workflows
  • Web interface: Includes built-in web UI accessible via browser
  • Pre-installed nodes: Comes with hundreds of pre-built integrations
  • Database support: Compatible with SQLite, PostgreSQL, MySQL
  • Webhook support: Built-in webhook endpoints for triggering workflows
  • Credential management: Secure storage and management of API keys and credentials

Configuration Options: Environment variables:

  • N8N_BASIC_AUTH_ACTIVE: Enable/disable basic authentication
  • N8N_BASIC_AUTH_USER/PASSWORD: Set authentication credentials
  • DB_TYPE: Database type (sqlite, postgresdb, mysqldb)
  • WEBHOOK_URL: External webhook URL for proper link generation
  • N8N_HOST: Hostname for the n8n instance
  • N8N_PORT: Port number (default: 5678)
  • N8N_PROTOCOL: HTTP or HTTPS protocol

Volume Mounts:

  • /home/node/.n8n: User data, workflows, and credentials
  • /home/node/.n8n/custom: Custom nodes and extensions

Use Cases: Workflow automation: Automate business processes, data synchronization, and API integrations. API orchestration: Connect multiple services and APIs without writing code. Data processing: Transform and process data between different systems. Monitoring and alerts: Set up automated monitoring workflows and notification systems.

Example Docker Compose:

version: '3.8'
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    ports:
      - "5678:5678"
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=password
    volumes:
      - n8n_data:/home/node/.n8n
volumes:
  n8n_data:

ghcr.io/open-webui/open-webui:main

Characteristic: Open-source web interface for Large Language Models (LLMs), providing a ChatGPT-like experience that can be self-hosted and integrated with various AI models.

Key Features:

  • Multi-model support: Compatible with OpenAI API, Ollama, and other LLM providers
  • Self-hosted: Complete control over your AI chat interface and data
  • User management: Built-in authentication and user management system
  • Chat history: Persistent conversation storage and management
  • Model switching: Easy switching between different AI models within the same interface
  • Plugin system: Extensible through various plugins and integrations
  • Responsive design: Mobile-friendly web interface

Configuration Options: Environment variables:

  • OLLAMA_BASE_URL: URL for Ollama API endpoint
  • OPENAI_API_KEY: OpenAI API key for GPT models
  • WEBUI_SECRET_KEY: Secret key for session management
  • DEFAULT_MODELS: Comma-separated list of default models
  • ENABLE_SIGNUP: Enable/disable user registration
  • WEBUI_AUTH: Enable/disable authentication

Database:

  • Uses SQLite by default for storing user data and chat history
  • Supports external database configuration for production deployments

Networking:

  • Default port: 8080
  • Reverse proxy friendly for HTTPS termination

Use Cases: Personal AI assistant: Self-host your own ChatGPT-like interface with privacy control. Team collaboration: Provide AI assistance to teams with user management and shared conversations. AI model comparison: Test and compare different LLM models through a unified interface. Educational purposes: Teach AI concepts with a hands-on, self-hosted platform.

Example Docker Compose with Ollama:

version: '3.8'
services:
  ollama:
    image: ollama/ollama
    ports:
      - "11434:11434"
    volumes:
      - ollama_data:/root/.ollama
    
  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    ports:
      - "3000:8080"
    environment:
      - OLLAMA_BASE_URL=http://ollama:11434
      - WEBUI_SECRET_KEY=your-secret-key-here
    volumes:
      - open_webui_data:/app/backend/data
    depends_on:
      - ollama

volumes:
  ollama_data:
  open_webui_data:

Security Considerations:

  • Set strong WEBUI_SECRET_KEY for production deployments
  • Use HTTPS in production with reverse proxy
  • Configure proper firewall rules to limit access
  • Regular updates to maintain security patches
  • Consider authentication requirements for your use case

docker.m.daocloud.io/library/node:20-alpine

Characteristic: Official Node.js Docker image based on Alpine Linux, providing a lightweight and secure environment for running Node.js applications with the latest LTS version.

Key Features:

  • Lightweight base: Built on Alpine Linux, resulting in minimal image size (typically under 100MB)
  • Node.js 20 LTS: Includes Node.js runtime, npm package manager, and yarn
  • Security focused: Alpine’s security-oriented approach with musl libc
  • Package manager: Includes apk for installing additional system dependencies
  • Multi-architecture: Supports multiple CPU architectures (amd64, arm64, armv7)

Use Cases: Production Node.js applications: Ideal for deploying lightweight Node.js applications in production environments. Frontend build processes: Perfect for building React, Vue, Angular, or other frontend applications. Microservices: Excellent choice for Node.js-based microservices architecture. Development environments: Consistent Node.js environment across different development setups.

Best Practices: Multi-stage builds: Use for building applications, then copy artifacts to an even smaller runtime image. Package.json caching: Copy package.json first, run npm install, then copy source code for better layer caching. Non-root user: Create and use a non-root user for security best practices. Health checks: Implement proper health check endpoints for container orchestration.

Example Dockerfile:

FROM docker.m.daocloud.io/library/node:20-alpine
WORKDIR /app

# Create non-root user
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001

# Copy package files for better caching
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force

# Copy source code
COPY --chown=nextjs:nodejs . .
USER nextjs

EXPOSE 3000
CMD ["node", "server.js"]

Security Considerations:

  • Always run as non-root user in production
  • Regularly update base image for security patches
  • Use .dockerignore to exclude sensitive files
  • Implement proper secret management for environment variables

docker.m.daocloud.io/library/maven:3.8-openjdk-17

Characteristic: Official Apache Maven Docker image with OpenJDK 17, providing a complete Java development and build environment for Maven-based projects.

Key Features:

  • Maven 3.8: Latest stable version of Apache Maven build automation tool
  • OpenJDK 17: Long Term Support (LTS) version of OpenJDK
  • Complete toolchain: Includes Java compiler, Maven, and standard Java libraries
  • Debian-based: Built on Debian for stability and compatibility
  • Pre-configured: Maven settings and repositories pre-configured for immediate use

Use Cases: Java application builds: Compile and package Java applications using Maven build lifecycle. CI/CD pipelines: Essential for continuous integration workflows with Java projects. Dependency management: Resolve and download Java dependencies through Maven Central and other repositories. Multi-module projects: Handle complex Java projects with multiple modules and dependencies.

Maven Lifecycle Commands:

  • mvn clean: Clean previous build artifacts
  • mvn compile: Compile source code
  • mvn test: Run unit tests
  • mvn package: Create JAR/WAR packages
  • mvn install: Install artifacts to local repository
  • mvn deploy: Deploy artifacts to remote repository

Best Practices: Layer caching: Copy pom.xml first, run dependency download, then copy source code. Multi-stage builds: Use Maven image for building, then copy JARs to a smaller JRE image. Offline builds: Cache dependencies in Docker layers for faster subsequent builds. Memory optimization: Configure Maven memory settings for large projects.

Example Multi-stage Dockerfile:

FROM docker.m.daocloud.io/library/maven:3.8-openjdk-17 AS builder
WORKDIR /app

# Copy pom.xml for dependency caching
COPY pom.xml .
RUN mvn dependency:go-offline -B

# Copy source and build
COPY src ./src
RUN mvn clean package -DskipTests

# Runtime stage
FROM openjdk:17-jre-slim
WORKDIR /app
COPY --from=builder /app/target/*.jar app.jar

EXPOSE 8080
ENTRYPOINT ["java", "-jar", "app.jar"]

Configuration Options: Maven settings:

  • Custom settings.xml for repository configuration
  • Proxy settings for corporate environments
  • Authentication for private repositories

JVM options:

  • Memory settings: -Xmx, -Xms
  • Garbage collection: -XX:+UseG1GC
  • Debugging: -agentlib:jdwp

Environment variables:

  • MAVEN_OPTS: JVM options for Maven execution
  • MAVEN_CONFIG: Maven configuration directory
  • JAVA_TOOL_OPTIONS: Additional JVM options

docker.m.daocloud.io/library/python:3.11-slim

Characteristic: Official Python Docker image based on Debian slim, providing a balance between functionality and image size for Python 3.11 applications.

Key Features:

  • Python 3.11: Latest stable Python version with performance improvements
  • Debian slim base: Minimal Debian installation reducing image size significantly
  • pip included: Package installer for Python with latest version
  • Essential tools: Includes basic system tools while maintaining small footprint
  • Multi-architecture: Supports various CPU architectures

Advantages over full Python image:

  • Smaller size: Typically 3-5x smaller than the full Python image
  • Faster deployment: Reduced download and startup times
  • Security: Fewer installed packages mean reduced attack surface
  • Efficiency: Better resource utilization in containerized environments

Use Cases: Production Python applications: Ideal for deploying Python web applications, APIs, and services. Data science workflows: Suitable for machine learning and data processing applications. Microservices: Perfect for Python-based microservices architecture. Batch processing: Excellent for scheduled tasks and data processing jobs.

Best Practices: Requirements management: Pin dependency versions and use requirements.txt for reproducible builds. Multi-stage builds: Use for installing build dependencies, then copy to clean runtime image. Virtual environments: Consider using virtual environments even in containers for dependency isolation. Security scanning: Regularly scan images for vulnerabilities and update base images.

Example Dockerfile:

FROM docker.m.daocloud.io/library/python:3.11-slim

# Set working directory
WORKDIR /app

# Install system dependencies if needed
RUN apt-get update && apt-get install -y \
    gcc \
    && rm -rf /var/lib/apt/lists/*

# Create non-root user
RUN groupadd -r appuser && useradd -r -g appuser appuser

# Copy requirements first for better caching
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code
COPY --chown=appuser:appuser . .

# Switch to non-root user
USER appuser

# Expose port
EXPOSE 8000

# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
    CMD python -c "import requests; requests.get('http://localhost:8000/health')"

# Run application
CMD ["python", "app.py"]

Common Patterns: Flask/FastAPI applications:

# Install production WSGI server
RUN pip install gunicorn
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app:app"]

Data science applications:

# Install Jupyter for development
RUN pip install jupyter pandas numpy matplotlib
CMD ["jupyter", "notebook", "--ip=0.0.0.0", "--allow-root"]

Package Management:

  • Use pip install --no-cache-dir to reduce image size
  • Pin dependency versions in requirements.txt
  • Use pip-tools for dependency management
  • Consider using pipenv or poetry for advanced dependency management

Security Considerations:

  • Run applications as non-root user
  • Regularly update base image and dependencies
  • Use .dockerignore to exclude sensitive files
  • Implement proper logging and monitoring
  • Scan for vulnerabilities using tools like Trivy or Snyk