DOCK · MOD.DOCK-08 · v1.0

From Dockerfile to production-grade container — without the CVE debt.

8 micro-lessons · ~78 min · Real Docker images

Docker in Production

WHY THIS MATTERS · DOCKER ENGINE V29 · ROADMAP.SH · BRET FISHER DOCKER MASTERY (318K+ STUDENTS)
Docker Engine v29 (Nov 2025) made containerd the default image store, shipped BuildKit 0.29.0, and deprecated legacy graph drivers. roadmap.sh's Docker path (6th most-starred GitHub project) and six surveyed curricula converge on the same 12 core topics — this course covers all 12 with production gaps filled.
WHAT YOU'LL LEARN
01 Containers vs VMs — the mental model that sticks
02 Dockerfile mastery: multi-stage, caching, and non-root
03 Docker Compose for real apps
04 Volumes, bind mounts, and data persistence
05 Networking: bridge, overlay, and DNS discovery
06 Registries, image tagging, and CI/CD pipelines
07 Container security and image hardening
08 Observability: Prometheus, Grafana, and cAdvisor
YOU'LL BE ABLE TO
Write production-grade Dockerfiles with multi-stage builds, layer caching, and non-root USER
Orchestrate multi-container apps with Docker Compose including healthchecks, volumes, and secrets
Ship a GitHub Actions CI/CD pipeline that builds, scans, tags, and deploys container images
Harden containers against the top CVE classes using Docker Scout, read-only filesystems, and minimal base images
Wire a Prometheus + Grafana + cAdvisor observability stack for live container metrics
SKILLS YOU'LL GAIN

Real skills, real career delta.

10 skills
  • Multi-stage Dockerfile authoring (Production)

    Students write multi-stage Dockerfiles that separate build and runtime layers, apply .dockerignore, set non-root USER, and reduce images from 900 MB to under 50 MB using BuildKit 0.29.0 cache mounts.

  • BuildKit layer cache optimization (Working)

    Students order COPY and RUN instructions to maximize cache hits, use --mount=type=cache for package managers, and measure rebuild times before and after reordering.

  • Docker Compose multi-service orchestration (Production)

    Students write Compose files with service dependencies, healthcheck directives, named volumes, env_file secrets, and override files to achieve dev/prod parity across a Node API, PostgreSQL, and Redis stack.

  • Container networking: user-defined bridge and DNS discovery (Working)

    Students create user-defined bridge networks, verify DNS-based service resolution between containers, and isolate services across multiple networks — replacing the deprecated --links flag.

  • Named volume and bind mount lifecycle management (Working)

    Students distinguish named volume persistence from bind mount behavior, implement a PostgreSQL backup script using volume mounts, and reproduce a deliberate data-loss scenario to understand container-restart semantics.

  • Docker Scout CVE scanning and image hardening (Production)

    Students run docker scout cves against a full-OS base image, migrate to a distroless or Alpine base, apply read-only filesystems, drop Linux capabilities, and set no-new-privileges — measuring CVE count reduction at each step.

  • GitHub Actions CI/CD pipeline for container images (Production)

    Students build a GitHub Actions workflow that runs docker buildx build for multi-platform targets, executes Docker Scout policy gates, pushes semver-tagged and SHA-pinned images to GHCR, and includes a digest-pinned rollback step.

  • Container image tagging and registry management (Working)

    Students apply semver and SHA digest tagging strategies, push and pull from GHCR using Organization Access Tokens, and pin production deployments to immutable digest references rather than mutable tags.

  • Prometheus + cAdvisor + Grafana observability stack (Working)

    Students deploy cAdvisor to expose container CPU, memory, and network metrics, configure a Prometheus scrape job, build a Grafana dashboard from those metrics, and wire an alert rule that fires on memory threshold breach.

  • Traefik reverse proxy with TLS termination and label-based routing (Working)

    Students configure Traefik v3 via Docker labels to route HTTP traffic to multiple containerized services, provision Let's Encrypt TLS certificates automatically via ACME, and add basic-auth middleware — all without modifying application code.

RUNNABLE ON YOUR MACHINE
$ docker pull snap/smoke-test-2:hello
$ docker run --rm -it snap/smoke-test-2:hello
VERIFIED ENGINEER REVIEWS
The multi-stage Dockerfile lesson alone cut our image sizes by 60%. Wish I'd had this two years ago.
@platform_eng_ravi
The CI/CD pipeline project is exactly what I needed for my portfolio. Got an interview within a week of pushing it.
@devops_marta
LESSONS: 8
HOURS: ~1.3
LEARNERS: 0
THIS WEEK: +0%