Container Runtime & Docker

Executive Summary

Professional containerization and image management covering the complete lifecycle from Dockerfile design through production deployment. This agent provides deep expertise in building efficient, secure, and maintainable container images while managing container infrastructure at enterprise scale.

Core Competencies

1. Dockerfile Optimization & Best Practices

Dockerfile Structure Evolution

• Basic: Single-layer, monolithic, large images (900MB+)
• Optimized: Multi-stage, minimal base, ~50-100MB
• Production: Distroless, signed, security hardened, <10MB

Layer Optimization Strategy

# ❌ ANTI-PATTERN: Many layers, large intermediate
FROM ubuntu:20.04
RUN apt-get update && apt-get install -y nodejs npm git curl wget
RUN useradd appuser
RUN npm install -g yarn
COPY . /app
WORKDIR /app
RUN npm install
RUN npm build

# ✅ PATTERN: Minimal layers, efficient
FROM node:18-alpine as builder
WORKDIR /build
COPY package*.json ./
RUN npm ci --only=production

FROM gcr.io/distroless/nodejs18-debian11:nonroot
COPY --from=builder /build/node_modules /app/node_modules
COPY --chown=nonroot:nonroot . /app
WORKDIR /app
EXPOSE 3000
CMD ["server.js"]

Key Optimization Principles

1. Layer Ordering: Frequently changing content last
2. Build Context: Minimize files sent to daemon (.dockerignore)
3. Caching: Leverage Docker layer caching (dependencies before code)
4. Deduplication: Share layers across images (common base)
5. Compression: Use minimal base images (Alpine, Distroless)
6. Size Reduction: Remove unnecessary packages (apt-get clean)

Size Reduction Examples

• Node.js: 860MB (ubuntu:20.04) → 120MB (node:18) → 85MB (multi-stage) → 45MB (distroless)
• Python: 900MB → 150MB (python:slim) → 85MB (multi-stage) → 120MB (distroless)
• Go: 800MB → 50MB (single binary) → 20MB (distroless)

2. Container Runtimes & Architecture

Runtime Options Comparison

Runtime	Size	Speed	Security	Kubernetes	Use Case
Docker	100MB+	Standard	Good	Via Docker	Dev, testing
containerd	20MB	Fast	Excellent	Native	Production
CRI-O	15MB	Fast	Excellent	Native	Production, CNCF
Kata	50MB	Slower	Superior	Plugin	Multi-tenant
gVisor	30MB	Slower	Superior	Plugin	Untrusted

containerd Configuration

# /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
  endpoint = ["https://mirror.gcr.io"]

[plugins."io.containerd.grpc.v1.cri".registry.auths."private-registry.com"]
  auth = "base64-encoded-credentials"

[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_engine = "runc"
  runtime_root = ""

CRI-O Configuration

# /etc/crio/crio.conf
[crio.runtime]
manage_network_ns_lifecycle = true
pause_image = "k8s.gcr.io/pause:3.6"

[crio.image]
registries = ["docker.io", "gcr.io", "quay.io"]

Runtime Selection Decision Tree

1. Kubernetes? → containerd (fastest, most efficient)
2. Development? → Docker (familiar tooling)
3. Untrusted workloads? → Kata Containers or gVisor
4. Multi-tenant? → CRI-O with security policies
5. Performance critical? → containerd or CRI-O
6. Corporate standard? → Follow organizational policy

3. Image Management & Registry Operations

Image Naming Convention

registry.example.com/namespace/repository:tag
├── registry: Where image stored (docker.io, gcr.io, ecr.aws, acr.azurecr.io)
├── namespace: Organization (mycompany, team-name, public)
├── repository: App name (api-server, auth-service, web-ui)
└── tag: Version identifier (v1.2.3, sha256:abc123..., latest)

Image Tagging Strategy - Production

# Semantic Versioning (recommended)
registry.example.com/company/api:v1.2.3
registry.example.com/company/api:v1.2
registry.example.com/company/api:v1

# Git SHA (immutable reference)
registry.example.com/company/api:sha-abc123def456

# Environment tags (development)
registry.example.com/company/api:dev
registry.example.com/company/api:staging
registry.example.com/company/api:prod

# Timestamp (for builds)
registry.example.com/company/api:2024-01-15-120530

Registry Operations Workflow

# Step 1: Build image locally
docker build -t myregistry.azurecr.io/company/api:v1.2.3 .

# Step 2: Authenticate to registry
az acr login --name myregistry

# Step 3: Push to registry
docker push myregistry.azurecr.io/company/api:v1.2.3

# Step 4: Pull for testing
docker pull myregistry.azurecr.io/company/api:v1.2.3

# Step 5: Sign image (optional)
cosign sign --key cosign.key myregistry.azurecr.io/company/api:v1.2.3

# Step 6: Verify signature
cosign verify --key cosign.pub myregistry.azurecr.io/company/api:v1.2.3

Multi-Registry Strategy

• Public registry: Docker Hub (public images, common libraries)
• Private registry: ECR, ACR, GCR (internal, proprietary code)
• Mirror/proxy: Harbor, Quay (reduce external dependencies)
• Sync strategy: Replicate tags across regions for redundancy

4. Image Scanning & Security

Vulnerability Scanning Tools Comparison

Tool	Speed	Accuracy	Updates	Output
Trivy	Fast	Excellent	Daily	SBOM, JSON, SPDX
Grype	Medium	Excellent	Regular	SBOM, JSON
Snyk	Slow	Good	Real-time	JSON, HTML, SARIF
Anchore	Medium	Excellent	Regular	Detailed reports

Scanning Pipeline Implementation

# GitHub Actions example
name: Container Security

on: [push]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: Build image
      run: docker build -t app:${{ github.sha }} .

    - name: Scan with Trivy
      uses: aquasecurity/trivy-action@master
      with:
        image-ref: app:${{ github.sha }}
        format: 'sarif'
        output: 'trivy-results.sarif'

    - name: Upload results
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: 'trivy-results.sarif'

Vulnerability Management SLA

• Critical (CVSS 9.0+): Fix within 1 day, block deployment
• High (CVSS 7.0-8.9): Fix within 7 days, escalate
• Medium (CVSS 4.0-6.9): Fix within 30 days, monitor
• Low (CVSS <4.0): Monitor, low priority

Policy Enforcement

# Allowed base images only
FROM gcr.io/distroless/base-debian11:nonroot
# or
FROM node:18-alpine
# ❌ Do not use: ubuntu:latest, centos:7, etc.

5. Multi-Architecture Builds

Buildx Setup for Multiple Architectures

# Enable buildx
docker buildx create --name mybuilder
docker buildx use mybuilder

# Build for multiple architectures
docker buildx build \
  --platform linux/amd64,linux/arm64,linux/arm/v7 \
  -t myregistry.azurecr.io/company/api:v1.2.3 \
  --push .

Architecture Support Matrix

• amd64: Standard x86, AWS EC2, Google Cloud, Azure (most common)
• arm64: Apple Silicon, AWS Graviton, Azure Ampere (growing)
• arm/v7: Older ARM devices, Raspberry Pi 3
• ppc64le: IBM Power systems (enterprise)

Manifest List Strategy

# Create and push manifest list
docker buildx build --push \
  --platform linux/amd64,linux/arm64 \
  -t myregistry.azurecr.io/company/api:v1.2.3 .

# Kubernetes automatically pulls correct variant
kubectl create deployment app \
  --image=myregistry.azurecr.io/company/api:v1.2.3
# On amd64 node: pulls amd64 variant
# On arm64 node: pulls arm64 variant

6. Container Networking & Resource Limits

Resource Constraints

# Memory limit
docker run --memory 512m app

# CPU limits
docker run --cpus 1.5 app

# I/O limits
docker run --device-read-bps /dev/sda:10mb app
docker run --device-write-bps /dev/sda:10mb app

# Process limit
docker run --pids-limit 100 app

# Network bandwidth
docker run --network-opt "com.docker.network.driver.mtu=1500" app

Health Checks

HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1

7. Security Hardening

Dockerfile Security Checklist

• Non-root user (avoid UID 0)
• Read-only root filesystem where possible
• No secrets in image (use secrets at runtime)
• Minimal base image (fewer attack surface)
• Drop capabilities (CAP_NET_RAW, CAP_SYS_ADMIN)
• Resource limits defined
• Health checks included
• Image signed and verified
• Regular vulnerability scans
• SBOM (Software Bill of Materials) generated

Production Security Pattern

# Security-hardened Dockerfile
FROM gcr.io/distroless/base-debian11:nonroot

# No shell, no package manager, minimal attack surface
# Runs as UID 65532 (nonroot)

COPY --chown=65532:65532 app /app
WORKDIR /app

EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=5s \
  CMD ["/app/health"]

ENTRYPOINT ["/app/server"]

8. Build Automation & CI/CD Integration

GitLab CI Example

build-image:
  stage: build
  image: docker:latest
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
    - docker push $CI_REGISTRY_IMAGE:latest

scan-image:
  stage: test
  image: aquasec/trivy:latest
  script:
    - trivy image --severity HIGH,CRITICAL $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
  allow_failure: false

deploy-image:
  stage: deploy
  script:
    - kubectl set image deployment/app app=$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

Integration with Related Skills

Uses skill: docker-containers

• Dockerfile commands and syntax
• Container runtime operations
• Build process details
• Network and volume management

Coordinates with skill: deployments

• Image pulling in Kubernetes
• Container specification
• Pod templates
• Rollout strategies

Works with skill: security

• Image scanning and vulnerability assessment
• Container access control to registries
• Image signing and verification
• Runtime security policies

References skill: gitops

• Image tag updates in GitOps
• CI/CD image building automation
• Registry integration
• Automated image promotion

Real-World Scenarios

Scenario 1: Reduce Image Size 850MB → 45MB

1. Analyze current image (docker inspect, docker history)
2. Switch base: ubuntu:20.04 → node:18-alpine
3. Implement multi-stage: separate build and runtime
4. Use distroless: gcr.io/distroless/nodejs18
5. Remove development: npm ci vs npm install
6. Result: 95% reduction, 10x faster pull

Scenario 2: Implement Image Scanning Pipeline

1. Scan on commit (GitHub Actions, GitLab CI)
2. Scan on push to registry (ECR scan, GCR scan)
3. Daily scan of production images (Anchore)
4. Alert on new vulnerabilities (Slack webhook)
5. Automated remediation (rebuild with new base)

Scenario 3: Build for Multiple Architectures

1. Enable buildx (docker buildx create)
2. Define platforms (--platform linux/amd64,linux/arm64)
3. Use multi-arch base images (node:18-alpine)
4. Test on each architecture (emulation)
5. Publish manifest list to registry

Success Criteria

✅ Image size <50MB for most applications ✅ Build time <2 minutes ✅ Zero critical vulnerabilities ✅ <5 layers per Dockerfile ✅ Non-root user enforcement (100%) ✅ All images scanned before deployment ✅ Pull time <5 seconds ✅ Image signing coverage 100% (production) ✅ SBOM generated for all images ✅ Multi-arch support where needed

Common Challenges & Solutions

Challenge	Solution
Large images (>500MB)	Multi-stage builds, distroless, cleanup
Slow builds (>5 min)	Layer caching, parallel builds, BuildKit
Vulnerabilities found in prod	Regular scanning, automated patching
Registry access errors	Auth config, service principals, RBAC
Architecture mismatches	Buildx, manifest lists, platform testing
Secret leaks in images	Use secret mounts, environment variables
Dependency bloat	Slim base images, minimal dependencies
License compliance issues	SBOM analysis, tool choice