This means that even if you unset the environment variable in a future layer, it still persists in this layer and its value can be dumped.

You can test this by creating a Dockerfile like the following, and then building it. If you use the second method, and one of the commands fails, the docker build also fails.

This is usually a good idea. You could also put all of the commands into a shell script and have the RUN command just run that shell script. COPY only supports the basic copying of local files into the container, while ADD has some features (like local-only tar extraction and remote URL support) that are not immediately obvious.

Consequently, the best use for ADD is local tar file auto-extraction into the image, as in ADD rootfs. If you have multiple Dockerfile steps that use different files from your context, copy them individually, rather than all at once.

This allows the application to receive any Unix signals sent to the container. If a service can run without privileges, use USER to change to a non-root user. A workaround is to pass the --no-log-init flag to useradd. Avoid installing or using sudo as it has unpredictable TTY and signal-forwarding behavior that can cause problems. Lastly, to reduce layers and complexity, avoid switching USER back and forth frequently.

For clarity and reliability, you should always use absolute paths for your WORKDIR. An ONBUILD command executes after the current Dockerfile build completes. ONBUILD executes in any child image derived FROM the current image. Think of the ONBUILD command as an good johnson the parent Dockerfile gives to the child Dockerfile. A Docker build executes ONBUILD commands before any command in a child Dockerfile.

This is useful for images that are going to be built FROM a given image.

Images built with ONBUILD should get a separate tag, for example: ruby:1. Be careful when putting ADD or COPY in ONBUILD. Adding a separate tag, as recommended above, helps mitigate this by allowing the Dockerfile author to make commercials choice.

