DOCKER - 4 6 The basics of the Dockerfile

The Dockerfile is the recipe Docker uses to bake an image. Every official image you've used was built from one, and you can read them on Docker Hub. Despite looking like a shell script, a Dockerfile is its own little language, with its own instructions. The default filename is Dockerfile (capital D), but the CLI's -f flag lets you point at any file you want.

The main instructions, line by line

FROM is mandatory and must come first. It picks the base image, usually a minimal distribution such as Debian or, more often, Alpine. These minimal images are far smaller than what a regular VM ISO would install: a base Ubuntu container doesn't even ship curl. Because they are official images, they are actively maintained and receive security patches promptly. The big advantage of starting from a distro is reusing its package manager (apt, apk) to install only what you need.

ENV sets environment variables, the recommended way to pass configuration into containers: the variables are available to the later build instructions and persist into the running container. The official Nginx Dockerfile, for example, sets NGINX_VERSION with ENV so that later instructions can reference it instead of hardcoding the version repeatedly. Because ENV values are baked into the image metadata (they show up in docker inspect), they are for configuration, not for secrets.

RUN executes shell commands inside the image during the build: install packages, unzip files, patch configuration, run shell scripts you've copied in. Each instruction in a Dockerfile creates a new image layer, so the convention is to chain several shell commands into a single RUN with &&: fewer layers, a smaller image, faster builds. The same rule applies to cleanup: a file deleted in a later layer still exists in the earlier one, so package-manager caches should be removed in the same RUN that created them.

  • FROM debian:stretch-slim — mandatory base image
  • ENV NGINX_VERSION 1.21.6 — env vars used downstream
  • RUN apt-get update && apt-get install -y nginx — install software with the distro's package manager
  • RUN ln -sf /dev/stdout /var/log/nginx/access.log — redirect file logs to stdout
  • EXPOSE 80 443 — declare ports, document only — no host binding
  • CMD ["nginx", "-g", "daemon off;"] — the process to run when the container starts

For logs, the Docker way is to send everything to stdout / stderr instead of writing to log files inside the container. The Nginx Dockerfile symlinks its access and error logs to those streams, and Docker captures and routes them through its log drivers. EXPOSE only documents which TCP/UDP ports the application listens on inside the virtual network — it does not publish them on the host; you still need -p at run time. CMD is the final mandatory instruction: it defines what process runs each time a container is started from this image. Full reference docs live on docs.docker.com.
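As an added example, and not the Nginx project's official Dockerfile, here is a complete Dockerfile that puts the instructions above together. It assumes the debian:bookworm-slim base image and the nginx package from Debian's repositories (assumed to be version 1.22.1), and uses the ENV key=value form that current Docker documentation prefers.

```dockerfile
# Added example, not the official nginx Dockerfile.
# Assumptions: debian:bookworm-slim exists on Docker Hub and its repos
# ship the nginx package at version 1.22.1.
FROM debian:bookworm-slim

# ENV persists into the running container and is visible in the image
# metadata (docker inspect), so it holds non-secret configuration only.
# The value is consumed by the build check in the RUN below.
ENV NGINX_VERSION=1.22.1

# One RUN chained with && so everything lands in a single layer:
#  - install nginx from the distro package manager
#  - verify the installed version matches the declared ENV; grep exits
#    non-zero on a mismatch, which fails the build
#  - remove the apt index in the same layer so it is not baked into the image
#  - symlink the log files to the container's stdout/stderr
RUN apt-get update \
    && apt-get install -y --no-install-recommends nginx \
    && nginx -v 2>&1 | grep -F "nginx/${NGINX_VERSION}" \
    && rm -rf /var/lib/apt/lists/* \
    && ln -sf /dev/stdout /var/log/nginx/access.log \
    && ln -sf /dev/stderr /var/log/nginx/error.log

# EXPOSE is documentation only: nothing is reachable from the host
# until the container is started with -p (e.g. docker run -p 8080:80).
EXPOSE 80

# CMD is the foreground process of the container. "daemon off;" keeps
# nginx in the foreground so PID 1 does not exit right after starting.
CMD ["nginx", "-g", "daemon off;"]
```

Build with `docker build -t nginx-example .` and run with `docker run --rm -p 8080:80 nginx-example`; the access log then appears in `docker logs` rather than in a file inside the container.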