Docker Compose Tip #30: Compose include for modular configurations

Keep configurations DRY! The include directive enables modular, reusable Compose setups.

Basic include usage

Split configurations into logical modules:

```yaml
# compose.yml
include:
  - path: ./services/database.yml
  - path: ./services/cache.yml
  - path: ./services/monitoring.yml

services:
  app:
    image: myapp:latest
    depends_on:
      - postgres
      - redis
```

```yaml
# services/database.yml
services:
  postgres:
    image: postgres:15
    volumes:
      - postgres_data:/var/lib/postgresql/data

volumes:
  postgres_data:
```

Project-wide organization

Structure complex projects:

```
project/
├── compose.yml           # Main entry point
├── common/
│   ├── networks.yml      # Shared networks
│   └── volumes.yml       # Shared volumes
├── services/
│   ├── frontend.yml      # Frontend services
│   ├── backend.yml       # Backend services
│   └── database.yml      # Data layer
└── environments/
    ├── dev.yml           # Development overrides
    └── prod.yml          # Production config
```

```yaml
# compose.yml
include:
  - path: ./common/networks.yml
  - path: ./common/volumes.yml
  - path: ./services/frontend.yml
  - path: ./services/backend.yml
  - path: ./services/database.yml
  - path: ${COMPOSE_ENV:-./environments/dev.yml}
```

Conditional includes

Include files based on environment: ...

February 13, 2026 · 3 min · 484 words · Guillaume Lours

Docker Compose Tip #29: Container capabilities and security options

Secure containers with the principle of least privilege! Control exactly what your containers can do.

Understanding capabilities

Linux capabilities break down root privileges into distinct units:

```yaml
services:
  # Drop all capabilities, then add only what's needed
  secure-app:
    image: myapp
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE  # Bind to ports < 1024
      - CHOWN             # Change file ownership

  # Default Docker capabilities (for reference)
  default-app:
    image: myapp
    # Implicitly has: CHOWN, DAC_OVERRIDE, FSETID, FOWNER,
    # MKNOD, NET_RAW, SETGID, SETUID, SETFCAP, SETPCAP,
    # NET_BIND_SERVICE, SYS_CHROOT, KILL, AUDIT_WRITE
```

Common capability patterns

Web server (needs port 80/443): ...

February 12, 2026 · 3 min · 524 words · Guillaume Lours

Docker Compose Tip #28: Converting docker run commands to Compose

Stop managing long docker run commands! Convert them to maintainable Compose files.

Basic conversions

Common flag mappings:

```bash
# Docker run command
docker run -d \
  --name myapp \
  -p 3000:3000 \
  -e NODE_ENV=production \
  -e API_KEY=secret123 \
  -v $(pwd)/data:/app/data \
  -v /var/run/docker.sock:/var/run/docker.sock \
  --restart unless-stopped \
  myapp:latest
```

Becomes:

```yaml
services:
  myapp:
    image: myapp:latest
    container_name: myapp
    ports:
      - "3000:3000"
    environment:
      NODE_ENV: production
      API_KEY: secret123
    volumes:
      - ./data:/app/data
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
```

Network configurations

```bash
# Host network
docker run --network host nginx

# Custom network
docker run --network mynet --ip 172.20.0.5 app

# Network alias
docker run --network mynet --network-alias db postgres
```

Compose equivalent: ...

February 11, 2026 · 3 min · 508 words · Guillaume Lours

Docker Compose Tip #27: Extension fields as metadata for tools and platforms

Extension fields aren’t just for YAML reusability - they’re powerful metadata carriers that tools can leverage for platform-specific configurations!

Extension fields as metadata

Any key starting with x- is ignored by Compose but preserved in the configuration:

```yaml
# Top-level metadata
x-project-version: "2.1.0"
x-team: "platform-engineering"
x-environment: "production"
x-region: "us-east-1"

services:
  api:
    image: myapi:latest
    # Service-level metadata
    x-tier: "frontend"
    x-cost-center: "engineering"
    x-sla: "99.9"
    x-owner: "api-team@company.com"
```

Compose Bridge and Kubernetes integration

Extension fields can provide hints for Kubernetes deployment: ...

February 10, 2026 · 3 min · 470 words · Guillaume Lours

Docker Compose Tip #26: Using restart policies effectively

Keep your services running! Restart policies ensure containers recover from crashes automatically.

Available restart policies

Docker Compose offers four restart options:

```yaml
services:
  # Never restart (default)
  dev-tool:
    image: debug-tools
    restart: "no"

  # Restart only on failure (non-zero exit)
  api:
    image: api:latest
    restart: on-failure

  # Always restart unless manually stopped
  web:
    image: nginx
    restart: unless-stopped

  # Always restart, even after Docker daemon restarts
  database:
    image: postgres:15
    restart: always
```

Choosing the right policy

Development services: ...

February 9, 2026 · 2 min · 346 words · Guillaume Lours