Intermediate

Choose the right networking mode for your containers. Understand when isolation matters and when performance is key. Bridge mode (default) The default and most secure option - containers get their own network namespace: services: web: image: nginx ports: - "8080:80" # Port mapping required networks: - app_network db: image: postgres:15 networks: - app_network networks: app_network: driver: bridge Containers can communicate using service names (web, db) within the network. ...

Give your containers time to clean up. Configure grace periods to ensure database connections close, transactions complete, and data saves properly. The problem By default, Docker gives containers 10 seconds to stop before forcefully killing them: services: app: image: myapp:latest # Container gets SIGTERM, then SIGKILL after 10s This can interrupt long-running operations and corrupt data. The solution Use stop_grace_period to extend shutdown time: services: worker: image: myworker:latest stop_grace_period: 2m # 2 minutes to finish current job stop_signal: SIGTERM # Signal to send first (default) Real-world examples Different services need different grace periods: ...

Stop copy-pasting the same configuration. YAML anchors let you define once and reuse everywhere in your Compose files. The basics Define an anchor with & and reference it with *: services: web: &default-app image: myapp:latest environment: NODE_ENV: production LOG_LEVEL: info networks: - app-network worker: <<: *default-app # Inherit all settings from web command: npm run worker The worker service inherits everything from web, then overrides the command. ...

Prevent containers from consuming all available resources. Set CPU and memory limits to ensure stable multi-service deployments. The basics Resource limits protect your system from runaway containers: services: api: image: node:20 deploy: resources: limits: cpus: '0.5' # Half a CPU core memory: 512M # 512 megabytes reservations: cpus: '0.25' # Minimum guaranteed memory: 256M The container can use up to 512MB memory and 50% of one CPU core. ...

Running containers as root is a security risk. Configure your services to use non-root users for defense in depth. The problem By default, many containers run as root: services: app: image: nginx # Runs as root user (uid 0) - security risk! If compromised, attackers have root privileges inside the container. The solution Set the user in compose.yml: services: app: image: node:20 user: "1000:1000" # Run as uid:gid 1000 working_dir: /app volumes: - ./app:/app Or use the image’s built-in user: ...