name docker-patterns description Docker and Docker Compose patterns for local development, container security, networking, volume strategies, and multi-service orchestration. Use when setting up containerized development environments or reviewing Docker configurations. metadata {"origin":"ECC"} Docker Patterns Docker and Docker Compose best practices for containerized development. When to Activate Setting up Docker Compose for local development Designing multi-container architectures Troubleshooting container networking or volume issues Reviewing Dockerfiles for security and size Migrating from local dev to containerized workflow Docker Compose for Local Development Standard Web App Stack

docker-compose.yml

services: app: build: context: . target: dev

Use dev stage of multi-stage Dockerfile

ports:

"3000:3000" volumes:

.:/app

Bind mount for hot reload

docker-compose.yml

services: app: build: context: . target: dev

Use dev stage of multi-stage Dockerfile

ports:

"3000:3000" volumes:

.:/app

Docker Patterns

docker-compose.yml

Use dev stage of multi-stage Dockerfile

ports:

"3000:3000" volumes:

Bind mount for hot reload

Docker Patterns

docker-compose.yml

Use dev stage of multi-stage Dockerfile

ports:

"3000:3000" volumes:

Bind mount for hot reload

Anonymous volume -- preserves container deps

environment:

DATABASE_URL=postgres://postgres:postgres@db:5432/app_dev

REDIS_URL=redis://redis:6379/0

NODE_ENV=development depends_on: db: condition: service_healthy redis: condition: service_started command: npm run dev db: image: postgres:16-alpine ports:

"5432:5432" environment: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres POSTGRES_DB: app_dev volumes:

pgdata:/var/lib/postgresql/data

./scripts/init-db.sql:/docker-entrypoint-initdb.d/init.sql healthcheck: test: [ "CMD-SHELL" , "pg_isready -U postgres" ] interval: 5s timeout: 3s retries: 5 redis: image: redis:7-alpine ports:

"6379:6379" volumes:

Local email testing

image: axllent/mailpit ports:

Web UI

SMTP

Stage: dependencies

Stage: dev (hot reload, debug tools)

Stage: build

Stage: production (minimal image)

docker-compose.override.yml (auto-loaded, dev-only settings)

services: app: environment:

DEBUG=app:*

LOG_LEVEL=debug ports:

Node.js debugger

docker-compose.prod.yml (explicit for production)

Development (auto-loads override)

Production

From "app" container:

postgres://postgres:postgres@db:5432/app_dev # "db" resolves to the db container redis://redis:6379/0 # "redis" resolves to the redis container Custom Networks services: frontend: networks:

frontend-net api: networks:

frontend-net

backend-net db: networks:

Only reachable from api, not frontend

networks: frontend-net: backend-net: Exposing Only What's Needed services: db: ports:

Only accessible from host, not network

Omit ports entirely in production -- accessible only within Docker network

Named volume: persists across container restarts, managed by Docker

Bind mount: maps host directory into container (for development)

- ./src:/app/src

Anonymous volume: preserves container-generated content from bind mount override

- /app/node_modules

Common Patterns services: app: volumes:

Source code (bind mount for hot reload)

Protect container's node_modules from host

Protect build cache

db: volumes:

Persistent data

Init scripts

1. Use specific tags (never :latest)

2. Run as non-root

3. Drop capabilities (in compose)

4. Read-only root filesystem where possible

5. No secrets in image layers

Compose Security services: app: security_opt:

no -new-privileges:true read_only: true tmpfs:

/tmp

/app/.cache cap_drop:

ALL cap_add:

Only if binding to ports < 1024

GOOD: Use environment variables (injected at runtime)

services: app: env_file:

Never commit .env to git

environment:

Inherits from host environment

GOOD: Docker secrets (Swarm mode)

secrets: db_password: file: ./secrets/db_password.txt services: db: secrets:

BAD: Hardcoded in image

ENV API_KEY=sk-proj-xxxxx # NEVER DO THIS

View logs

Follow app logs