@@ -63,6 +63,13 @@ replaced by the new hardened image.
6363
6464### Step 2: Update the runtime image in your Dockerfile
6565
66+ > [ !NOTE]
67+ >
68+ > Using a multi-stage build is not strictly required, but it is highly
69+ > recommended to ensure that your final image is as minimal and secure as
70+ > possible. ` dev ` variant images have near-zero known CVEs, but they have
71+ > a larger attack surface than runtime images.
72+
6673To ensure that your final image is as minimal as possible, you should use a
6774[ multi-stage build] ( /manuals/build/building/multi-stage.md ) . All stages in your
6875Dockerfile should use a hardened image. While intermediary stages will typically
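Review bot: The new note in Step 2 says a multi-stage build is "not strictly required", and the unchanged paragraph directly below it says "you should use a multi-stage build", so the reader gets two competing instructions back to back. Consider folding the note into that paragraph, or moving it below, so the recommendation comes first and the exception second. The note also asserts that `dev` variants have "a larger attack surface than runtime images" without saying what the extra surface is. One clause naming what the `dev` variant adds, or a link to the variant documentation, would let readers judge the trade-off instead of taking it on faith.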
@@ -78,7 +85,9 @@ examples of how to update your Dockerfile.
7885## Example Dockerfile migrations
7986
8087The following migration examples show a Dockerfile before the migration and
81- after the migration.
88+ after the migration. The examples include both multi-stage and single-stage
89+ builds. While multi-stage builds are recommended, single-stage builds are also
90+ supported.
8291
8392### Go example
8493
@@ -98,7 +107,7 @@ ENTRYPOINT ["/app/main"]
98107```
99108
100109{{< /tab >}}
101- {{< tab name="After" >}}
110+ {{< tab name="After (multi-stage) " >}}
102111
103112``` dockerfile
104113# syntax=docker/dockerfile:1
@@ -118,6 +127,30 @@ COPY --from=builder /app/main /app/main
118127
119128ENTRYPOINT ["/app/main" ]
120129```
130+
131+ {{< /tab >}}
132+ {{< tab name="After (single-stage)" >}}
133+
134+ > [ !NOTE]
135+ >
136+ > Using a multi-stage build is not strictly required, but it is highly
137+ > recommended to ensure that your final image is as minimal and secure as
138+ > possible. ` dev ` variant images have near-zero known CVEs, but they have
139+ > a larger attack surface than runtime images.
140+
141+
142+ ``` dockerfile
143+ # syntax=docker/dockerfile:1
144+
145+ FROM <your-namespace>/dhi-golang:1-alpine3.21-dev
146+
147+ WORKDIR /app
148+ ADD . ./
149+ RUN CGO_ENABLED=0 GOOS=linux go build -a -ldflags="-s -w" --installsuffix cgo -o main .
150+
151+ ENTRYPOINT ["/app/main" ]
152+ ```
153+
121154{{< /tab >}}
122155{{< /tabs >}}
123156
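Review bot: In the single-stage Go tab, `ADD . ./` places the entire build context in what is now the final image, so the source tree ships next to the compiled binary on top of the `-dev` toolchain. Prefer `COPY` over `ADD` for local files here, and mention a `.dockerignore` so credentials or VCS metadata in the context do not end up in the published image. The `-ldflags="-s -w"` stripping carried over from the multi-stage example shrinks the binary but does nothing for image size in this layout, which is worth a sentence so readers do not assume otherwise. Separately, this NOTE block is identical to the one added in Step 2 and is pasted again in the Node.js and Python tabs. A shared include, like the `gordondhi.md` include already used on this page, would keep the four copies from drifting, and the doubled blank line after the note can go.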
@@ -142,7 +175,7 @@ CMD ["node", "index.js"]
142175```
143176
144177{{< /tab >}}
145- {{< tab name="After" >}}
178+ {{< tab name="After (multi-stage) " >}}
146179
147180``` dockerfile
148181# syntax=docker/dockerfile:1
@@ -167,6 +200,33 @@ WORKDIR /app
167200
168201CMD ["index.js" ]
169202```
203+
204+ {{< /tab >}}
205+ {{< tab name="After (single-stage)" >}}
206+
207+ > [ !NOTE]
208+ >
209+ > Using a multi-stage build is not strictly required, but it is highly
210+ > recommended to ensure that your final image is as minimal and secure as
211+ > possible. ` dev ` variant images have near-zero known CVEs, but they have
212+ > a larger attack surface than runtime images.
213+
214+
215+ ``` dockerfile
216+ # syntax=docker/dockerfile:1
217+
218+ FROM <your-namespace>/dhi-node:23-alpine3.21-dev
219+ WORKDIR /usr/src/app
220+
221+ COPY package*.json ./
222+ RUN npm install
223+
224+ COPY image.jpg ./image.jpg
225+ COPY . .
226+
227+ CMD ["index.js" ]
228+ ```
229+
170230{{< /tab >}}
171231{{< /tabs >}}
172232
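Review bot: In the single-stage Node.js tab, `RUN npm install` resolves versions at build time and installs devDependencies, and with no second stage all of that stays in the final image. Since `COPY package*.json ./` already brings in the lockfile when there is one, `npm ci --omit=dev` would be the safer default for an example that ships what it builds. `COPY image.jpg ./image.jpg` is redundant because the following `COPY . .` copies the same file. Also confirm that `CMD ["index.js"]` works on the `-dev` tag: the "Before" example uses `CMD ["node", "index.js"]`, so this form depends on the image supplying `node` as its entrypoint, and the page does not state that the `-dev` variant does. Finally, this tab uses `WORKDIR /usr/src/app` while the multi-stage context above shows `WORKDIR /app`, so pick one so the tabs compare cleanly.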
@@ -206,7 +266,7 @@ ENTRYPOINT [ "python", "/app/image.py" ]
206266```
207267
208268{{< /tab >}}
209- {{< tab name="After" >}}
269+ {{< tab name="After (multi-stage) " >}}
210270
211271``` dockerfile
212272# syntax=docker/dockerfile:1
@@ -240,12 +300,43 @@ COPY --from=builder /app/venv /app/venv
240300ENTRYPOINT [ "python" , "/app/image.py" ]
241301```
242302
303+ {{< /tab >}}
304+ {{< tab name="After (single-stage)" >}}
305+
306+ > [ !NOTE]
307+ >
308+ > Using a multi-stage build is not strictly required, but it is highly
309+ > recommended to ensure that your final image is as minimal and secure as
310+ > possible. ` dev ` variant images have near-zero known CVEs, but they have
311+ > a larger attack surface than runtime images.
312+
313+
314+ ``` dockerfile
315+ # syntax=docker/dockerfile:1
316+
317+ FROM <your-namespace>/dhi-python:3.13-alpine3.21-dev
318+
319+ ENV LANG=C.UTF-8
320+ ENV PYTHONDONTWRITEBYTECODE=1
321+ ENV PYTHONUNBUFFERED=1
322+
323+ WORKDIR /app
324+
325+ COPY requirements.txt .
326+ RUN pip install --no-cache-dir -r requirements.txt
327+
328+ COPY image.py image.png ./
329+
330+ ENTRYPOINT [ "python" , "/app/image.py" ]
331+ ```
332+
243333{{< /tab >}}
244334{{< /tabs >}}
245335
246336### Use Gordon
247337
248- Alternatively, you can request assistance to
249- [ Gordon] ( /manuals/ai/gordon/_index.md ) , Docker's AI-powered assistant, to migrate your Dockerfile:
338+ Alternatively, you can request assistance to
339+ [ Gordon] ( /manuals/ai/gordon/_index.md ) , Docker's AI-powered assistant, to
340+ migrate your Dockerfile:
250341
251342{{% include "gordondhi.md" %}}
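Review bot: The single-stage Python tab runs `pip install --no-cache-dir -r requirements.txt` straight into the image's Python environment, while the multi-stage example in the hunk context copies a virtual environment from `/app/venv`. A reader switching tabs will not know whether the venv is needed, so either keep the venv in both variants or add a line explaining why it is dropped here. On the Gordon paragraph at the end of this hunk: since the sentence is being rewrapped anyway, fix "request assistance to [Gordon]", which should read along the lines of "ask [Gordon] ... for help migrating your Dockerfile".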