BudiBadu Logo

Samplebadu

Code with Example
BudiBadu Logo
Samplebadu

Dockerfile by Example: Base Image Selection

Docker Engine 20.10+

The FROM instruction initializes a new build stage and sets the Base Image for subsequent instructions. This sample code demonstrates how to choose specific versions, digests, and minimal images.

Code

# 1. Use a specific version tag for reproducibility
# Avoid using 'latest' in production
FROM node:18.16.0-alpine

# 2. Use a digest for immutable builds (maximum security)
# This ensures you get the exact same image bits every time
FROM python@sha256:a875e5...

# 3. Use 'scratch' for minimal binaries (e.g., Go, Rust)
# Scratch is an empty image, perfect for static binaries
FROM scratch

Explanation

Every Dockerfile must start with a FROM instruction (except for global ARGs), which specifies the parent image from which you are building. The choice of base image significantly impacts the security, size, and reproducibility of the final container. While the latest tag is convenient, it is mutable and refers to the last image pushed without a specific tag, leading to potential inconsistencies across builds when the upstream image changes.

Image identification methods include:

  • Specific version tags like node:18.16.0 ensure consistent builds by pinning to a release
  • Image digests using SHA-256 hashes provide cryptographic immutability guarantees
  • The scratch image is an explicitly empty image with no filesystem or OS
  • Alpine variants use musl libc instead of glibc for reduced image footprint

For high-security environments, using an image digest (e.g., python@sha256:...) is the only way to guarantee that the base image content is exactly what you expect, preventing supply chain attacks where a tag is maliciously updated. The scratch image serves as a starting point for building extremely minimal images, containing absolutely nothing—no shell, no libraries, and no users—making it ideal for statically compiled binaries like those from Go or Rust.

Code Breakdown

3
FROM node:18.16.0-alpine selects a specific Node.js version on Alpine Linux.
7
FROM python@sha256:... pins the image to a specific hash for immutability.
11
FROM scratch starts with a completely empty filesystem.
1-2
Comments explain the strategy behind each base image selection type.
Layer Caching Strategy