A collection of reusable Dockerfile patterns for common infrastructure and service setups.
System metrics collection daemon (collectd v5.7.1) compiled from source. Non-trivial patterns:
- Source builds of the full dependency chain -- protobuf-c and riemann-c-client compiled from upstream tarballs before collectd itself
- Custom `rootfs_prefix` LD_PRELOAD module prefixes `/proc` and `/sys` paths -- lets containerized collectd monitor the host filesystem
- Pinned apt versions for every build dependency for reproducible builds
- Build-toolchain purge removes `build-essential` and apt lists in the final layer
Containerized elasticdump for backing up and restoring Elasticsearch indices. Non-trivial patterns:
- Version-locked toolchain -- pinned node.js and `elasticdump@2.4.2` for reproducible backups
- PPA-sourced node.js via `apt-add-repository` on the legacy base
- ENTRYPOINT as a CLI wrapper so the image runs as the `elasticdump` binary directly
Riemann event stream processor on a minimal busybox+java base. Non-trivial patterns:
- HTTPS workaround on busybox -- busybox `wget` can't do TLS, so a static `curl` binary is dropped in to fetch the release
- Pinned curl and Riemann versions via build-time `ENV`
- Shell compatibility patch rewrites the launcher's `env bash` to `env sh`
- Listen-on-all-interfaces patch rewrites the default config from `127.0.0.1` to `0.0.0.0`
Etsy StatsD v0.8.0 metrics aggregation daemon. Non-trivial patterns:
- Version-pinned release fetched via `ADD` from a tagged GitHub tarball
- Pinned node.js from NodeSource, with `curl` purged after setup to slim the image
- Externalized config -- `config.js` copied in and passed to the daemon for easy overrides
- Default UDP listener on `8125/udp`
Modern Python microservice base image using uv for fast package management. Non-trivial patterns:
- uv from ghcr.io -- copied as a static binary, no pip install step needed
- Non-root user with explicit UID/GID (k8s `runAsNonRoot` compatible)
- BuildKit cache mount (`--mount=type=cache`) to persist pip/uv cache across builds
- Multi-arch AWS CLI install that auto-detects amd64 vs arm64
- Container-tuned Python env (`PYTHONDONTWRITEBYTECODE`, `PYTHONUNBUFFERED`)
Two-stage Python build focused on supply-chain security. Non-trivial patterns:
- pip-compile --generate-hashes locks every dependency with cryptographic checksums, protecting against tampered or typosquatted packages
- Multi-stage build keeps compilers (gcc, g++) out of the final image
- HEALTHCHECK directive for orchestrator liveness/readiness probes
- ENTRYPOINT + CMD split for flexible runtime overrides
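An added example (written here, not one of the collection's own Dockerfiles) showing how those four patterns fit together in one file; the module `app.server`, the `/healthz` endpoint, port 8000 and the UID 10001 are assumed names for illustration:

```dockerfile
# syntax=docker/dockerfile:1
# --- Stage 1: builder. Has gcc/g++ for wheels that need compiling; never shipped. ---
FROM python:3.12-slim AS builder
RUN apt-get update \
    && apt-get install -y --no-install-recommends gcc g++ \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /build
# requirements.txt was generated beforehand with:
#   pip-compile --generate-hashes requirements.in
# so every pinned package carries one or more sha256 hashes.
COPY requirements.txt .
# --require-hashes makes pip refuse any artifact whose hash does not match
# and any dependency that is not pinned with a hash.
RUN python -m venv /opt/venv \
    && /opt/venv/bin/pip install --no-cache-dir --require-hashes -r requirements.txt

# --- Stage 2: runtime. Only the populated venv is copied over; no compilers. ---
FROM python:3.12-slim
RUN useradd --uid 10001 --no-create-home app   # assumed UID
COPY --from=builder /opt/venv /opt/venv
WORKDIR /app
COPY app/ ./app/                                # assumed application package
ENV PATH="/opt/venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1
USER 10001
EXPOSE 8000
# Orchestrator liveness probe: non-200 (or a connection error) exits non-zero.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=2)"
# ENTRYPOINT fixes the program; CMD holds default arguments that
# `docker run <image> --port 9000` can override without touching the entrypoint.
ENTRYPOINT ["python", "-m", "app.server"]
CMD ["--port", "8000"]
```

Because the hashes are checked at image build time, a tampered or typosquatted package fails the build rather than reaching the runtime stage.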
Three-stage build that compiles nginx dynamic modules from source and bundles a React (or Next.js/Vite) frontend. Non-trivial patterns:
- Official nginx pkg-oss build system for compiling modules (headers-more, geoip2, etc.)
- SHA-512 integrity check on downloaded build scripts
- Parameterized modules via `ENABLED_MODULES` build arg
- Clean final image -- only the compiled `.so` and static assets, no build toolchain
Jenkins CI/CD image pre-loaded with Docker CLI, Ansible, and AWS CLI. Non-trivial patterns:
- Docker CLI via socket mount (not Docker-in-Docker) -- build images in pipelines by mounting `/var/run/docker.sock`
- Setup wizard skip for headless/automated provisioning
- Plugin pinning from a text file for reproducible Jenkins setups