Claude Code correction guide. Updated January 2026.
```bash
# Docker Engine 27.x (APT method - recommended)
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list
sudo apt-get update && sudo apt-get install docker-ce docker-ce-cli containerd.io
```

- Uses ADD instead of COPY - ADD has implicit tar extraction and URL fetching
- Runs as root by default - Must specify non-root USER
- Combines unrelated RUN commands - Busts cache unnecessarily
- Uses `latest` base image - Pin specific versions
- Installs unnecessary packages - Increases attack surface
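```dockerfile
# Multi-stage build with security best practices
FROM node:22-alpine AS builder
WORKDIR /app
# Copy package files first (layer caching)
COPY package*.json ./
# Install all dependencies: build tools usually live in devDependencies
RUN npm ci
COPY . .
# Build, then drop devDependencies so only production modules are copied on
RUN npm run build && npm prune --omit=dev
# Production stage with distroless
# (an untagged reference resolves to :latest; pin by digest for reproducible builds)
FROM gcr.io/distroless/nodejs22-debian12
WORKDIR /app
# Use non-root user
USER nonroot:nonroot
COPY --from=builder --chown=nonroot:nonroot /app/dist ./dist
COPY --from=builder --chown=nonroot:nonroot /app/node_modules ./node_modules
EXPOSE 8080
# The distroless nodejs entrypoint is node, so CMD only names the script
CMD ["dist/index.js"]
```

- Docker 27.x: BuildKit default, classic builder deprecated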
- Docker 27.3+: OCI image spec 1.1 support
- Rocky Linux: Use overlay2 storage driver (default)
- With SELinux: Use :Z suffix for volume mounts
- Do NOT use ADD when COPY suffices - security risk
- Do NOT run as root without justification
- Do NOT put secrets in build args or layers
- Do NOT use `latest` tag in FROM
- Do NOT skip multi-stage builds - bloated images
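
Several of the rules above can be checked mechanically before an image is built. The linter below is an added example, not part of the original guide; the function names, rule names and the sample Dockerfile are constructed for illustration, and it only inspects the instruction that starts each line.

```python
import re

# Constructed sample: a Dockerfile with the mistakes listed above.
SAMPLE_BAD = """\
FROM node:latest
ARG NPM_TOKEN
ADD . /app
RUN npm install
CMD ["node", "/app/index.js"]
"""

SECRET_NAME = re.compile(r"TOKEN|SECRET|PASSW|API_?KEY|CREDENTIAL", re.I)

def unpinned(image):
    """True if the reference has no tag/digest or uses :latest."""
    if "@" in image:                      # pinned by digest
        return False
    # Only the last path component can carry a tag (registry ports also use ':').
    _, sep, tag = image.rsplit("/", 1)[-1].partition(":")
    return not sep or tag == "latest"

def lint_dockerfile(text):
    """Return (line_no, rule) findings; continuation lines are not parsed."""
    findings, stages = [], set()
    from_line, user = 0, None             # state of the current (last) stage
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        op = parts[0].upper()
        args = [a for a in parts[1:] if not a.startswith("--")]  # drop flags
        if op == "FROM" and args:
            image = args[0]
            if image.lower() not in stages and image != "scratch" and unpinned(image):
                findings.append((no, "unpinned-base"))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
            from_line, user = no, None    # a new stage resets USER
        elif op == "ADD":
            findings.append((no, "add-instead-of-copy"))
        elif op in ("ARG", "ENV") and args and SECRET_NAME.search(args[0].split("=")[0]):
            findings.append((no, "secret-in-build"))
        elif op == "USER" and args:
            user = args[0].split(":")[0]
    # The base image may already set a non-root user; the linter cannot see that.
    if from_line and user in (None, "root", "0"):
        findings.append((from_line, "runs-as-root"))
    return findings
```

A finding of `runs-as-root` is reported against the final `FROM` line, since only the last stage determines the user the container runs as.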