28 KiB
28 KiB
Docker-Guidelines für das Meldestelle-Projekt
Version: 1.1 Datum: 16. August 2025 Autor: Meldestelle Development Team Letzte Aktualisierung: Erweitert und optimiert basierend auf aktueller Implementierung
🚀 Überblick und Philosophie
Das Meldestelle-Projekt implementiert eine moderne, sicherheitsorientierte Containerisierungsstrategie basierend auf bewährten DevOps-Praktiken und Production-Ready-Standards. Unsere Docker-Architektur ist darauf ausgelegt:
- Sicherheit first: Alle Container laufen als Non-Root-User
- Optimale Performance: Multi-stage Builds mit Layer-Caching
- Observability: Umfassendes Monitoring und Health-Checks
- Skalierbarkeit: Microservices-ready mit Service Discovery
- Wartbarkeit: Standardisierte Templates und klare Konventionen
📋 Inhaltsverzeichnis
- Architektur-Überblick
- Dockerfile-Standards
- Docker-Compose Organisation
- Development-Workflow
- Production-Deployment
- Monitoring und Observability
- Troubleshooting
- Best Practices
🏗️ Architektur-Überblick
Container-Kategorien
graph TB
subgraph "Infrastructure Services"
PG[PostgreSQL]
RD[Redis]
KC[Keycloak]
KF[Kafka+Zookeeper]
CS[Consul]
end
subgraph "Application Services"
GW[API Gateway]
AS[Auth Server]
MS[Monitoring Server]
PS[Ping Service]
end
subgraph "Client Applications"
WA[Web App]
DA[Desktop App - Native]
end
subgraph "Monitoring Stack"
PR[Prometheus]
GR[Grafana]
ZK[Zipkin]
NX[Nginx - Prod]
end
Infrastructure --> Application
Application --> Client
Monitoring --> Infrastructure
Monitoring --> Application
Service-Ports Matrix
| Service | Development | Production | Health Check | Debug Port |
|---|---|---|---|---|
| PostgreSQL | 5432 | Internal | pg_isready -U meldestelle -d meldestelle | - |
| Redis | 6379 | Internal | redis-cli ping | - |
| Keycloak | 8180 | 8443 (HTTPS) | /health/ready | - |
| Kafka | 9092 | Internal | kafka-topics --bootstrap-server localhost:9092 --list | - |
| Zookeeper | 2181 | Internal | nc -z localhost 2181 | - |
| Zipkin | 9411 | Internal | /health | - |
| Consul | 8500 | Internal | /v1/status/leader | - |
| Auth Server | 8081 | Internal | /actuator/health/readiness | 5005 |
| Ping Service | 8082 | Internal | /actuator/health/readiness | 5005 |
| Monitoring Server | 8083 | Internal | /actuator/health/readiness | 5005 |
| Prometheus | 9090 | Internal | /-/healthy | - |
| Grafana | 3000 | 3443 (HTTPS) | /api/health | - |
| Nginx | - | 80/443 | /health | - |
🐳 Dockerfile-Standards
Template-Struktur
Alle Dockerfiles folgen einem standardisierten Template-System:
dockerfiles/
├── templates/
│ ├── spring-boot-service.Dockerfile # Backend-Services
│ ├── kotlin-multiplatform-web.Dockerfile # Web-Client
│ └── monitoring-service.Dockerfile # Monitoring-Services
├── infrastructure/
│ ├── gateway/Dockerfile # ✅ API Gateway
│ ├── auth-server/Dockerfile # Auth Server
│ └── monitoring-server/Dockerfile # Monitoring Server
└── services/
├── members-service/Dockerfile # Domain Services (wenn reaktiviert)
├── horses-service/Dockerfile
├── events-service/Dockerfile
└── masterdata-service/Dockerfile
Spring Boot Service Template
Datei: dockerfiles/templates/spring-boot-service.Dockerfile
# syntax=docker/dockerfile:1.8
# ===================================================================
# Multi-stage Dockerfile Template for Spring Boot Services
# Features: Security hardening, monitoring support, optimal caching, BuildKit cache mounts
# ===================================================================
# Build arguments for flexibility
ARG GRADLE_VERSION=8.14
ARG JAVA_VERSION=21
ARG SPRING_PROFILES_ACTIVE=default
ARG SERVICE_PATH=.
ARG SERVICE_NAME=spring-boot-service
ARG SERVICE_PORT=8080
# ===================================================================
# Build Stage
# ===================================================================
FROM gradle:${GRADLE_VERSION}-jdk${JAVA_VERSION}-alpine AS builder
# Re-declare build arguments for this stage
ARG SERVICE_PATH=.
ARG SERVICE_NAME=spring-boot-service
ARG SERVICE_PORT=8080
ARG SPRING_PROFILES_ACTIVE=default
LABEL stage=builder
LABEL service="${SERVICE_NAME}"
LABEL maintainer="Meldestelle Development Team"
WORKDIR /workspace
# Gradle optimizations for containerized builds
ENV GRADLE_OPTS="-Dorg.gradle.caching=true \
-Dorg.gradle.daemon=false \
-Dorg.gradle.parallel=true \
-Dorg.gradle.configureondemand=true \
-Xmx2g"
# Copy gradle wrapper and configuration files first for optimal caching
COPY gradlew gradlew.bat gradle.properties settings.gradle.kts ./
COPY gradle/ gradle/
# Copy platform dependencies (changes less frequently)
COPY platform/ platform/
# Copy root build configuration
COPY build.gradle.kts ./
# Copy service-specific files last (changes most frequently)
COPY ${SERVICE_PATH}/build.gradle.kts ${SERVICE_PATH}/
COPY ${SERVICE_PATH}/src/ ${SERVICE_PATH}/src/
# Download and cache dependencies with BuildKit cache mount
RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
--mount=type=cache,target=/home/gradle/.gradle/wrapper \
./gradlew :${SERVICE_NAME}:dependencies --no-daemon --info
# Build the application with optimizations and build cache
RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
--mount=type=cache,target=/home/gradle/.gradle/wrapper \
./gradlew :${SERVICE_NAME}:bootJar --no-daemon --info \
-Pspring.profiles.active=${SPRING_PROFILES_ACTIVE}
# ===================================================================
# Runtime Stage
# ===================================================================
FROM eclipse-temurin:${JAVA_VERSION}-jre-alpine AS runtime
# Build arguments for runtime stage
ARG BUILD_DATE
ARG SPRING_PROFILES_ACTIVE=default
ARG SERVICE_NAME=spring-boot-service
ARG SERVICE_PORT=8080
# Enhanced metadata
LABEL service="${SERVICE_NAME}" \
version="1.0.0" \
description="Containerized Spring Boot microservice" \
maintainer="Meldestelle Development Team" \
java.version="${JAVA_VERSION}" \
spring.profiles.active="${SPRING_PROFILES_ACTIVE}" \
build.date="${BUILD_DATE}"
# Build arguments for user configuration
ARG APP_USER=appuser
ARG APP_GROUP=appgroup
ARG APP_UID=1001
ARG APP_GID=1001
WORKDIR /app
# Update Alpine packages, install tools, create user and directories in one layer
RUN apk update && \
apk upgrade && \
apk add --no-cache \
curl \
tzdata && \
rm -rf /var/cache/apk/* && \
addgroup -g ${APP_GID} -S ${APP_GROUP} && \
adduser -u ${APP_UID} -S ${APP_USER} -G ${APP_GROUP} -h /app -s /bin/sh && \
mkdir -p /app/logs /app/tmp && \
chown -R ${APP_USER}:${APP_GROUP} /app
# Copy the built JAR from builder stage with proper ownership
COPY --from=builder --chown=${APP_USER}:${APP_GROUP} \
/workspace/${SERVICE_PATH}/build/libs/*.jar app.jar
# Switch to non-root user
USER ${APP_USER}
# Expose application port and debug port
EXPOSE ${SERVICE_PORT} 5005
# Enhanced health check with better configuration
HEALTHCHECK --interval=15s --timeout=3s --start-period=40s --retries=3 \
CMD curl -fsS --max-time 2 http://localhost:${SERVICE_PORT}/actuator/health/readiness || exit 1
# Optimized JVM settings for Spring Boot 3.x with Java 21 and monitoring support
ENV JAVA_OPTS="-XX:MaxRAMPercentage=80.0 \
-XX:+UseG1GC \
-XX:+UseStringDeduplication \
-XX:+UseContainerSupport \
-Djava.security.egd=file:/dev/./urandom \
-Djava.awt.headless=true \
-Dfile.encoding=UTF-8 \
-Duser.timezone=Europe/Vienna \
-Dmanagement.endpoints.web.exposure.include=health,info,metrics,prometheus \
-Dmanagement.endpoint.health.show-details=always \
-Dmanagement.metrics.export.prometheus.enabled=true"
# Spring Boot configuration
ENV SPRING_OUTPUT_ANSI_ENABLED=ALWAYS \
SPRING_PROFILES_ACTIVE=${SPRING_PROFILES_ACTIVE} \
SERVER_PORT=${SERVICE_PORT} \
LOGGING_LEVEL_ROOT=INFO
# Enhanced entrypoint with conditional debug support and better logging
ENTRYPOINT ["sh", "-c", "\
echo 'Starting ${SERVICE_NAME} with Java ${JAVA_VERSION}...'; \
echo 'Active Spring profiles: ${SPRING_PROFILES_ACTIVE}'; \
if [ \"${DEBUG:-false}\" = \"true\" ]; then \
echo 'DEBUG mode enabled - remote debugging available on port 5005'; \
exec java ${JAVA_OPTS} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar; \
else \
echo 'Starting application in production mode'; \
exec java ${JAVA_OPTS} -jar app.jar; \
fi"]
Web-Client Template
Datei: dockerfiles/templates/kotlin-multiplatform-web.Dockerfile
# ===================================================================
# Multi-stage Dockerfile for Kotlin Multiplatform Web Client
# ===================================================================
# ===================================================================
# Build Stage - Kotlin/JS Compilation
# ===================================================================
FROM gradle:8.14-jdk21-alpine AS kotlin-builder
WORKDIR /workspace
# Copy build configuration
COPY gradlew gradlew.bat gradle.properties settings.gradle.kts ./
COPY gradle/ gradle/
COPY build.gradle.kts ./
# Copy client modules
COPY client/ client/
COPY platform/ platform/
# Build web application
RUN ./gradlew :client:web-app:jsBrowserProductionWebpack --no-daemon
# ===================================================================
# Production Stage - Nginx serving
# ===================================================================
FROM nginx:alpine AS runtime
# Security and system setup
RUN apk update && \
apk add --no-cache curl && \
rm -rf /var/cache/apk/*
# Copy built web application
COPY --from=kotlin-builder /workspace/client/web-app/build/dist/ /usr/share/nginx/html/
# Copy nginx configuration
COPY client/web-app/nginx.conf /etc/nginx/nginx.conf
# Health check
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
CMD curl -f http://localhost:80/ || exit 1
EXPOSE 80
# Start nginx
CMD ["nginx", "-g", "daemon off;"]
🚀 Moderne Docker-Features und Optimierungen
BuildKit Cache Mounts
Unsere Templates nutzen moderne BuildKit Cache Mounts für optimale Build-Performance:
# BuildKit Cache Mount für Gradle Dependencies
RUN --mount=type=cache,target=/home/gradle/.gradle/caches \
--mount=type=cache,target=/home/gradle/.gradle/wrapper \
./gradlew :${SERVICE_NAME}:dependencies --no-daemon --info
Vorteile:
- Erheblich schnellere Builds: Dependencies werden zwischen Builds gecacht
- Geringerer Netzwerk-Traffic: Erneute Downloads werden vermieden
- Konsistente Build-Zeiten: Vorhersagbare Performance auch bei häufigen Builds
- CI/CD Optimierung: Drastische Reduktion der Pipeline-Laufzeiten
Docker Syntax und Versioning
# Verwendung der neuesten Dockerfile-Syntax für erweiterte Features
# syntax=docker/dockerfile:1.8
Moderne Features:
- Cache Mounts: Persistente Build-Caches zwischen Container-Builds
- Secret Mounts: Sichere Übertragung von Build-Secrets ohne Layer-Persistierung
- SSH Mounts: Sichere Git-Repository-Zugriffe während des Builds
- Multi-Platform Builds: Unterstützung für ARM64 und AMD64 Architekturen
Container Testing und Validation
Automatisierte Dockerfile-Tests mit test-dockerfile.sh:
# Vollständige Template-Validierung
./test-dockerfile.sh
# Tests umfassen:
# 1. Dockerfile-Syntax-Validierung
# 2. ARG-Deklarationen-Prüfung
# 3. Build-Tests mit Default-Argumenten
# 4. Build-Tests mit Custom-Argumenten
# 5. Container-Startup-Verifikation
# 6. Service-Health-Checks
Test-Kategorien:
- Syntax-Tests: Docker-Parser-Validierung ohne vollständigen Build
- Build-Tests: Vollständige Container-Builds mit verschiedenen Parametern
- Runtime-Tests: Container-Startup und Service-Health-Prüfungen
- Cleanup-Tests: Automatische Bereinigung von Test-Artefakten
🎼 Docker-Compose Organisation
Multi-Environment Strategie
Unsere Compose-Dateien sind modular organisiert für verschiedene Einsatzszenarien:
├── docker-compose.yml # ✅ Development (Infrastructure)
├── docker-compose.prod.yml # ✅ Production (gehärtet, SSL/TLS)
├── docker-compose.services.yml # 🆕 Application Services
├── docker-compose.clients.yml # 🆕 Client Applications
└── docker-compose.override.yml # 🆕 Local Development Overrides
Verwendungsszenarien
🏠 Lokale Entwicklung - Vollständiges System
# Alle Services einschließlich Clients
docker-compose \
-f docker-compose.yml \
-f docker-compose.services.yml \
-f docker-compose.clients.yml \
up -d
# Nur Infrastructure für Backend-Entwicklung
docker-compose -f docker-compose.yml up -d postgres redis kafka consul zipkin
# Mit Debug-Unterstützung für Service-Entwicklung
DEBUG=true SPRING_PROFILES_ACTIVE=docker \
docker-compose -f docker-compose.yml -f docker-compose.services.yml up -d
# Mit Live-Reload für Frontend-Entwicklung
docker-compose -f docker-compose.yml -f docker-compose.override.yml up -d
🔧 Erweiterte Umgebungskonfiguration
Beispiel für Auth-Server Konfiguration:
# Erweiterte Environment-Variablen aus docker-compose.services.yml
auth-server:
environment:
# Spring Boot Configuration
- SPRING_PROFILES_ACTIVE=docker
- SERVER_PORT=8081
- DEBUG=false
# Service Discovery
- SPRING_CLOUD_CONSUL_HOST=consul
- SPRING_CLOUD_CONSUL_PORT=8500
# Database Configuration mit Connection Pooling
- SPRING_DATASOURCE_URL=jdbc:postgresql://postgres:5432/meldestelle
- SPRING_DATASOURCE_HIKARI_MAXIMUM_POOL_SIZE=10
- SPRING_DATASOURCE_HIKARI_MINIMUM_IDLE=5
# Redis Configuration mit Timeout-Einstellungen
- SPRING_REDIS_HOST=redis
- SPRING_REDIS_TIMEOUT=2000ms
- SPRING_REDIS_LETTUCE_POOL_MAX_ACTIVE=8
# Security & JWT Configuration
- JWT_SECRET=meldestelle-auth-secret-key-change-in-production
- JWT_EXPIRATION=86400
- JWT_REFRESH_EXPIRATION=604800
# Monitoring & Observability
- MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE=health,info,metrics,prometheus,configprops
- MANAGEMENT_ENDPOINT_HEALTH_SHOW_DETAILS=always
- MANAGEMENT_TRACING_SAMPLING_PROBABILITY=0.1
- MANAGEMENT_ZIPKIN_TRACING_ENDPOINT=http://zipkin:9411/api/v2/spans
# Performance Tuning
- JAVA_OPTS=-XX:MaxRAMPercentage=75.0 -XX:+UseG1GC
- LOGGING_LEVEL_AT_MOCODE=DEBUG
# Resource Constraints
deploy:
resources:
limits:
memory: 512M
cpus: '1.0'
reservations:
memory: 256M
cpus: '0.5'
🚀 Production Deployment
# Production - Optimiert und sicher
docker-compose \
-f docker-compose.prod.yml \
-f docker-compose.services.yml \
up -d
# Mit spezifischen Environment-Variablen
export POSTGRES_PASSWORD=$(openssl rand -base64 32)
export REDIS_PASSWORD=$(openssl rand -base64 32)
docker-compose -f docker-compose.prod.yml up -d
🧪 Testing Environment
# Nur notwendige Services für Tests
docker-compose -f docker-compose.yml up -d postgres redis
./gradlew test
# End-to-End Tests
docker-compose -f docker-compose.yml -f docker-compose.services.yml up -d
./gradlew :client:web-app:jsTest
Service-Abhängigkeiten
# Typische Service-Abhängigkeiten in unserer Architektur
depends_on:
postgres:
condition: service_healthy
consul:
condition: service_healthy
redis:
condition: service_healthy
🛠️ Development-Workflow
Schnellstart-Befehle
# 🚀 Komplettes Development-Setup
make dev-up # Startet alle Development-Services
make dev-down # Stoppt alle Services
make dev-logs # Zeigt Logs aller Services
make dev-restart # Neustart aller Services
# 🔧 Service-spezifische Befehle
make service-build SERVICE=ping-service # Service neu bauen
make service-logs SERVICE=ping-service # Service-Logs anzeigen
make service-restart SERVICE=ping-service # Service neustarten
Makefile-Beispiel:
# Development commands
.PHONY: dev-up dev-down dev-logs dev-restart
dev-up:
docker-compose -f docker-compose.yml -f docker-compose.services.yml up -d
@echo "🚀 Development environment started"
@echo "📊 Grafana: http://localhost:3000 (admin/admin)"
@echo "🔍 Prometheus: http://localhost:9090"
@echo "🚪 API Gateway: http://localhost:8080"
dev-down:
docker-compose -f docker-compose.yml -f docker-compose.services.yml down
dev-logs:
docker-compose -f docker-compose.yml -f docker-compose.services.yml logs -f
dev-restart:
$(MAKE) dev-down
$(MAKE) dev-up
# Service-specific commands
service-build:
@test -n "$(SERVICE)" || (echo "❌ SERVICE parameter required"; exit 1)
docker-compose -f docker-compose.yml -f docker-compose.services.yml build $(SERVICE)
service-logs:
@test -n "$(SERVICE)" || (echo "❌ SERVICE parameter required"; exit 1)
docker-compose logs -f $(SERVICE)
service-restart:
@test -n "$(SERVICE)" || (echo "❌ SERVICE parameter required"; exit 1)
docker-compose -f docker-compose.yml -f docker-compose.services.yml restart $(SERVICE)
Hot-Reload Development
docker-compose.override.yml für optimierte Entwicklung:
# Development overrides für Hot-Reload
version: '3.8'
services:
web-client:
volumes:
- ./client/web-app/src:/app/src:ro
- ./client/common-ui/src:/app/common-ui/src:ro
environment:
- NODE_ENV=development
command: npm run dev
ping-service:
environment:
- DEBUG=true
- SPRING_DEVTOOLS_RESTART_ENABLED=true
ports:
- "5005:5005" # Debug-Port
volumes:
- ./temp/ping-service/src:/workspace/src:ro
Debugging von Services
# Service im Debug-Modus starten
docker-compose -f docker-compose.yml up -d ping-service
docker-compose exec ping-service sh
# Logs in Echtzeit verfolgen
docker-compose logs -f ping-service api-gateway
# Health-Check Status prüfen
curl -s http://localhost:8082/actuator/health | jq
curl -s http://localhost:8080/actuator/health | jq
🚀 Production-Deployment
Security Hardening
Unsere Production-Konfiguration implementiert umfassende Sicherheitsmaßnahmen:
🔒 SSL/TLS Everywhere
# TLS-Zertifikate vorbereiten
mkdir -p config/ssl/{postgres,redis,keycloak,grafana,prometheus,nginx}
# Let's Encrypt Zertifikate generieren
certbot certonly --dns-route53 -d api.meldestelle.at
certbot certonly --dns-route53 -d auth.meldestelle.at
certbot certonly --dns-route53 -d monitor.meldestelle.at
🛡️ Environment Variables
Erforderliche Production-Variablen:
# Datenschutz und Sicherheit
export POSTGRES_USER=meldestelle_prod
export POSTGRES_PASSWORD=$(openssl rand -base64 32)
export POSTGRES_DB=meldestelle_prod
export REDIS_PASSWORD=$(openssl rand -base64 32)
# Keycloak Admin
export KEYCLOAK_ADMIN=admin
export KEYCLOAK_ADMIN_PASSWORD=$(openssl rand -base64 32)
export KC_DB_PASSWORD=${POSTGRES_PASSWORD}
export KC_HOSTNAME=auth.meldestelle.at
# Monitoring
export GF_SECURITY_ADMIN_USER=admin
export GF_SECURITY_ADMIN_PASSWORD=$(openssl rand -base64 32)
export GRAFANA_HOSTNAME=monitor.meldestelle.at
export PROMETHEUS_HOSTNAME=metrics.meldestelle.at
# Kafka Security
export KAFKA_BROKER_ID=1
export KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181
🌐 Reverse Proxy Configuration
nginx.prod.conf Beispiel:
upstream api_backend {
server api-gateway:8080;
keepalive 32;
}
upstream auth_backend {
server keycloak:8443;
keepalive 32;
}
upstream monitoring_backend {
server grafana:3443;
keepalive 32;
}
server {
listen 443 ssl http2;
server_name api.meldestelle.at;
ssl_certificate /etc/ssl/nginx/api.meldestelle.at.crt;
ssl_certificate_key /etc/ssl/nginx/api.meldestelle.at.key;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
location / {
proxy_pass http://api_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
Resource Limits
Alle Production-Services haben definierte Resource-Limits:
# Beispiel für Resource-Management
services:
postgres:
deploy:
resources:
limits:
memory: 1G
cpus: '0.5'
reservations:
memory: 512M
cpus: '0.25'
api-gateway:
deploy:
resources:
limits:
memory: 512M
cpus: '0.5'
reservations:
memory: 256M
cpus: '0.25'
📊 Monitoring und Observability
Prometheus Metrics
Alle Services exposieren standardisierte Metrics:
# Service-Labels für Prometheus Autodiscovery
labels:
- "prometheus.scrape=true"
- "prometheus.port=8080"
- "prometheus.path=/actuator/prometheus"
- "prometheus.service=${SERVICE_NAME}"
Grafana Dashboards
Vorgefertigte Dashboards:
- Infrastructure Overview: CPU, Memory, Disk, Network
- Spring Boot Services: JVM Metrics, HTTP Requests, Circuit Breaker
- Database Performance: PostgreSQL Connections, Query Performance
- Message Queue: Kafka Consumer Lag, Throughput
- Business Metrics: Application-spezifische KPIs
Health Check Matrix
| Service | Endpoint | Erwartung | Timeout |
|---|---|---|---|
| API Gateway | /actuator/health |
{"status":"UP"} |
15s |
| Ping Service | /actuator/health/readiness |
HTTP 200 | 3s |
| PostgreSQL | pg_isready |
Connection OK | 5s |
| Redis | redis-cli ping |
PONG | 5s |
| Keycloak | /health/ready |
HTTP 200 | 5s |
Log Aggregation
# Centralized logging mit ELK Stack (optional)
docker-compose -f docker-compose.yml -f docker-compose.logging.yml up -d
# Log-Parsing für strukturierte Logs
docker-compose logs --follow --tail=100 api-gateway | jq -r '.message'
🔧 Troubleshooting
Häufige Probleme und Lösungen
🚫 Port-Konflikte
# Überprüfe, welche Ports verwendet werden
netstat -tulpn | grep :8080
lsof -i :8080
# Stoppe konfligierende Services
docker-compose down
sudo systemctl stop apache2 # Falls Apache läuft
🐌 Langsame Startup-Zeiten
# Überprüfe Container-Ressourcen
docker stats
# Health-Check Logs analysieren
docker-compose logs ping-service | grep health
# Java Startup optimieren
export JAVA_OPTS="$JAVA_OPTS -XX:TieredStopAtLevel=1 -noverify"
💾 Disk-Space Probleme
# Docker-Cleanup
docker system prune -a --volumes
docker volume prune
# Log-Rotation für Container
docker-compose logs --tail=1000 > /dev/null # Truncate logs
🌐 Service Discovery Issues
# Consul Status prüfen
curl -s http://localhost:8500/v1/health/state/any | jq
# Service Registration überprüfen
curl -s http://localhost:8500/v1/catalog/services | jq
# DNS-Resolution testen
docker-compose exec api-gateway nslookup ping-service
Debug-Kommandos
# Container introspection
docker-compose exec SERVICE_NAME sh
docker-compose exec postgres psql -U meldestelle -d meldestelle
# Live-Monitoring
docker-compose top
watch -n 1 'docker-compose ps'
# Memory und CPU-Usage
docker stats $(docker-compose ps -q)
# Detailed service logs
docker-compose logs -f --tail=50 SERVICE_NAME
✅ Best Practices
🔐 Security Best Practices
- Non-Root Users: Alle Container laufen mit dedizierten Non-Root-Usern
- Minimal Base Images: Alpine Linux für kleinste Angriffsfläche
- Secrets Management: Externe Secret-Stores für Production
- Network Isolation: Dedizierte Docker-Networks
- Regular Updates: Automatische Security-Updates für Base Images
⚡ Performance Best Practices
- Multi-Stage Builds: Minimale Runtime-Images
- Layer Caching: Optimale COPY-Reihenfolge in Dockerfiles
- Resource Limits: Definierte Memory und CPU-Limits
- Health Checks: Proaktive Container-Health-Überwachung
- JVM Tuning: Container-aware JVM-Settings
🧹 Wartung Best Practices
- Version Pinning: Explizite Image-Versionen in Production
- Backup Strategies: Automatische Volume-Backups
- Log Rotation: Begrenzte Log-Datei-Größen
- Documentation: Aktuelle README-Dateien pro Service
- Testing: Automatisierte Container-Tests
📦 Build Best Practices
# ✅ Gute Praktiken
FROM eclipse-temurin:21-jre-alpine AS runtime
RUN apk update && apk upgrade && rm -rf /var/cache/apk/*
USER 1001:1001
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health || exit 1
# ❌ Zu vermeidende Praktiken
FROM ubuntu:latest
RUN apt-get update
USER root
Probleme: Zu große Base-Image, keine Versionierung, fehlende Cleanup, Sicherheitsrisiko durch Root-User, keine Health Checks
📚 Weiterführende Ressourcen
Interne Dokumentation
README.md- Projekt-ÜberblickREADME-ENV.md- Environment-SetupREADME-PRODUCTION.md- Production-Deploymentinfrastructure/*/README.md- Service-spezifische Dokumentation
Externe Referenzen
Tools und Utilities
# Nützliche Entwicklungstools
brew install docker-compose # macOS
apt-get install docker-compose-plugin # Ubuntu
pip install docker-compose # Python
# Container-Debugging
brew install dive # Docker-Image-Layer-Analyse
brew install ctop # Container-Monitoring-Tool
📝 Changelog
| Version | Datum | Änderungen |
|---|---|---|
| 1.1.0 | 2025-08-16 | Umfassende Überarbeitung und Optimierung: |
| • Aktualisierung aller Dockerfile-Templates auf aktuelle Implementierung | ||
| • Integration von BuildKit Cache Mounts für optimale Build-Performance | ||
| • Dokumentation moderner Docker-Features (syntax=docker/dockerfile:1.8) | ||
| • Erweiterte Service-Ports-Matrix mit Debug-Ports und korrekten Health-Checks | ||
| • Umfassende docker-compose Konfigurationsbeispiele mit Environment-Variablen | ||
| • Neue Sektion für automatisierte Container-Tests (test-dockerfile.sh) | ||
| • Aktualisierung auf Europe/Vienna Timezone und Java 21 Optimierungen | ||
| • Erweiterte Monitoring- und Observability-Konfigurationen | ||
| • Verbesserte Resource-Management und Performance-Tuning Einstellungen | ||
| 1.0.0 | 2025-08-16 | Initiale Docker-Guidelines basierend auf Containerisierungsstrategie |
🤝 Beitragen
Änderungen an den Docker-Guidelines sollten über Pull Requests eingereicht und vom Team reviewed werden. Bei Fragen oder Verbesserungsvorschlägen bitte ein Issue erstellen.
Kontakt: Meldestelle Development Team