# Docker Compose Skill

## Purpose
Create secure, production-ready Docker configurations with multi-service orchestration.

## Dockerfile Best Practices

### Multi-stage Builds
```dockerfile
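# Build stage: has the full toolchain and is discarded after the build
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# Install all dependencies; the build step needs devDependencies
RUN npm ci
COPY . .
# Build, then prune devDependencies so only production modules are copied on
RUN npm run build && npm prune --omit=dev

# Runtime stage: only the build output and production dependencies
FROM node:20-alpine
# Create an unprivileged user and group with fixed IDs
RUN addgroup -g 1001 appgroup && adduser -u 1001 -G appgroup -s /bin/sh -D appuser
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
# Drop root before the process starts
USER appuser
HEALTHCHECK CMD wget -q --spider http://localhost:3000/health || exit 1
EXPOSE 3000
CMD ["node", "dist/index.js"]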
```

## Security Checklist
- Never run as root (USER directive)
- Never embed secrets in images (use env vars or secrets)
- Use specific image tags (not :latest)
- Use alpine-based images for smaller attack surface
- Add HEALTHCHECK instruction
- Scan images with trivy or grype

## Compose Best Practices
- Use named volumes for persistent data
- Add health checks and depends_on conditions
- Set resource limits (memory, CPU)
- Use .env files for configuration (never commit secrets)
- Add restart policies
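
A Compose file that applies the items in this list together, as an added example that is not part of the original skill. The `app` and `db` service names, the Postgres image, the loopback port binding, the limits and the secret file path are assumptions.

```yaml
# Added example. Service names, image tags, ports and limits are assumptions.
services:
  app:
    build: .
    restart: unless-stopped
    env_file: .env                  # non-secret settings; keep .env out of git
    ports:
      - "127.0.0.1:3000:3000"       # assumed: published on loopback only
    depends_on:
      db:
        condition: service_healthy  # wait for the db health check, not just start
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/health"]
      interval: 30s
      timeout: 5s
      retries: 3
    deploy:
      resources:
        limits:
          cpus: "0.50"
          memory: 256M

  db:
    image: postgres:16-alpine       # pinned tag, not :latest
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/db_password  # read from the secret file
    secrets:
      - db_password
    volumes:
      - db_data:/var/lib/postgresql/data  # named volume for persistent data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 512M

volumes:
  db_data:

secrets:
  db_password:
    file: ./secrets/db_password.txt  # constructed path; exclude from version control
```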