Is it a good practice to have an extra docker container for build tasks?

Question

I have a simple web app with nginx as web server. I use grunt (node module) to prepare my assets for production (minifying etc.). Now I wonder if I should run the build task in an own container or if one container is enough.

Which approach is the best and why?

Answer 1

Having separate images for the build and the finished app is a good practice - it means your final app image is clean and has a minimal feature set, only what you need to run the app. That makes for a smaller image with (more importantly) a smaller attack surface. Here's a good write up of that - it's called the Docker Builder pattern.

Alternatively, the benefit of having a single image which contains your app and the build tools is that you reduce your management overhead during development - you don't have to chain builds together or manage multiple versions of multiple images. But the cost in having a more bloated final app with more potential for exploits may not be worth it.

Answer 2

One container is enough. Containers running on a single machine share the same operating system kernel. So, maintenance maybe a problem if you want to run the same build at multiple containers. Preferably, you can spawn up another image at any point. Though it is advisable to keep snapshots after each successful build.