
Anatomy of a Production-Ready Docker Command

Mar 26, 2026

Full Command

docker run -d --name payment-service-prod -p 8080:8080 -e SPRING_PROFILES_ACTIVE=production -e DB_HOST=postgres.cluster.internal -e DB_PASSWORD=secure123 -v /data/payments/logs:/app/logs -v /data/payments/config:/app/config:ro --memory="512m" --cpus="1.0" --restart unless-stopped --log-opt max-size=10m --log-opt max-file=3 --health-cmd="curl -f http://localhost:8080/health || exit 1" --health-interval=30s --health-timeout=5s --health-retries=3 --read-only --tmpfs /tmp:rw,noexec,nosuid,size=128m --user=1000:1000 myregistry.com/payment-service:1.2.3

As you move from a local "hello world" to production, Docker commands tend to get much longer. That is not just for show. Each flag adds stability, security, or observability. Let’s break down the command used for our payment-service.

1. The Basics: Identity & Connectivity

  • -d: Runs the container in detached mode, which means it runs in the background and does not take over your terminal session.
  • --name payment-service-prod: Gives the container a human-readable name, which is much easier to manage than the random names Docker generates (like nostalgic_hopper).
  • -p 8080:8080: Maps port 8080 on the host to port 8080 inside the container. This is how external traffic reaches your app. Written this way the port is published on every host interface (0.0.0.0); if the service should only be reachable through a reverse proxy on the same machine, bind it to loopback instead: -p 127.0.0.1:8080:8080.

2. Configuration & Storage

  • -e: Sets environment variables. Here, we are telling the Spring Boot app to use the "production" profile and giving it the database host and password. Be aware that anything passed with -e is stored in clear text in the container's configuration, so it shows up in your shell history and in the output of docker inspect, and is readable by anyone who can run that command. DB_PASSWORD=secure123 on the command line keeps the example short; in a real deployment load the password from an --env-file with restricted permissions or from a secrets manager, and never commit it alongside the command.
  • -v: Mounts volumes (here, bind mounts of host directories).
    • The first mount sends logs to a persistent directory on the host. Because the container runs as uid 1000 (see --user below), that host directory must be writable by uid 1000, or the app will fail to open its log files.
    • The second mount pulls in configuration files. Note the :ro at the end, which stands for read-only, ensuring that neither the app nor anyone who compromises it can modify the config from inside the container.

3. Resource Management

In production, you don't want one container to "eat" the whole server.

  • --memory="512m": Caps the container's memory at 512MB. If the process grows beyond that, the kernel's OOM killer terminates it (and the restart policy brings it back), so size the limit from observed usage. For a JVM app like this one, make sure the heap (-Xmx, or the JVM's own container-aware defaults) stays well below the limit.
  • --cpus="1.0": Limits the container to one CPU's worth of time per scheduling period. It is throttled, not pinned to a particular core (pinning would be --cpuset-cpus).
  • --restart unless-stopped: If the process exits (crash, OOM kill) or the Docker daemon comes back after a reboot, Docker starts the container again, unless you had stopped it manually. This keys off the process exiting, not the health check: a container that is merely "unhealthy" is left running.

4. Health & Logging

  • --log-opt max-size=10m --log-opt max-file=3: Prevents the container's stdout/stderr log from filling up the disk. With the default json-file driver this rotates the log at 10MB and keeps 3 files, bounding it to roughly 30MB per container.
  • --health-*: Tells Docker how to check whether the app is actually working. Every 30 seconds it runs the curl command inside the container, allowing 5 seconds for a response; three consecutive failures mark the container "unhealthy" in docker ps and docker inspect. Two practical points: curl must exist in the image (and be runnable by the --user below), and Docker only reports the status. Nothing restarts an unhealthy container unless an orchestrator or an external watcher acts on it.

5. Security Hardening

This is where the "pros" separate themselves from the amateurs:

  • --read-only: Mounts the container's root filesystem read-only. Writes succeed only where you explicitly allow them (the tmpfs at /tmp and the /app/logs volume), so an attacker who gets code execution can't drop a binary into /usr/bin, edit system files, or persist across a restart. It is containment, not a cure: code already running in memory is unaffected, and anything you left writable is still writable. Apps that write elsewhere (for example under /var/run or a work directory) will fail at startup until you give them a tmpfs or volume, so test this flag before rolling it out.
  • --tmpfs /tmp:rw,noexec,nosuid,size=128m: Since the root filesystem is read-only, this provides a small in-memory scratch space for temporary files, capped at 128MB and discarded when the container stops. noexec means binaries dropped into /tmp can't be executed directly (interpreters can still read scripts from there, so it raises the bar rather than closing the door), and nosuid means setuid bits are ignored.
  • --user=1000:1000: Runs the process as uid 1000 / gid 1000 instead of root. Inside the container the process can't modify root-owned files, and if a container breakout ever happens, the attacker lands on the host as uid 1000 rather than as root. For this to work the image's files must be readable by that uid, the listening port must be unprivileged (8080 is), and bind-mounted host directories the app writes to must be owned or writable by uid 1000 on the host (check with ls -ln /data/payments/logs). The same command is commonly tightened further with --cap-drop=ALL and --security-opt=no-new-privileges, which this version does not yet include.
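To make the checks in sections 2 through 5 concrete, here is an added example (not code from the original post) that audits a container's effective settings from the JSON that docker inspect prints. The field names (Config.User, HostConfig.ReadonlyRootfs, HostConfig.Binds, and so on) are Docker's; the two sample documents are constructed by hand to mirror what the command above would produce and what a bare docker run would produce, not real captures, and the list of "secret-looking" variable names is a heuristic you would tune for your environment. Run against a live host with docker inspect payment-service-prod | python3 audit.py (reading stdin is left to you).

```python
import json
import re

# Env names that usually carry credentials; -e values land in Config.Env in clear text.
SECRET_ENV = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY", re.IGNORECASE)


def audit_container(doc: dict) -> list[str]:
    """Return findings for one `docker inspect` document; [] means nothing to report."""
    cfg = doc.get("Config") or {}
    host = doc.get("HostConfig") or {}
    findings = []

    # --user: Config.User is "" when the image default (normally root) applies.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root: add --user=<uid>:<gid>")

    # --read-only plus a scratch tmpfs; flag tmpfs mounts that lack noexec/nosuid.
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable: add --read-only")
    for path, opts in (host.get("Tmpfs") or {}).items():
        missing = [o for o in ("noexec", "nosuid") if o not in opts.split(",")]
        if missing:
            findings.append(f"tmpfs {path} lacks {','.join(missing)}")

    # Bind mounts are "host:container[:options]"; without "ro" the container can write to them.
    for bind in host.get("Binds") or []:
        parts = bind.split(":")
        if len(parts) < 3 or "ro" not in parts[2].split(","):
            findings.append(f"writable bind mount: {bind}")

    # Anything passed with -e is stored here and readable by whoever can run docker inspect.
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_ENV.search(name):
            findings.append(f"secret in environment (readable via docker inspect): {name}")

    # Resource limits: Docker stores 0 for "unlimited".
    if not host.get("Memory"):
        findings.append("no memory limit: add --memory")
    if not host.get("NanoCpus"):
        findings.append("no CPU limit: add --cpus")
    if (host.get("RestartPolicy") or {}).get("Name") in (None, "", "no"):
        findings.append("no restart policy: add --restart unless-stopped")

    # Log rotation and health check.
    if "max-size" not in ((host.get("LogConfig") or {}).get("Config") or {}):
        findings.append("unbounded logs: add --log-opt max-size=... --log-opt max-file=...")
    if not cfg.get("Healthcheck"):
        findings.append("no health check: add --health-cmd ...")
    return findings


def audit_inspect_output(text: str) -> dict[str, list[str]]:
    """Parse the JSON array `docker inspect` prints and audit every container in it."""
    return {doc.get("Name", "?").lstrip("/"): audit_container(doc) for doc in json.loads(text)}


# Constructed sample mirroring what the post's command produces (not a real capture).
HARDENED = {
    "Name": "/payment-service-prod",
    "Config": {
        "User": "1000:1000",
        "Env": ["SPRING_PROFILES_ACTIVE=production", "DB_HOST=postgres.cluster.internal",
                "DB_PASSWORD=secure123", "PATH=/usr/local/bin:/usr/bin:/bin"],
        "Healthcheck": {"Test": ["CMD-SHELL", "curl -f http://localhost:8080/health || exit 1"],
                        "Interval": 30000000000, "Timeout": 5000000000, "Retries": 3},
    },
    "HostConfig": {
        "Binds": ["/data/payments/logs:/app/logs", "/data/payments/config:/app/config:ro"],
        "Memory": 536870912, "NanoCpus": 1000000000,
        "RestartPolicy": {"Name": "unless-stopped", "MaximumRetryCount": 0},
        "LogConfig": {"Type": "json-file", "Config": {"max-file": "3", "max-size": "10m"}},
        "ReadonlyRootfs": True, "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=128m"},
    },
}

# Constructed sample for a bare `docker run -d -p 8080:8080 -e DB_PASSWORD=... image`.
BARE = {
    "Name": "/nostalgic_hopper",
    "Config": {"User": "", "Env": ["DB_PASSWORD=secure123", "PATH=/usr/bin:/bin"]},
    "HostConfig": {"Binds": None, "Memory": 0, "NanoCpus": 0,
                   "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
                   "LogConfig": {"Type": "json-file", "Config": {}},
                   "ReadonlyRootfs": False, "Tmpfs": None},
}

if __name__ == "__main__":
    for name, findings in audit_inspect_output(json.dumps([HARDENED, BARE])).items():
        print(name, "->", findings or ["ok"])
```

For the hardened container the audit reports exactly two things: the logs mount is writable (expected, the app has to write there, but it is the one place an attacker can persist data) and DB_PASSWORD is sitting in the environment, which is the finding worth fixing. The bare container trips all eight of the other checks, which is a compact way to see what the long command actually buys you.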