See these pages for more information:
https://docs.docker.com/reference/dockerfile/
https://docs.docker.com/build/building/best-practices/

Docker introduced new backend for builing images (buildkit) which doesn't expose intermediate containers.
To show intermediate containers, set the environment variable DOCKER_BUILDKIT before the docker build command: $ DOCKER_BUILDKIT=0 docker build [OPTIONS] PATH | URL | -

Dockerfile contains builds commands that are needed to create a Docker image.

For each build command in the Dockerfile, Docker will generate a new filesystem layer. An image is a combination of all filesystem layers created by the build commands of the Dockerfile. Each layer is mapped to a specific build command in the Dockerfile.

For a new created image, Docker will execute all the build commands in the Dockerfile.

When building an already created image (assuming the cache was not cleared), Docker uses, for each command in the Dockerfile, the corresponding filesystem layer from its cache, only if:

• The command and its parent were not updated.
  
• The command and its parent are not generating a new filesystem layer.
  

If any of the above conditions are met, Docker will automatically run all build commands in the Dockerfile that are below this updated build command.

Best practices: A build command that might create a new filesystem layer every time it's executed (e.g., update OS, library) should be placed at the bottom of the Dockerfile. Another option is to place, when possible, that command in a parent Dockerfile and use the generated image as a parent image for the descendant Dockerfiles. In such case case, the parent image can be re-built only when needed.

Best practices: If possible, multiple build commands should be combined in one single build command.

Following best practices when designing Dockerfiles helps:

• speed up the creation of Docker images by leveraging the cache.
  
• reduce the size of Docker images.
  
• speed up copying/downloading Docker images by skipping layers that have already been copied/downloaded.
  

Example of a Dockerfile:
$ vi Dockerfile FROM ubuntu:latest RUN apt-get -y update RUN apt-get -y install curl RUN apt-get -y install nginx RUN groupadd -r mtitek --gid=1001 RUN useradd -r -g mtitek --uid=1001 mtitek
Build the Dockerfile:
$ docker build -t ubuntu-nginx:latest . Sending build context to Docker daemon 2.048kB Step 1/6 : FROM ubuntu:latest latest: Pulling from library/ubuntu 3ff22d22a855: Pull complete ... Digest: sha256:5d1d5407f353843ecf8b16524bc5565aa332e9e6a1297c73a92d3e754b8a636d Status: Downloaded newer image for ubuntu:latest ---> 1e4467b07108 Step 2/6 : RUN apt-get -y update ---> Running in 232b13119cfb ... Removing intermediate container 232b13119cfb ---> eb020e044f5a Step 3/6 : RUN apt-get -y install curl ---> Running in 6db1a5ce5418 ... Removing intermediate container 6db1a5ce5418 ---> cd922ddc54c1 Step 4/6 : RUN apt-get -y install nginx ---> Running in 43a520ceb080 ... Removing intermediate container 43a520ceb080 ---> aa834b9addb2 Step 5/6 : RUN groupadd -r mtitek --gid=1001 ---> Running in 4b12986513b1 Removing intermediate container 4b12986513b1 ---> 68bf80375948 Step 6/6 : RUN useradd -r -g mtitek --uid=1001 mtitek ---> Running in d4eb29e56387 Removing intermediate container d4eb29e56387 ---> 96b9b2a5d5bd Successfully built 96b9b2a5d5bd Successfully tagged ubuntu-nginx:latest
Check the image: $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu-nginx latest 05f7784dcd54 4 minutes ago 225MB
Let's inspect the layers of the ubuntu image (ubuntu:latest):
$ docker inspect ubuntu:latest --format '{{json .RootFS.Layers}}' | jq [ "sha256:ce30112909569cead47eac188789d0cf95924b166405aa4b71fb500d6e4ae08d", "sha256:8eeb4a14bcb4379021c215017c94800a848a8203a8ce76aa1bd211d4c995f792", "sha256:a37e74863e723df4ddd599ef1b7d9a68e2301794a8c37c2370f8c2c8993ef72c", "sha256:095624243293a7dfdb582f8471d6e2d9d7772dd621bc57906b034c59f388ebac" ]
Let's inspect the layers of the new image (ubuntu-nginx:latest):
$ docker inspect ubuntu-nginx:latest --format '{{json .RootFS.Layers}}' | jq [ "sha256:ce30112909569cead47eac188789d0cf95924b166405aa4b71fb500d6e4ae08d", "sha256:8eeb4a14bcb4379021c215017c94800a848a8203a8ce76aa1bd211d4c995f792", "sha256:a37e74863e723df4ddd599ef1b7d9a68e2301794a8c37c2370f8c2c8993ef72c", "sha256:095624243293a7dfdb582f8471d6e2d9d7772dd621bc57906b034c59f388ebac", "sha256:990f9d12449d20d10e48e83a8882a69c25848a615c571d9702fbacc98ff08cf5", "sha256:12f4a1ff23cb6bc755ae3b28374d639d5381c4f775795ef02d2551bd2728a5ac", "sha256:b3f98fc07babfcad7f251a2aa105232d2b14c63948e48c3df8498377e179199b", "sha256:0af660f0ef73a30d73ffef848c11a3ab09f9cdcca51a86866f90952d041bc411", "sha256:7ad5b6cb70b0d2c21e3a922ba4d529e354b182d25af0b4fa57928105efebd6cb" ]
Note that the image 'ubuntu-nginx:latest' inherit all the layers of the parent image 'ubuntu:latest'.

The five new layers are the ones created by executing the build steps in the Dockerfile.

Let's optimize a bit the Dockerfile we used above:
$ vi Dockerfile-optimized FROM ubuntu:latest RUN groupadd -r mtitek --gid=1001 && useradd -r -g mtitek --uid=1001 mtitek RUN apt-get -y update && apt-get -y install curl && apt-get -y install nginx && rm -rf /var/lib/apt/lists/*
Build the Dockerfile:
$ docker build -t ubuntu-nginx:latest -f Dockerfile-optimized . Sending build context to Docker daemon 3.072kB Step 1/3 : FROM ubuntu:latest latest: Pulling from library/ubuntu 3ff22d22a855: Pull complete ... Digest: sha256:5d1d5407f353843ecf8b16524bc5565aa332e9e6a1297c73a92d3e754b8a636d Status: Downloaded newer image for ubuntu:latest ---> 1e4467b07108 Step 2/3 : RUN groupadd -r mtitek --gid=1001 && useradd -r -g mtitek --uid=1001 mtitek ---> Running in 0c2873dba86c Removing intermediate container 0c2873dba86c ---> 72509963272b Step 3/3 : RUN apt-get -y update && apt-get -y install curl && apt-get -y install nginx && rm -rf /var/lib/apt/lists/* ---> Running in 7cf20dc973f0 ... ---> 863c3eccbaad Successfully built 863c3eccbaad Successfully tagged ubuntu-nginx:latest
Let's inspect the layers of the new image:
$ docker inspect ubuntu-nginx:latest --format '{{json .RootFS.Layers}}' | jq [ "sha256:ce30112909569cead47eac188789d0cf95924b166405aa4b71fb500d6e4ae08d", "sha256:8eeb4a14bcb4379021c215017c94800a848a8203a8ce76aa1bd211d4c995f792", "sha256:a37e74863e723df4ddd599ef1b7d9a68e2301794a8c37c2370f8c2c8993ef72c", "sha256:095624243293a7dfdb582f8471d6e2d9d7772dd621bc57906b034c59f388ebac", "sha256:c17d2b5a59c3fd4513eedbe4f93b42d076185d0c62d82049aca9c9b8a4fc9695", "sha256:234f21cc6c8c5b9dc81ffc447ab9fefae9b8ee8751ea1cd93ad4df9da6897ab4" ]
First note that the build steps were reduced to only three steps. This result to only two new layers created for the new image instead of five with the non-optimized Dockerfile.

Note that the steps, in the Dockerfile, to create the mtitek group and user are placed before the installation instructions of curl and nginx. This is to show that the instructions that are more likely to generate the same exact result, no matter how many time they are executed, should be placed at the top of the Dockerfile. This will save time when building the image frequently.

Note also the instruction rm -rf /var/lib/apt/lists/*, which is useful to save disk space on the final image. The size of the image is now 140MB instead of 225MB.
$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE ubuntu-nginx latest 9db82079903f 4 seconds ago 140MB

The Dockerfile supports the following instructions: FROM # Create a new build stage from a base image. ARG # USE BUILD-TIME VARIABLES. LABEL # Add metadata to an image. ENV # Set environment variables. RUN # Execute build commands. COPY # Copy files and directories. CMD # Specify default commands. ENTRYPOINT # Specify default executable. USER # Set user and group ID. VOLUME # Create volume mounts. WORKDIR # Change working directory. EXPOSE # Describe which ports your application is listening on. ADD # Add local or remote files and directories. HEALTHCHECK # Check a container's health on startup. MAINTAINER # Specify the author of an image. ONBUILD # Specify instructions for when the image is used in a build. SHELL # Set the default shell of an image. STOPSIGNAL # Specify the system call signal for exiting a container.

FROM [--platform=<platform>] <image> [AS <name>] FROM [--platform=<platform>] <image>[:<tag>] [AS <name>] FROM [--platform=<platform>] <image>[@<digest>] [AS <name>]
The FROM instruction creates a new build stage from a base image.
FROM ubuntu:latest

ARG <name>[=<default value>] [<name>[=<default value>]...]
The ARG instruction uses build-time variables (along with their default values).
ARG image_version="latest"

LABEL <key>=<value> [<key>=<value>...]
The LABEL instruction adds metadata to an image.
LABEL IMAGE_NAME="Ubuntu $image_version"
Note that the label is using a variable name which, in this case, references the argument defined by the instruction ARG.

Let's use a Dockerfile with the above instructions:
$ vi Dockerfile FROM ubuntu:latest ARG image_version="latest" LABEL IMAGE_NAME="Ubuntu $image_version"
Let's build the Dockerfile:
$ docker build -t ubuntu-base:latest --build-arg image_version="1.0" .
You can inspect the created image to check the labels:
$ docker inspect ubuntu-base:latest --format '{{json .Config.Labels}}' | jq { "IMAGE_NAME": "Ubuntu 1.0" }

ENV <key>=<value> [<key>=<value>...]
The ENV instruction sets environment variables (also available as regular variables during build-time).
ENV image_env="dev"
Let's use a Dockerfile with the above instructions:
$ vi Dockerfile FROM ubuntu:latest ARG image_version="latest" ENV image_env="dev" LABEL IMAGE_NAME="Ubuntu $image_version $image_env"
Let's build the Dockerfile:
$ docker build -t ubuntu-base:latest .
You can inspect the created image to check the labels.
Note that the environment variable was used to set the label.
Also note that this time the label used the default value of the argument because it was not set when the image was created.
$ docker inspect ubuntu-base:latest --format '{{json .Config.Labels}}' | jq { "IMAGE_NAME": "Ubuntu latest dev" }
Let's check the env variable within the container:
$ docker run --rm -ti ubuntu-base:latest /bin/bash -c 'env | grep image_env' image_env=dev

# Shell form: RUN [OPTIONS] <command> ... # Exec form: RUN [OPTIONS] [ "<command>", ... ]
The RUN instruction executes build commands.
RUN apt-get -y update
You should combine multiple build execution commands into a single instruction whenever possible.
RUN apt-get -y install curl && apt-get -y install nginx
You should also avoid updating the operating system or upgrading libraries. If necessary, you should use a base image that you can build only when needed. The base image should also be used, where possible, to install third-party libraries.

COPY [OPTIONS] <src> ... <dest> COPY [OPTIONS] ["<src>", ... "<dest>"]
The COPY instruction copies files and directories from the local filesystem into a Docker image.
COPY ./file1 /tmp
You can copy files or folders.
When copying a folder, only its content is copied.

Let's create few local folders/files:
$ mkdir folder1 $ mkdir folder1/folder2 $ touch folder1/file1 $ touch folder1/folder2/file2
Let's use a Dockerfile to copy files/folders into the Docker image:
$ vi Dockerfile FROM ubuntu:latest RUN mkdir /opt/foo RUN mkdir /opt/bar COPY ./folder1/file1 /opt/foo COPY ./folder1 /opt/bar
Let's build the Dockerfile:
$ docker build -t ubuntu-copy:latest .
You can check the copied files/folders
$ docker run --rm -ti ubuntu-copy:latest /bin/bash -c 'find /opt' /opt /opt/bar /opt/bar/folder2 /opt/bar/folder2/file2 /opt/bar/file1 /opt/foo /opt/foo/file1

# Exec form: CMD ["executable", "parameter1", "parameter2", ...] CMD ["parameter1", "parameter2", ...] # when used with ENTRYPOINT # Shell form: CMD command parameter1 parameter2
The CMD instruction specifies default commands.

Let's use a Dockerfile:
$ vi Dockerfile FROM ubuntu:latest CMD ["bash", "-x"]
Let's build the Dockerfile:
$ docker build -t ubuntu-copy:latest .
You can check the copied files/folders
$ docker run --rm -ti ubuntu-cmd:latest + '[' -z '\s-\v\$ ' ']' + shopt -s checkwinsize ... root@fd2b5bd60f7f:/

# Exec form: ENTRYPOINT ["executable", "parameter1", "parameter2", ...] # Shell form: ENTRYPOINT command parameter1 parameter2
The ENTRYPOINT instruction specifies default executable.

Let's use a Dockerfile:
$ vi Dockerfile FROM ubuntu:latest ENTRYPOINT ["bash", "-c"] CMD ["top", "-o %CPU", "-H"]
Let's build the Dockerfile:
$ docker build -t ubuntu-entrypoint-cmd:latest .
You can check the copied files/folders
$ docker run --rm -ti ubuntu-entrypoint-cmd:latest top - 09:52:48 up 20:39, 0 user, load average: 0.60, 0.58, 0.54 Tasks: 1 total, 1 running, 0 sleeping, 0 stopped, 0 zombie %Cpu(s): 2.3 us, 2.2 sy, 0.0 ni, 94.6 id, 0.3 wa, 0.0 hi, 0.6 si, 0.0 st MiB Mem : 15884.0 total, 9379.6 free, 2099.5 used, 4728.7 buff/cache MiB Swap: 4096.0 total, 4096.0 free, 0.0 used. 13784.5 avail Mem PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 1 root 20 0 8856 5188 3060 R 0.0 0.0 0:00.01 top

USER <user>[:<group>] USER <UID>[:<GID>]
The USER instruction sets the user that will be used to run the processes inside the container.

By default, if the USER instruction is not set, docker run all processes as root.
Unless there is a real reason for this, you should avoid running containers using root or privileged users.

Let's check the mti existing on the Docker host:
$ id mti uid=1002(mti) gid=1002(tek) groups=1002(tek)
Let's first try a Dockerfile without the USER instruction:
$ vi Dockerfile-withoutuser FROM ubuntu:latest
Let's build the Dockerfile:
$ docker build -t ubuntu-withoutuser:latest -f Dockerfile-withoutuser .
Let's check the user within the container:
$ docker run --rm -ti ubuntu-withoutuser:latest /bin/bash -c 'id' uid=0(root) gid=0(root) groups=0(root)
Let's try now a Dockerfile with the USER instruction:
$ vi Dockerfile-withuser FROM ubuntu:latest RUN groupadd -r tek --gid=1002 && useradd -r -g tek --uid=1002 mti USER mti
Let's build the Dockerfile:
$ docker build -t ubuntu-withuser:latest -f Dockerfile-withuser .
Let's check the user within the container:
$ docker run --rm -ti ubuntu-withuser:latest /bin/bash -c 'id' uid=1002(mti) gid=1002(tek) groups=1002(tek)
Note that the Dockerfile create the group "tek" with the group id (gid) "1002". It also create the user "mti" with the user id (uid) "1002" and the group id (gid) "1002". The image that we create from this Dockerfile will run with the user "mti".

Note that the group and user names are, more or less, just friendly names. The important part is the uid and gid. These two elements will map the container's user uid and group gid to the host's user uid and group gid. So, in the above example, the container will be running using the same uid and gid that match the ones of the Docker host. In the host I am using the uid 1002 and gid=1002 are mapped to the user and group "mtitek". This means that the container's user will get the same privileges that the user "mtitek" has.

VOLUME ["/data"]
The VOLUME instruction creates volume mounts.

Let's create a Dockerfile that will use the VOLUME instruction to mount a local directory. I will adapt a bit the nginx Dockerfie to print the logs in a directory.

Here's the Dockerfile (this is for demo purposes only):
$ vi Dockerfile-nginx-mounted-log-dir FROM nginx:latest #removing the redirection to stdout/stderr to allow writing logs to directory RUN rm -f /var/log/nginx/access.log && rm -f /var/log/nginx/error.log VOLUME /var/log/nginx
Let's build the Dockerfile:
$ docker build -t nginx-mounted-log-dir:latest -f Dockerfile-nginx-mounted-log-dir .
Let's create a local directroy:
$ mkdir ./nginx-loc-dir
Let's run the nginx image (the host's directory ./nginx-loc-dir is mounted to the container's directory /var/log/nginx):
$ docker run -d -P -v ./nginx-loc-dir:/var/log/nginx nginx-mounted-log-dir:latest 0a6ea9efbc1f264287aa2b146d77423fd5d8e9070b7aebd0a4d36d148631c16c
Check the nginx process:
$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 8491a320ecd8 nginx-mounted-log-dir:latest "/docker-entrypoint.…" 8 seconds ago Up 6 seconds 0.0.0.0:32770->80/tcp zen_shtern
Let's access nginx at the published port 32770:
$ curl http://localhost:32770
Check the nginx logs:
$ ls -al ./nginx-loc-dir/ -rw-r--r-- 1 root root 91 access.log -rw-r--r-- 1 root root 0 error.log
$ cat ./nginx-loc-dir/access.log 172.17.0.1 - - [03/Aug/2020:03:22:16 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.58.0" "-"

WORKDIR /path/to/workdir
The WORKDIR instruction sets the working directory for the remaining build instructions.
This working directory will also be the default directory for all processes running inside the container.

Let's try a Dockerfile with the WORKDIR instruction:
$ vi Dockerfile-withworkdir FROM ubuntu:latest WORKDIR /tmp
Let's build the Dockerfile:
$ docker build -t ubuntu-withworkdir:latest -f Dockerfile-withworkdir .
Let's check the working directory within the container:
$ docker run --rm -ti ubuntu-withworkdir:latest /bin/bash -c 'pwd' /tmp

EXPOSE <port> [<port>/<protocol>...]
The EXPOSE instruction informs Docker that the container should listen on the specified ports. You still need to manually publish the ports when running the container. Use the -p flag to publish and map ports. Use the -P flag to publish all exposed ports and map them to ephemeral higher-order host ports on the host. By default, ports listen on TCP but you can explicitly set UDP.

Let's try a Dockerfile with the EXPOSE instruction:
$ vi Dockerfile-expose FROM nginx:latest EXPOSE 80/tcp EXPOSE 80/udp
Let's build the Dockerfile:
$ docker build -t nginx-expose:latest -f Dockerfile-expose .
Let's check the exposed port:
$ docker run -d -p 8080:80 nginx-expose:latest $ curl -s -o /dev/null -w "%{http_code}" http://localhost:8080 200