Writing Your First Dockerfile

In Lesson 2, you pulled images from Docker Hub and ran containers. Those images were built by someone else. Now you'll write your own blueprint—a Dockerfile—and build a custom image for your Task API.

By the end of this lesson, you'll understand exactly what happens when Docker reads each line of your Dockerfile, why instruction order matters for build speed, and how to create images that build fast and run reliably.

---

Setup: Create the Task API Project

You'll containerize the In-Memory Task API from Chapter 70. Let's create it fresh using UV:

Output:

Add FastAPI with all standard dependencies:

Output:

Now replace the contents of main.py with the Task API:

Test that it runs locally:

Output:

Open a new terminal and verify:

Output:

Stop the server with Ctrl+C. Your API works locally—now let's containerize it.

---

What Is a Dockerfile?

A Dockerfile is a text file containing instructions that tell Docker how to build an image. Think of it as a recipe:

• A recipe lists ingredients and steps to make a dish
• A Dockerfile lists a base environment and steps to create an image

When you run docker build, Docker reads your Dockerfile line by line, executing each instruction to construct an image.

What a Dockerfile Produces

The Dockerfile doesn't run your application. It creates an image—a frozen snapshot containing your code, dependencies, and configuration. When you docker run that image, you get a live container.

How Docker Reads a Dockerfile

Docker processes your Dockerfile top to bottom, one instruction at a time:

1. Each instruction creates a layer (a snapshot of the filesystem at that point)
2. Layers stack on top of each other
3. The final stack of layers = your image
4. Docker caches layers—if an instruction hasn't changed, Docker reuses the cached layer

This layered approach is why Docker builds are fast after the first time: unchanged layers don't rebuild.

The Six Essential Instructions

You'll use all six in your Dockerfile. Let's write it instruction by instruction.

---

Writing the Dockerfile: Line by Line

Create a new file named Dockerfile (no extension):

Open it in your editor. We'll build it one instruction at a time.

Instruction 1: FROM

Every Dockerfile starts with FROM. This specifies your base image—the starting environment.

Add this line:

What this does:

• FROM tells Docker: "Start with this pre-built image"
• python:3.12-slim is an official Python image with minimal OS (~130 MB)
• The image comes from Docker Hub (where you pulled nginx:alpine in Lesson 2)

Why slim? The slim variant includes only what's needed to run Python. The full python:3.12 image is ~900 MB with build tools you don't need for this application.

Your Dockerfile so far:

Instruction 2: Install UV Package Manager

UV is a modern Python package manager—10-100x faster than pip. We'll copy it from its official image:

What this does:

• COPY --from= is a multi-stage copy—it pulls binaries from another image
• ghcr.io/astral-sh/uv:latest is UV's official image
• /uv and /uvx are the UV binaries
• /bin/ places them in the system PATH

Your Dockerfile so far:

Instruction 3: WORKDIR

Set where your application will live inside the container:

What this does:

• Creates /app directory if it doesn't exist
• Sets it as the working directory for all subsequent instructions
• All COPY and RUN commands now execute relative to /app

Your Dockerfile so far:

Instruction 4: COPY Dependencies

Copy your dependency file into the image:

What this does:

• Copies pyproject.toml from your machine (the build context)
• Places it in /app (current WORKDIR)
• The . means "current directory inside the container"

Why copy this first? Layer caching. Dependencies change rarely; code changes often. By copying dependencies first, Docker can cache the installed packages layer and reuse it when only your code changes.

Your Dockerfile so far:

Instruction 5: RUN (Install Packages)

Now install the dependencies:

What this does:

• RUN executes a command during image build
• uv sync reads pyproject.toml and installs all dependencies
• --no-dev skips development dependencies (pytest, mypy, etc.)
• Creates a layer containing all installed packages

Important distinction:

• RUN executes during build (creates a layer in the image)
• CMD executes when container starts (doesn't create a layer)

Your Dockerfile so far:

Instruction 6: COPY Application Code

Now copy your actual application:

What this does:

• Copies main.py into /app
• This is the code that changes frequently

Why copy this AFTER dependencies? When you edit main.py and rebuild:

1. Docker sees that pyproject.toml hasn't changed
2. Docker reuses the cached layer with installed packages
3. Only this COPY main.py layer rebuilds
4. Build time: ~1 second instead of 30+ seconds

Your Dockerfile so far:

Instruction 7: EXPOSE

Document which port your application uses:

What this does:

• Documents that the container listens on port 8000
• Does NOT actually open the port—that happens with -p at runtime
• Useful as documentation and for orchestrators like Kubernetes

Your Dockerfile so far:

Instruction 8: CMD

Finally, tell Docker what command to run when the container starts:

What this does:

• CMD specifies the default startup command
• uv run executes in the UV-managed environment
• uvicorn main:app starts the ASGI server with your FastAPI app
• --host 0.0.0.0 binds to all interfaces (required for container networking)
• --port 8000 matches the EXPOSE instruction

Why 0.0.0.0? Inside a container, localhost (127.0.0.1) is isolated. Using 0.0.0.0 makes the service accessible when you map ports with -p.

Complete Dockerfile

Save the file.

---

Building Your Image

Now build an image from your Dockerfile:

What the flags mean:

Output:

Notice each step corresponds to an instruction in your Dockerfile. Docker executed them top to bottom, creating layers.

Verify the image exists:

Output:

Your image is ~195 MB—containing Python, UV, FastAPI, Uvicorn, and your application code.

---

Running Your Container

Start a container from your image:

What -p 8000:8000 does:

Output:

Open a new terminal and test:

Output:

Create a task:

Output:

Your containerized Task API works! Stop it with Ctrl+C.

---

The .dockerignore File

When you run docker build ., Docker sends your entire directory to the build context. If you have:

• .venv/ (500+ MB virtual environment)
• __pycache__/ (bytecode)
• .git/ (repository history)
• .env (secrets)

Docker wastes time processing these, and worse—secrets could end up in your image.

Create .dockerignore:

Rebuild to verify it works:

The build should be faster since Docker isn't processing excluded files.

---

Layer Caching in Action

Edit main.py to add a version endpoint:

Rebuild:

Output:

Notice CACHED for steps 1-5. Docker reused those layers because pyproject.toml didn't change. Only the COPY main.py step ran.

Build time: ~1 second instead of 45 seconds.

This is why instruction order matters:

• Frequent changes (your code) go at the bottom
• Rare changes (dependencies) go near the top

---

Running with Options

Different Host Port

Run on port 9000 instead:

Test:

Environment Variables

Pass configuration without changing the image:

Your application reads os.environ["LOG_LEVEL"] at runtime.

Background Mode

Run without blocking your terminal:

Flags:

Check status:

Stop and remove:

---

Common Build Errors

"COPY: source file does not exist"

Cause: File missing in build context. Fix: Verify the file exists: ls pyproject.toml

"Port already in use"

Cause: Another process using port 8000. Fix: Use different port: docker run -p 9000:8000 task-api:v1

Container Exits Immediately

Run without -d to see the error:

Or check logs:

---

Try With AI

Prompt 1: Diagnose a Slow Build

What you're learning: Analyzing layer cache invalidation—understanding how instruction order affects build performance.

Prompt 2: Handle Build Dependencies

What you're learning: Troubleshooting native compilation failures—a common challenge with Python packages that have binary dependencies.

Prompt 3: Design for Your Own API

What you're learning: Applying Dockerfile patterns to your own applications—moving from following instructions to making design decisions.

Safety Note

Never include secrets (API keys, passwords, database credentials) in your Dockerfile or image. Use environment variables (-e flag) or Docker secrets at runtime. Images may be shared or pushed to registries where secrets would be exposed.

---

Reflect on Your Skill

You built a docker-deployment skill in Lesson 0. Test and improve it based on what you learned.

Test Your Skill

Identify Gaps

• Did your skill produce valid Dockerfiles?
• Did it handle layer caching correctly?
• Did it include .dockerignore patterns?

Improve Your Skill

If you found gaps: