๐งฑ What is a Multi-Stage Build in Docker?
Multi-stage build allows you to use multiple
FROMstatements in a single Dockerfile to:
- Build the app in one stage ๐๏ธ
- Copy only what's needed to a smaller final image ๐ฆ
โ Why Do We Need It?
โ Main Goals:
| ๐ Benefit | ๐ฌ Why it Matters |
|---|---|
| โก Smaller Images | Only copy what's needed into final image |
| ๐ More Secure | No dev tools or secrets in production image |
| ๐ ๏ธ Cleaner CI/CD | Separate build & runtime environment |
| ๐ Better Layer Caching | Speeds up builds |
| ๐ Environment Separation | One image builds everything! |
๐ง Real-World Analogy
Imagine:
- ๐๏ธ Stage 1 = Construction site (messy, heavy tools)
- ๐ Stage 2 = Finished house (clean, cozy)
You build in the messy environment, but only move the furniture into the clean house. ๐งน
๐งช Multi-Stage Build Syntax
# ๐จ Stage 1: Build Stage FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build # ๐ฆ Stage 2: Final Production Image FROM node:20-alpine WORKDIR /app # Copy only final build artifacts (no source or node_modules) COPY --from=builder /app/dist ./dist COPY --from=builder /app/package.json ./ RUN npm ci --omit=dev # Set env vars, port and run ENV PORT=3000 EXPOSE 3000 CMD ["node", "dist/index.js"] ๐ Key Concepts Explained
| Keyword | Meaning |
|---|---|
AS builder | Give a name to this stage |
--from=builder | Copy files from previous stage |
npm ci --omit=dev | Install only production deps |
COPY . . | Used only in build stage to avoid code bloat in final image |
๐ฆ Before vs After: Image Size
| Approach | Image Size | Contents |
|---|---|---|
| ๐ตโ๐ซ Traditional Single Build | ~900MB | Full source code + dev dependencies |
| ๐คฉ Multi-Stage Build | ~200MB | Just built app + runtime dependencies |
๐ฅ Real Project Example: React App
# Step 1: Build React App FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm install COPY . . RUN npm run build # Step 2: Serve using NGINX FROM nginx:alpine COPY --from=builder /app/build /usr/share/nginx/html EXPOSE 80 CMD ["nginx", "-g", "daemon off;"] โ This builds the app with Node.js, and serves the static files via NGINX (no Node.js in final image!)
๐ฏ Common Multi-Stage Use Cases
| Use Case | Description |
|---|---|
| ๐ป Frontend builds | Use node + nginx combo |
| ๐ง Backend builds | Build with TS/Go/Rust, then copy binaries only |
| ๐งช Testing stage | Add test/linting in one stage, skip in final |
| ๐ฆ CI/CD pipelines | Clean, reproducible builds across stages |
๐งฐ Pro Tips & Best Practices
| ๐ก Tip | โ Recommendation |
|---|---|
Use --omit=dev | Strip dev-only packages in final stage |
Use .dockerignore | Exclude node_modules, .git, tests/, etc |
| Use labels | Add metadata like version, author, etc |
| Donโt copy everything | Use exact COPY paths for size control |
| Use named stages | Easier to copy from (--from=builder) |
| Keep final image minimal | Just enough to run your app (no tools!) |
๐ Combine with Docker Compose
You can define multi-stage builds in your Dockerfile and just run:
docker-compose build docker-compose up Your services will use the optimized final image automatically ๐ง โ
๐ ๏ธ Example Multi-Stage for TypeScript API
# Stage 1: Compile TS FROM node:20-alpine AS builder WORKDIR /app COPY . . RUN npm install RUN npm run build # Stage 2: Run with only JS output FROM node:20-alpine WORKDIR /app COPY --from=builder /app/dist ./dist COPY --from=builder /app/package*.json ./ RUN npm ci --omit=dev CMD ["node", "dist/server.js"] โ Summary: When to Use Multi-Stage Builds?
โ Always use if:
- You're using build tools like
tsc,webpack,vite - You want minimal production images
- You want to separate testing/staging/building
- You want faster CI builds & smaller attack surface
๐งพ Final TL;DR Cheatsheet
| Stage | Purpose | Base Image | Output |
|---|---|---|---|
| Stage 1 (builder) | Build, compile, test | node, golang, rust, etc. | /dist, /build, etc. |
| Stage 2 (prod) | Serve/run app only | node:alpine, nginx, etc. | Final slim image |
๐ฆ Full Dockerfile (Context Recap)
FROM node:20-alpine3.19 as base # Stage 1: Build Stuff FROM base as builder WORKDIR /home/build COPY package*.json . COPY tsconfig.json . RUN npm install COPY src/ src/ RUN npm run build # Stage 2: Runner FROM base as runner WORKDIR /home/app COPY --from=builder /home/build/dist dist/ COPY --from=builder /home/build/package*.json . RUN npm install --omit=dev RUN addgroup --system --gid 1001 nodejs RUN adduser --system --uid 1001 nodejs USER nodejs EXPOSE 8000 ENV PORT=8000 CMD [ "npm", "start" ] ๐ฏ A2Z Breakdown of Each Section
๐งฑ FROM node:20-alpine3.19 as base
๐ง What it does:
- Starts from a minimal Node.js 20 Alpine image
- Alpine is lightweight (~5MB), good for small, fast images
-
as basenames this stage for reuse
๐งฉ Think of
baselike a shared template that both stages use.
๐จ Stage 1: Builder
FROM base as builder WORKDIR /home/build ๐ง What happens here:
- We switch to a new build stage, using
baseimage -
WORKDIR /home/buildsets a directory for our build process
COPY package*.json . COPY tsconfig.json . RUN npm install ๐ฆ Install dependencies:
-
package*.jsoncopied to install dependencies -
tsconfig.jsonis required for TypeScript compilation -
npm installinstalls all dependencies (dev + prod)
COPY src/ src/ RUN npm run build ๐ ๏ธ Build your app:
- Copies your app's TypeScript code
-
npm run buildcompiles TS into JS โ typically inside/dist
โ End Result of Stage 1:
A folder
/home/build/distwith compiled production-ready JS output.
๐ Stage 2: Runner
FROM base as runner WORKDIR /home/app ๐ What it does:
- We now create a fresh container just for running the app.
-
WORKDIR /home/appis where your app will run from.
COPY --from=builder /home/build/dist dist/ COPY --from=builder /home/build/package*.json . ๐ Copy built artifacts only:
- Only copy the
dist/folder and package files (no source, no tsconfig) - Ensures the final image is slim & clean
RUN npm install --omit=dev ๐ Production-only install:
- Installs only prod dependencies (no dev tools like
eslint,tsc, etc.) - Keeps final image light and secure โ
๐ฎ Add Secure Non-Root User
RUN addgroup --system --gid 1001 nodejs RUN adduser --system --uid 1001 nodejs USER nodejs ๐ Why?
- Running as
rootis dangerous in containers โ - We create a user
nodejswith limited permissions for safety - UID/GID
1001is just an arbitrary non-root system user
๐ Port & Env Setup
EXPOSE 8000 ENV PORT=8000 -
EXPOSE 8000: Documents that the app uses port 8000 -
ENV PORT=8000: Sets the default port for app to use internally
You still need to use
-pto map it to host:
docker run -p 8000:8000 <image>
๐ฆ Start the App
CMD [ "npm", "start" ] ๐ข Default entrypoint when container runs
- This triggers your
"start"script frompackage.json:
"start": "node dist/index.js" โ Summary Table
| ๐น Section | ๐ Purpose |
|---|---|
FROM base | Reuse image to reduce duplication |
builder | Compiles TypeScript into JS |
runner | Runs a minimal production image |
npm install in builder | Installs full deps for building |
npm install --omit=dev in runner | Installs only what's needed to run |
COPY --from=builder | Efficient file copy without rebuild |
USER nodejs | Enhances container security |
๐ Resulting Benefits
| ๐ Benefit | โ Achieved |
|---|---|
| Small Image | โ Only runtime code in final image |
| Secure | โ Non-root user, no dev tools |
| Faster Builds | โ Reuses build layers |
| Clean Code Separation | โ No TypeScript or build files inside final container |
| Portable | โ Can run on any platform with Node 20 |
๐ง Bonus Tip: View Image Sizes
docker images Compare the multi-stage image (~100MB) vs a single-stage image (~400โ600MB) ๐คฏ
๐ Final Thoughts
This approach follows Docker best practices:
- Multi-stage
- Production-ready
- Secure by default
- Reproducible builds
Top comments (0)