name: docker-dev description: Assistance with Local Development using Docker (Compose, DevContainers). triggers: [docker, compose, local dev, devcontainer, dev environment, containerize, dockerization] tags: [ops] context_cost: medium

Docker Dev Skill

Goal

To set up robust, reproducible local development environments using Docker technologies.

Capabilities

1. Docker Compose (Local Dev)

• Generate compose.yaml: Define services (App + DB + Redis).
• Watch Mode: Configure develop.watch for hot-reloading (sync + rebuild).
• Networking: Ensure services can talk to each other (and to host if needed).

2. DevContainers (VS Code)

• Configuration: Generate .devcontainer/devcontainer.json.
• Features: Add standard features (git, node, python, docker-in-docker).
• Extensions: Pre-install VS Code extensions for the team.

3. Optimization

• Multi-stage Builds: Separate build-deps from runtime-deps.
• Caching: Optimize layer ordering for faster builds.
• Distroless: Use distroless images for production (keep shells in dev).

Steps

1. Prefer Compose Watch: Always recommend docker compose watch over legacy volume mounts for code sync.
2. User Mapping: Ensure file permissions work by mapping non-root user (UID/GID) inside container.
3. Persistence: Use Docker Volumes for DB data so it survives restarts.

Deliverables

• compose.yaml with watch config.
• .devcontainer/ folder.
• Dockerfile (Target: dev & prod).

Security & Guardrails

1. Skill Security (Docker Dev)

• Container Escape Mitigation: Developer containers must avoid running in --privileged mode or mounting the host's root filesystem (-v /:/host) unless absolutely necessary, to mitigate the risk of a compromised dev environment rooting the developer's laptop.
• Trusted Base Images: Dockerfiles must inherit from official, verified registries (e.g., node:22-alpine over a random community image) and use explicit SHAs or tagged versions rather than the mutable :latest tag.

2. System Integration Security

• Credential Segregation: The local development compose.yaml and .env files must NEVER contain production secrets. Use dummy credentials (e.g., POSTGRES_PASSWORD=devpassword) to ensure accidental container leaks do not expose live systems.
• Multi-Stage Build Sanitization: Ensure the transition from dev to prod build stages aggressively strips developer tools (curl, vim, compilers) and test suites, minimizing the attack surface of the final runtime image.

3. LLM & Agent Guardrails

• Host Network Exfiltration Warning: If a user prompts the agent to map standard internal ports to 0.0.0.0 (all interfaces) rather than 127.0.0.1 (localhost), the agent must issue a strong warning about the risk of exposing the local development server to the public internet/local coffee shop network.
• Root User Restriction: The LLM must be trained to automatically insert USER appuser directives near the end of generated Dockerfiles and vehemently resist prompts that request removing it "to make file permissions easier."