Engineering DockerContainersCompose

Docker Expert

Docker mastery: multi-stage builds, layer optimization, security scanning, Compose for dev/prod, networking, volumes, and container debugging.

A Docker expert who builds lean, secure production images and debugs container networking issues under pressure. Covers multi-stage build patterns to shrink Node.js images from 1.2GB to 80MB, Trivy security scanning integrated into CI, Compose override files for dev/staging/prod parity, and live container debugging with exec and nsenter.

Added Mar 20, 2026

$npx skills add johnefemer/skillfish --skill docker-expert

Capabilities Real Examples Get Started Models & Context Works Great With

What This Skill Can Do

Concrete capabilities you get when you install this skill.

Write multi-stage Dockerfiles that minimize final image size and attack surface

Design Docker Compose files with override files for dev, staging, and production

Integrate Trivy or Snyk container scanning into CI/CD pipelines

Debug container networking: DNS, bridge networks, host networking, and inter-service connectivity

Optimize layer caching to minimize rebuild time in CI

Configure health checks, resource limits, and restart policies for production

Real Conversations

See how the Docker Expert skill responds to actual requests. These are representative examples of what your AI agent will produce.

You

My Node.js API Docker image is 1.2GB. My team says that's too large for our ECR registry and slow to pull. How do I shrink it?

Agent

Three techniques to get under 100MB for a typical Node.js API:

1. Multi-stage build (biggest win):

# Stage 1: Install and build
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --include=dev
COPY . .
RUN npm run build  # compiles TypeScript → dist/

# Stage 2: Production image — only runtime deps
FROM node:20-alpine AS runtime
WORKDIR /app
ENV NODE_ENV=production

COPY package*.json ./
RUN npm ci --omit=dev --ignore-scripts && npm cache clean --force

COPY --from=builder /app/dist ./dist

USER node  # never run as root
EXPOSE 3000
CMD ["node", "dist/index.js"]

Size breakdown:

Image	Size
node:20 (default)	~1.1GB
node:20-alpine (full deps)	~350MB
node:20-alpine (prod deps only, multi-stage)	~80–120MB

2. Use .dockerignore:

node_modules
.git
*.test.ts
coverage/
.env*

3. For even smaller images, use node:20-alpine as base and strip dev tools:

RUN apk del --purge apk-tools  # removes package manager from final image

Validate with:

docker build -t myapp:prod --target runtime .
docker images myapp:prod  # check size
dive myapp:prod  # inspect layer contents

You

Service A can't reach Service B in my Docker Compose setup. I get 'connection refused' when hitting http://service-b:8080. Both services show as 'running' in docker ps.

Agent

"Connection refused" means the TCP connection was rejected by the host — not a DNS issue. Work through this in order:

1. Verify DNS resolves (rules out name resolution):

docker compose exec service-a sh -c "nslookup service-b"
# Should return an IP. If not: services are on different networks — see step 3.

2. Check if service-b is actually listening on 8080:

docker compose exec service-b sh -c "netstat -tlnp | grep 8080"
# OR
docker compose exec service-b sh -c "ss -tlnp"
# If empty: service-b isn't bound to port 8080, or is bound to 127.0.0.1 instead of 0.0.0.0

The most common root cause: server bound to localhost only:

// ❌ Binds to 127.0.0.1 — unreachable from other containers
app.listen(8080);  // default in some frameworks

// ✅ Binds to all interfaces — reachable via Docker network
app.listen(8080, '0.0.0.0');

3. Verify both services share a Compose network:

services:
  service-a:
    networks: [backend]  # must include same network as service-b
  service-b:
    networks: [backend]

networks:
  backend:

Without explicit network config, all services in the same Compose file share the default network. If you added a networks: key to one service, you must add it to all.

4. Check healthcheck and depends_on:

service-a:
  depends_on:
    service-b:
      condition: service_healthy  # waits until service-b passes its healthcheck

Without this, service-a starts before service-b is ready.

Get Started

How to install and use this skill in your preferred environment.

Skills are designed for AI coding agents (Claude Code, Cursor, Windsurf) and IDE-based workflows where the agent can read files, run scripts, and act on your codebase.

Models & Context

Which AI models and context windows work best with this skill.

Recommended Models

Claude Sonnet 4 or GPT-4o for Dockerfile optimization and networking. Always validate generated Dockerfiles with a build before deploying.

Context Window

SKILL.md ~4KB. Fits in 32K context; multi-service Compose debugging benefits from 64K+ to hold all service configs.

Pro tips for best results

1

Be specific

Include numbers — users, budget, RPS — so the skill can size the architecture.

2

Share constraints

Compliance needs, team size, and existing stack all improve the output.

3

Iterate

Start with a high-level design, then ask follow-ups for IaC, cost analysis, or security review.

4

Combine skills

Pair with companion skills below for end-to-end coverage.

Works Great With

These skills complement Docker Expert for end-to-end coverage. Install them together for better results.

Senior DevOps

CI/CD, infrastructure automation, containerization, and cloud platforms.

DevOpsCI/CD

Kubernetes Specialist

Kubernetes operations: deployments, services, ingress, Helm charts, operators, RBAC, resource limits, debugging pods, and cluster management for production.

KubernetesHelm

CI/CD Pipeline Builder

Analyze stack and generate GitHub Actions or GitLab CI configs.

CI/CDGitHub Actions

Senior SecOps

Application security, vulnerability management, compliance, and automation.

SecurityCompliance

$ skillfish add johnefemer/skillfish --all # install all skills at once

Ready to try Docker Expert?

Install the skill and start getting expert-level guidance in your workflow — any agent, any IDE.