docker-expert

Complete Docker expertise across Windows/Linux/macOS. PROACTIVELY activate for: ANY Docker task (build/run/debug/optimize); Dockerfile authoring (multi-stage, distroless/Alpine runtimes, pinned versions, non-root user, minimal packages); Docker Compose (networking, service-name DNS, port vs expose, default-network, localhost-in-container pitfalls); security scanning and hardening (Docker Scout, Trivy, CVE, SBOM, supply chain, signed images, provenance, policy gates in CI); image size and build-time optimization (base-image, .dockerignore, layer consolidation, RUN cleanup); production deployments (Swarm, Kubernetes, ECS, AKS); troubleshooting (build failures, networking, volumes, permissions); CIS Docker Benchmark; BuildKit cache mounts and secrets; platform gotchas (Docker Desktop, WSL2, rootless Docker, CRLF/LF, volume-mount paths). Provides best practices and production-ready container configurations.

Latest Docker features (2025-2026) including Docker AI, Enhanced Container Isolation, BuildKit improvements, and Moby. PROACTIVELY activate for: (1) Docker AI / Ask Gordon assistant, (2) Enhanced Container Isolation (ECI) for hardened runtime, (3) Moby 25+ engine features, (4) BuildKit advancements (cache mounts, secrets, SBOM, provenance), (5) Docker Compose v2 features (watch mode, profiles, includes), (6) Docker Desktop new settings (Resource Saver, Synchronized File Shares, virtiofs), (7) Docker Build Cloud, (8) Docker Scout for vulnerability scanning, (9) WSL2 backend updates, (10) ContainerD integration. Provides: feature reference, version-detection snippets, BuildKit cache/secret recipes, Compose v2 watch examples, and migration notes.

Comprehensive Docker best practices for images, containers, and production deployments. PROACTIVELY activate for: (1) writing production-ready Dockerfiles, (2) multi-stage builds for lean images, (3) base image selection (distroless, alpine, scratch, slim), (4) layer caching and ordering, (5) .dockerignore hygiene, (6) HEALTHCHECK and graceful shutdown, (7) non-root user and least-privilege patterns, (8) ENV vs ARG and secret handling, (9) tag/digest pinning and reproducibility, (10) Compose for local development. Provides: Dockerfile templates by language, image-size optimization checklist, .dockerignore template, HEALTHCHECK patterns, and Compose dev-stack examples.

Docker on Windows with Git Bash / MINGW path conversion. PROACTIVELY activate for: (1) Docker commands failing on Windows Git Bash with path errors, (2) volume mount path conversion (-v $(pwd):/app), (3) MSYS_NO_PATHCONV and MSYS2_ARG_CONV_EXCL workarounds, (4) double-slash escapes (//c/foo) for MINGW, (5) docker-compose volume mounts on Windows, (6) WSL2 vs Hyper-V backend path interop, (7) line-ending issues in mounted scripts (CRLF vs LF), (8) UNC path limitations. Provides: MSYS path-conversion explainer, copy-pasteable env-var workarounds, double-slash recipes, line-ending fixes, and compose-mount patterns for Windows.

Platform-specific Docker considerations for Windows, Linux, and macOS. PROACTIVELY activate for: (1) Docker Desktop on Windows (WSL2 vs Hyper-V backends), (2) Docker Desktop on macOS (Apple Silicon, Rosetta, virtiofs), (3) native Docker Engine on Linux, (4) rootless Docker setup, (5) cross-platform image building (--platform, buildx, multi-arch manifests), (6) ARM64 vs x86_64 image selection, (7) volume performance differences (bind mount vs named volume across platforms), (8) Docker Desktop resource tuning per OS. Provides: per-platform setup steps, multi-arch build recipes, rootless setup, performance-tuning checklist, and known platform-specific gotchas.

Comprehensive Docker security guidelines and threat mitigation. PROACTIVELY activate for: (1) container security review, (2) running as non-root user, (3) read-only root filesystems and tmpfs mounts, (4) capability dropping (--cap-drop ALL), (5) seccomp and AppArmor profiles, (6) image vulnerability scanning (Docker Scout, Trivy, Grype), (7) supply-chain security (signed images, SBOM, provenance), (8) secrets management (Docker secrets, BuildKit --secret, external vaults), (9) network segmentation (user-defined networks, no --net=host), (10) CIS Docker Benchmark compliance. Provides: hardening checklist, scan-tool integration recipes, CIS benchmark mapping, secret handling patterns, and capability-drop reference.