
Docker — NHS Quickstart

🐳 Containers · Reproducible builds · App Runner / Azure App Service · Secrets · Health checks
Why Docker in the NHS

Standardise runtime environments for dashboards, APIs, and services to eliminate “works on my machine”. Containers are the hand-off unit for AWS App Runner, Azure App Service/Container Apps, or Kubernetes.

Great for: Developer · Data Engineer · BI Analyst (with deployment role).


βš™οΈ 10-minute install​

  • Windows: Install Docker Desktop; enable WSL2 backend.
  • macOS/Linux: Install Docker Desktop or your distro package.
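  • Add your user to the docker group (Linux) and restart your session. Membership of this group is root-equivalent on the host, so grant it only to accounts you would trust with sudo.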

🚀 “Hello NHS” container (FastAPI)

Folder layout

nhs-kpi-api/
  app.py
  requirements.txt
  Dockerfile
  .dockerignore

requirements.txt

fastapi
uvicorn

app.py

from fastapi import FastAPI

app = FastAPI()

@app.get("/")
def hello():
    return {"msg": "Hello NHS"}

@app.get("/health")
def health():
    return {"status": "ok"}

.dockerignore

__pycache__/
*.pyc
*.pyo
*.env
.venv/
dist/
build/

Dockerfile (simple)

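FROM python:3.11-slim
WORKDIR /app
# Install dependencies first so this layer is cached across code changes
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
ENV PORT=8000
EXPOSE 8000
# python:3.11-slim does not include curl, so probe /health with the Python interpreter
HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib.request as u; u.urlopen('http://localhost:8000/health', timeout=2)" || exit 1
CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8000"]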

Build & run

docker build -t nhs-kpi-api .
docker run -p 8000:8000 nhs-kpi-api
# open http://127.0.0.1:8000

🧱 Production-ready variants

Dockerfile
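FROM python:3.11-slim
WORKDIR /app
# Install dependencies first so this layer is cached across code changes
COPY requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt gunicorn
COPY . .
ENV PORT=8000
EXPOSE 8000
# python:3.11-slim does not include curl, so probe /health with the Python interpreter
HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib.request as u; u.urlopen('http://localhost:8000/health', timeout=2)" || exit 1
# Two gunicorn workers, each running the ASGI app through the uvicorn worker class
CMD ["gunicorn","-w","2","-k","uvicorn.workers.UvicornWorker","-b","0.0.0.0:8000","app:app"]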

🧪 Docker Compose (local dev)

compose.yml
services:
  api:
    build: .
    ports: ["8000:8000"]
    env_file: .env
    restart: unless-stopped

Run with:

docker compose up --build

🔒 Secrets & configuration

  • Use --env-file .env or env_file: .env (Compose) to inject config.
  • Prefer cloud secret stores in production (Key Vault / Secrets Manager).
  • Do not bake secrets into images; keep .env out of Git.

📦 Push images (cloud)

REGION="<region>"   # replace with your AWS region
REPO=nhs-kpi-api
AWS_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)
# Create the repository if it does not exist yet (ignore the error if it does)
aws ecr create-repository --repository-name "$REPO" --region "$REGION" || true
# Log in with a short-lived token passed on stdin, so it never appears in the process list
aws ecr get-login-password --region "$REGION" | docker login --username AWS --password-stdin "$AWS_ACCOUNT.dkr.ecr.$REGION.amazonaws.com"
docker tag nhs-kpi-api:latest "$AWS_ACCOUNT.dkr.ecr.$REGION.amazonaws.com/$REPO:latest"
docker push "$AWS_ACCOUNT.dkr.ecr.$REGION.amazonaws.com/$REPO:latest"

Deploy using the platform pages: AWS · Azure.


🛑 IG & safety checklist

  • Keep secrets out of images; mount via env or secret stores.
  • Avoid PHI in logs; enable request IDs and health checks.
  • Run as non-root where possible; pin base images; auto-scan in CI.
  • Tag images immutably; use lifecycle policies to clean up old tags.
  • Store DPIA reference and system owner in the repo README/runbook.
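The checklist items that are visible in a Dockerfile (pinned base image, non-root user, health check, no secret-looking ENV/ARG names) can be checked automatically in CI. The lint below is an added example, not part of the original page or of any NHS tooling; the finding codes, the secret-name pattern and the sample Dockerfile text are assumptions made for illustration.

```python
import re
# Names that suggest a credential in ENV/ARG (assumed pattern; tune per team).
SECRET_NAME = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)

def instructions(text):
    """Yield (INSTRUCTION, args); comments dropped, backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts, buf = (buf + line).split(None, 1), ""
        yield parts[0].upper(), parts[1] if len(parts) > 1 else ""

def lint_dockerfile(text):
    """Return sorted finding codes; the final stage decides user and health check."""
    findings, stages = set(), {}      # stages: name -> [user, has_healthcheck]
    state = ["root", False]
    for instr, args in instructions(text):
        toks = args.split()
        if instr == "FROM":
            ref = [t for t in toks if not t.startswith("--")]  # skip --platform=...
            image = ref[0] if ref else ""
            if image not in stages and image != "scratch" and "@sha256:" not in image:
                findings.add("unpinned-base")   # a tag can be re-pointed upstream
            # Assumption: external images run as root, no health check; stages inherit.
            state = list(stages.get(image, ["root", False]))
            if len(ref) >= 3 and ref[1].upper() == "AS":
                stages[ref[2]] = state          # same list, updated as the stage runs
        elif instr == "USER" and toks:
            state[0] = toks[0].split(":")[0]    # USER name[:group]
        elif instr == "HEALTHCHECK":
            state[1] = bool(toks) and toks[0].upper() != "NONE"
        elif instr in ("ENV", "ARG"):
            keys = [t.split("=", 1)[0] for t in toks if "=" in t] or toks[:1]
            if any(SECRET_NAME.search(k) for k in keys):
                findings.add("secret-in-env")   # readable via docker history/inspect
    end = {"runs-as-root": state[0] in ("root", "0"), "no-healthcheck": not state[1]}
    return sorted(findings | {code for code, hit in end.items() if hit})

# Constructed sample modelled on the page's Dockerfile (same base image, no USER).
SAMPLE = """FROM python:3.11-slim
ENV PORT=8000
HEALTHCHECK CMD python -c "import urllib.request as u; u.urlopen('http://localhost:8000/health')"
"""
print(lint_dockerfile(SAMPLE))  # ['runs-as-root', 'unpinned-base']
```

Both findings clear once the base image is referenced by digest and a `USER` instruction selects an unprivileged account in the final stage.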

πŸ“ Measuring impact​

  • Reliability: container health pass rate; mean time to recovery.
  • Consistency: builds reproduce on CI; identical behaviour across machines.
  • Security: zero committed secrets; scan findings trend; base image freshness.
  • Speed: build time; time to deploy to AWS/Azure.

🔗 See also

See also: AWS · Azure · Secrets & .env · FastAPI · Dash · SQL Server
