Docker
Docker CLI, Dockerfile patterns, Compose, networking, volumes and registry operations
Images
Build, tag, inspect and clean up Docker images
bashยทList images
docker images
bashยทBuild image from Dockerfile
docker build -t myapp:latest .
bashยทBuild with a specific Dockerfile
docker build -f docker/Dockerfile.prod -t myapp:prod .
bashยทBuild with build args
# Build args are recorded in the image metadata and can show up in `docker history`,
# so keep them to non-sensitive settings; pass credentials with BuildKit's --secret instead.
docker build --build-arg NODE_ENV=production --build-arg PORT=8080 -t myapp .
bashยทBuild for a specific platform
docker build --platform linux/amd64 -t myapp:amd64 .
bashยทBuild multi-platform and push
docker buildx build --platform linux/amd64,linux/arm64 -t myrepo/myapp:latest --push .
bashยทTag an image
docker tag myapp:latest myrepo/myapp:1.0.0
bashยทPull image
docker pull nginx:alpine
bashยทPush image to registry
docker push myrepo/myapp:1.0.0
bashยทInspect image layers and metadata
docker inspect myapp:latest
bashยทShow image layer history and sizes
docker history myapp:latest
bashยทRemove image
docker rmi myapp:latest
bashยทRemove all dangling images
docker image prune
bashยทRemove all unused images
docker image prune -a
bashยทSave image to tar file
docker save myapp:latest | gzip > myapp.tar.gz
bashยทLoad image from tar file
docker load < myapp.tar.gz
Containers
Run, stop, inspect and manage container lifecycles
bashยทList running containers
docker ps
bashยทList all containers (including stopped)
docker ps -a
bashยทRun container (foreground)
docker run nginx:alpine
bashยทRun container (detached + named)
docker run -d --name webserver nginx:alpine
bashยทRun with port mapping
# -p 8080:80 publishes on every host interface (0.0.0.0); use -p 127.0.0.1:8080:80
# when the port should only be reachable from the host itself.
docker run -d -p 8080:80 nginx:alpine
bashยทRun with environment variables
docker run -d -e NODE_ENV=production -e PORT=3000 myapp:latest
bashยทRun with env file
docker run -d --env-file .env myapp:latest
bashยทRun with volume mount
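# Quote the substitution so a working directory containing spaces is passed as one -v argument.
docker run -d -v "$(pwd)/data:/app/data" myapp:latest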
bashยทRun interactively and remove on exit
docker run -it --rm ubuntu:22.04 bash
bashยทRun with resource limits
docker run -d --memory=512m --cpus=1.5 myapp:latest
bashยทRun with restart policy
docker run -d --restart=unless-stopped myapp:latest
bashยทStop container
docker stop webserver
bashยทStart stopped container
docker start webserver
bashยทRestart container
docker restart webserver
bashยทRemove container
docker rm webserver
bashยทStop and remove container
docker rm -f webserver
bashยทRemove all stopped containers
docker container prune -f
bashยทStop all running containers
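# `docker stop` with no IDs exits with an error, so only call it when something is running.
running=$(docker ps -q)
[ -z "$running" ] || docker stop $running   # unquoted on purpose: one argument per container ID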
Logs, Exec & Inspect
Debug running containers — logs, shell access and low-level inspection
bashยทStream container logs
docker logs -f webserver
bashยทShow last 100 lines with timestamps
docker logs --tail=100 --timestamps webserver
bashยทLogs since a time
docker logs --since=1h webserver
bashยทExecute command in running container
docker exec webserver cat /etc/nginx/nginx.conf
bashยทOpen interactive shell in container
docker exec -it webserver /bin/sh
bashยทOpen shell as root
docker exec -it -u root webserver /bin/bash
bashยทInspect container (full JSON metadata)
docker inspect webserver
bashยทGet container IP address
docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' webserver
bash·Show live resource usage
docker stats
bashยทShow resource usage (single, no stream)
docker stats webserver --no-stream
bashยทShow running processes inside container
docker top webserver
bashยทCopy file from container
docker cp webserver:/etc/nginx/nginx.conf ./nginx.conf
bashยทCopy file into container
docker cp ./nginx.conf webserver:/etc/nginx/nginx.conf
bashยทDiff filesystem changes vs image
docker diff webserver
Volumes
Create and manage named volumes for persistent data
bashยทList volumes
docker volume ls
bashยทCreate named volume
docker volume create pgdata
bashยทInspect volume
docker volume inspect pgdata
bashยทMount named volume into container
docker run -d -v pgdata:/var/lib/postgresql/data postgres:16
bashยทBind mount current directory
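# Quoted so a path with spaces stays one argument. The container gets read-write access
# to the whole current directory; append :ro if it only needs to read it.
docker run -d -v "$(pwd):/app" -w /app node:20 node index.js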
bashยทRead-only bind mount
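# :ro stops the container from modifying host configuration; quoting keeps paths with spaces intact.
docker run -d -v "$(pwd)/config:/app/config:ro" myapp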
bashยทBackup volume to tar
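# pgdata.tar.gz holds the raw volume contents (here: database files), so store it with the
# same access controls as the database itself. $(pwd) is quoted to survive spaces in the path.
docker run --rm -v pgdata:/data -v "$(pwd):/backup" alpine tar czf /backup/pgdata.tar.gz -C /data .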
bashยทRestore volume from tar
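# Overwrites files in the volume with the archive's contents; only restore archives you created
# or otherwise trust. $(pwd) is quoted to survive spaces in the path.
docker run --rm -v pgdata:/data -v "$(pwd):/backup" alpine tar xzf /backup/pgdata.tar.gz -C /data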
bashยทRemove volume
docker volume rm pgdata
bashยทRemove all unused volumes
docker volume prune -f
Networking
Create networks and connect containers together
bashยทList networks
docker network ls
bashยทCreate bridge network
docker network create mynetwork
bashยทCreate network with subnet
docker network create --subnet=172.20.0.0/16 mynetwork
bashยทRun container on specific network
docker run -d --network mynetwork --name api myapp:latest
bashยทConnect running container to network
docker network connect mynetwork webserver
bashยทDisconnect container from network
docker network disconnect mynetwork webserver
bashยทInspect network (see connected containers)
docker network inspect mynetwork
bashยทRemove network
docker network rm mynetwork
bashยทRemove all unused networks
docker network prune -f
Dockerfile Patterns
Production-ready Dockerfile patterns and best practices
docker·Node.js multi-stage production build
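# --- deps stage: production dependencies only ---
FROM node:20-alpine AS deps
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev

# --- build stage: full install and compile ---
FROM node:20-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
# Everything in the build context is copied here; a .dockerignore should keep
# .env, .git and node_modules out of it.
COPY . .
RUN npm run build

# --- runtime stage: only what is needed to run ---
FROM node:20-alpine AS runtime
WORKDIR /app
ENV NODE_ENV=production
# Non-root user
RUN addgroup -S app && adduser -S app -G app
USER app
# COPY without --chown leaves the files root-owned, so the app user can read
# but not modify its own code and dependencies.
COPY --from=deps /app/node_modules ./node_modules
COPY --from=build /app/dist ./dist
EXPOSE 3000
CMD ["node", "dist/index.js"]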
docker·Python multi-stage build
# --- build stage: resolve and install dependencies into /app/.venv ---
FROM python:3.12-slim AS build
WORKDIR /app
# NOTE(review): uv is installed unpinned, so each rebuild may pull a different release;
# pin it (pip install uv==<VERSION>) if the build has to be reproducible.
RUN pip install uv
COPY pyproject.toml uv.lock ./
# --frozen uses uv.lock as-is instead of re-resolving; --no-dev leaves out development dependencies.
RUN uv sync --frozen --no-dev --no-editable
# โโ runtime stage โโโโโโโโโโโโโโโโโโโโโโโโโโโโ
FROM python:3.12-slim AS runtime
WORKDIR /app
ENV PYTHONDONTWRITEBYTECODE=1 \
PYTHONUNBUFFERED=1
RUN addgroup --system app && adduser --system --ingroup app app
USER app
COPY --from=build /app/.venv ./.venv
COPY src/ ./src/
ENV PATH="/app/.venv/bin:$PATH"
EXPOSE 8000
CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000"]
docker·Go — single binary scratch image
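# --- build stage ---
FROM golang:1.23-alpine AS build
WORKDIR /app
# Module files first so the dependency download is cached until go.mod/go.sum change.
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a static binary, which is required to run on scratch.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o server ./cmd/server

# --- runtime stage (minimal) ---
FROM scratch
# scratch has no trust store, so the CA bundle is taken from the build image for outbound TLS.
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
COPY --from=build /app/server /server
# scratch has no /etc/passwd, so the user is given numerically. Without this line
# the binary runs as UID 0. Port 8080 is unprivileged, so no extra capability is needed.
# NOTE(review): assumes the server does not write to root-owned paths; confirm.
USER 65534:65534
EXPOSE 8080
ENTRYPOINT ["/server"]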
docker·Dockerfile best-practice patterns
# Pin base image versions for reproducibility
# NOTE(review): a tag can be re-pushed; appending @sha256:<DIGEST> pins the exact image contents.
FROM node:20.18-alpine3.20
# Combine RUN layers to reduce image size
RUN apk add --no-cache curl git && \
rm -rf /var/cache/apk/*
# Copy dependency manifests before source code
# (improves layer cache — only re-runs npm ci when lockfile changes)
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
# Use COPY instead of ADD unless you need auto-extraction
# (ADD can also fetch remote URLs and unpack archives, which is rarely what you want)
COPY config/ ./config/
# Prefer ENTRYPOINT + CMD for flexibility
# NOTE(review): no USER instruction appears in this snippet, so the process runs as root
# unless one is added before ENTRYPOINT.
ENTRYPOINT ["node"]
CMD ["dist/index.js"]
# HEALTHCHECK: the container is reported unhealthy after 3 consecutive failed probes
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
CMD curl -f http://localhost:3000/health || exit 1
# Document exposed ports and volumes
EXPOSE 3000
VOLUME ["/app/data"]
Docker Compose
Define and run multi-container applications
bashยทStart services (detached)
docker compose up -d
bashยทStart and rebuild images
docker compose up -d --build
bashยทStart specific service
docker compose up -d api
bashยทStop services
docker compose down
bashยทStop and remove volumes
# -v also deletes the named volumes declared in the compose file (for example database data)
# and anonymous volumes attached to the containers; this cannot be undone.
docker compose down -v
bashยทStream logs for all services
docker compose logs -f
bashยทStream logs for one service
docker compose logs -f api
bashยทScale a service
docker compose up -d --scale worker=5
bashยทRun one-off command in service
docker compose run --rm api python manage.py migrate
bashยทExec into running service
docker compose exec api /bin/sh
bashยทRestart a service
docker compose restart api
bashยทPull latest images for all services
docker compose pull
bashยทShow running service status
docker compose ps
bashยทValidate compose file
docker compose config
bashยทUse alternate compose file
docker compose -f docker-compose.prod.yml up -d
yaml·Full compose.yml example
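services:
  api:
    build:
      context: .
      dockerfile: Dockerfile
      target: runtime
    ports:
      # Published on all host interfaces; write "127.0.0.1:3000:3000" to keep it local to the host.
      - "3000:3000"
    environment:
      - NODE_ENV=production
      # The password is read from the shell or the project's .env file instead of being
      # committed in this file; compose stops with the message below if it is unset.
      - "DATABASE_URL=postgresql://user:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@db:5432/app"
    env_file:
      # Keep .env out of version control and out of the image build context.
      - .env
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
    restart: unless-stopped
    networks:
      - backend

  db:
    image: postgres:16-alpine
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_USER: user
      # Same variable as in DATABASE_URL above, so the two cannot drift apart.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}"
      POSTGRES_DB: app
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U user -d app"]
      interval: 10s
      timeout: 5s
      retries: 5
    # No ports are published: the database is reachable only from the backend network.
    networks:
      - backend

  redis:
    image: redis:7-alpine
    # No password is configured; this relies on redis staying unpublished on the backend network.
    command: redis-server --save 60 1 --maxmemory 256mb --maxmemory-policy allkeys-lru
    volumes:
      - redisdata:/data
    networks:
      - backend

volumes:
  pgdata:
  redisdata:

networks:
  backend: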
    driver: bridge
Registry & Security
Login to registries, scan images and manage credentials
bashยทLogin to Docker Hub
# Without a credential helper configured, the login is saved base64-encoded (not encrypted)
# in ~/.docker/config.json; anyone who can read that file can reuse it.
docker login
bashยทLogin to private registry
# In scripts and CI, pipe the password in with --password-stdin (together with -u <USERNAME>)
# so it stays out of shell history and the process list.
docker login registry.example.com
bashยทLogout
docker logout
bashยทSearch Docker Hub
docker search nginx --limit 10
bashยทScan image for vulnerabilities (Scout)
docker scout cves myapp:latest
bashยทShow Scout recommendations
docker scout recommendations myapp:latest
bashยทRun as non-root (verify)
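# Configured user of the image; empty output means no USER was set and the container defaults to root.
docker inspect -f '{{.Config.User}}' myapp:latest
# Runtime check. --entrypoint makes `id` run directly instead of being passed as an
# argument to the image's own ENTRYPOINT; it needs an `id` binary inside the image.
docker run --rm --entrypoint id myapp:latest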
bashยทRun read-only filesystem
docker run --read-only --tmpfs /tmp myapp:latest
bashยทDrop all capabilities (least privilege)
# Starts from zero capabilities and adds back only NET_BIND_SERVICE, which is needed
# solely to bind ports below 1024; leave it out if the app listens on a high port.
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:latest
bashยทRun with security options
docker run --security-opt=no-new-privileges:true myapp:latest
System & Cleanup
Reclaim disk space and inspect Docker system usage
bashยทShow disk usage by resource type
docker system df
bashยทShow verbose disk usage
docker system df -v
bashยทRemove all unused resources (safe prune)
# Removes stopped containers, unused networks, dangling images and build cache;
# volumes and tagged images are kept.
docker system prune
bashยทRemove everything including volumes
# Irreversible: -a also removes every image not used by a container, and --volumes
# additionally prunes unused volumes together with their data (which volumes qualify
# differs between Docker versions, so check `docker volume ls` first).
docker system prune -a --volumes
bashยทRemove dangling images only
docker image prune -f
bashยทRemove unused images (including tagged)
docker image prune -a -f
bashยทShow Docker version info
docker version
bashยทShow Docker system info
docker info
bashยทShow all Docker events (live)
docker events
bashยทKill all running containers
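# `docker kill` with no IDs exits with an error, so only call it when something is running.
# kill sends SIGKILL by default: containers get no chance to flush data or shut down cleanly.
running=$(docker ps -q)
[ -z "$running" ] || docker kill $running   # unquoted on purpose: one argument per container ID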
bashยทRemove all containers, images and volumes (nuclear)
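# Irreversible: removes all containers, all images, unused networks, build cache and unused volumes.
# With nothing running, a bare `docker stop` fails and the original `&&` chain would skip
# the prune, so the stop is only attempted when there are container IDs to pass.
running=$(docker ps -q)
if [ -z "$running" ] || docker stop $running; then   # $running unquoted on purpose: one argument per ID
  docker system prune -a --volumes -f
fi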