Docker Cheat Sheet (v28.x) #
A condensed guide to essential Docker commands, Dockerfile best practices, and Docker Compose.
Core Concepts #
- Image: A lightweight, standalone, executable package that includes everything needed to run a piece of software, including the code, a runtime, libraries, environment variables, and config files.
- Container: A runnable instance of an image. You can create, start, stop, move, or delete a container using the Docker API or CLI.
- Volume: A mechanism for persisting data generated by and used by Docker containers. Volumes are managed by Docker and are the preferred way to handle persistent storage.
- Network: Provides a way to isolate containers from each other and the host machine, but also allows them to communicate with each other, the host, or external networks.
- Dockerfile: A text document that contains all the commands a user could call on the command line to assemble an image.
- Docker Compose: A tool for defining and running multi-container Docker applications. Uses a YAML file to configure the application’s services.
Essential Docker CLI Commands #
General & Info #
- `docker version`: Show Docker version information.
- `docker system info`: Display system-wide information.
- `docker help`: Display a list of all Docker commands.
- `docker <command> --help`: Show help for a specific command.
Image Management #
- `docker build .`: Build an image from a Dockerfile in the current directory.
- `docker build -t my-app:1.0 .`: Build and tag an image.
- `docker images`: List all local images.
- `docker rmi my-app:1.0`: Remove an image.
- `docker rmi $(docker images -f "dangling=true" -q)`: Remove all dangling (unused) images.
- `docker pull nginx:latest`: Pull an image from a registry (Docker Hub by default).
- `docker push my-repo/my-app:1.0`: Push an image to a registry.
- `docker tag my-app:1.0 my-repo/my-app:1.0`: Add a new tag to an existing image.
Container Lifecycle #
- `docker run -d -p 8080:80 --name my-nginx nginx`: Run a container from an image in detached mode with port mapping and a name.
- `docker ps`: List all running containers.
- `docker ps -a`: List all containers (running and stopped).
- `docker stop my-nginx`: Stop a running container gracefully (sends SIGTERM).
- `docker kill my-nginx`: Stop a running container immediately (sends SIGKILL).
- `docker start my-nginx`: Start a stopped container.
- `docker restart my-nginx`: Restart a container.
- `docker rm my-nginx`: Remove a stopped container.
- `docker rm -f my-nginx`: Force-remove a running container.
- `docker logs my-nginx`: Fetch the logs of a container.
- `docker logs -f my-nginx`: Follow the log output in real-time.
- `docker exec -it my-nginx /bin/bash`: Execute a command in a running container (interactive shell).
Inspection & Resource Management #
- `docker inspect my-nginx`: Display low-level information on Docker objects (containers, images, etc.).
- `docker stats`: Display a live stream of container(s) resource usage statistics.
- `docker system df`: Show Docker disk usage.
- `docker system prune`: Remove all unused data (dangling images, stopped containers, unused networks, and build cache).
- `docker system prune -a --volumes`: Remove all unused images (not just dangling ones) and volumes.
Network Management #
- `docker network ls`: List networks.
- `docker network create my-network`: Create a new bridge network.
- `docker network inspect my-network`: Display detailed information on a network.
- `docker network rm my-network`: Remove a network.
Volume Management #
- `docker volume ls`: List volumes.
- `docker volume create my-volume`: Create a volume.
- `docker volume inspect my-volume`: Display detailed information on a volume.
- `docker volume rm my-volume`: Remove a volume.
- `docker volume prune`: Remove all unused local volumes.
Dockerfile Best Practices #
- Use `.dockerignore`: Exclude files and directories not needed for the build to keep the build context small and avoid leaking secrets.
- Use Multi-Stage Builds: Separate build-time dependencies from runtime dependencies to create smaller, more secure final images.
- Order Matters for Caching: Place instructions that change less frequently (like installing dependencies) before those that change more frequently (like copying source code).
- Combine `RUN` instructions: Chain commands using `&&` to reduce the number of image layers. For `apt-get`, combine `update`, `install`, and clean-up in one line.

  ```dockerfile
  RUN apt-get update && apt-get install -y --no-install-recommends curl && rm -rf /var/lib/apt/lists/*
  ```
- Use Specific Base Images: Avoid `latest`. Use specific tags (e.g., `node:18-alpine`) for reproducibility and stability.
- Use Minimal Base Images: Prefer smaller base images like `alpine`, `slim`, or `distroless` to reduce the attack surface and image size.
- `COPY` over `ADD`: `COPY` is more transparent. Use `ADD` only when you need to auto-extract a tar file or fetch a remote URL.
- Run as a Non-Root User: Create a dedicated user and group, and use the `USER` instruction to avoid running containers with root privileges.
- Lint Your Dockerfile: Use tools like `hadolint` to check for common mistakes and apply best practices automatically.
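
The practices above combined in one Dockerfile, as an added example that is not part of the original cheat sheet. It assumes a hypothetical Flask application (`app.py`, `requirements.txt`) like the `webapp` service in this page's Compose example; the stage name `build`, the user `app` and the `python:3.12-slim` tag are illustrative choices.

```dockerfile
# Added example: assumes a hypothetical Flask app (app.py, requirements.txt)
# and a .dockerignore that excludes .git, .env and local virtualenvs.

# --- Build stage: dependencies are installed here, not in the final image ---
FROM python:3.12-slim AS build
WORKDIR /app
# Copy only the dependency manifest first so this layer stays cached
# until requirements.txt changes.
COPY requirements.txt .
RUN pip install --no-cache-dir --prefix=/install -r requirements.txt

# --- Runtime stage: pinned, minimal base with no build leftovers ---
FROM python:3.12-slim
# Dedicated unprivileged user and group (names are illustrative).
RUN groupadd --system app \
 && useradd --system --gid app --no-create-home --shell /usr/sbin/nologin app
# Bring in only the installed packages from the build stage.
COPY --from=build /install /usr/local
WORKDIR /app
# Source changes most often, so it is copied last; COPY rather than ADD.
COPY --chown=app:app . .
# Everything from here on, including the running container, is non-root.
USER app
EXPOSE 5000
CMD ["python", "-m", "flask", "run", "--host=0.0.0.0", "--port=5000"]
```

After `docker build -t my-app:1.0 .`, running `docker run --rm my-app:1.0 id` should report a non-zero UID, confirming the container does not run as root.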
Docker Compose (v2 Syntax) #
- File: `compose.yml` or `docker-compose.yml`
- Basic Example (`compose.yml`):

  ```yaml
  services:
    webapp:
      build: .
      ports:
        - "8000:5000"
      volumes:
        - .:/code
      environment:
        - FLASK_ENV=development
    redis:
      image: "redis:alpine"
  ```
Common Commands #
- `docker compose up`: Create and start containers. Add `-d` to run in detached mode.
- `docker compose down`: Stop and remove containers, networks, and volumes created by `up`.
- `docker compose ps`: List containers for the current project.
- `docker compose logs`: View output from services.
- `docker compose logs -f webapp`: Follow logs for a specific service.
- `docker compose build`: Build or rebuild services.
- `docker compose exec webapp /bin/sh`: Execute a command in a running service.
- `docker compose run --rm webapp python manage.py shell`: Run a one-off command in a new service container.
- `docker compose config`: Validate and view the compose file.
Security & Scanning #
- `docker scan my-app:1.0`: Scan an image for vulnerabilities (powered by Snyk).
- `docker sbom my-app:1.0`: Generate a Software Bill of Materials (SBOM) for an image.