## Table 1: Container Lifecycle Management | **Command** | **Example** | **Description** | |---|---|---| | [**docker run**](https://docs.docker.com/reference/cli/docker/container/run/) | `docker run -d -p 8080:80 --name web nginx` | • Creates and starts a **new container** from an image
• `-d` runs detached, `-p` maps ports, `--name` assigns a custom name. Most commonly used command. | | [**docker start**](https://docs.docker.com/reference/cli/docker/container/start/) | `docker start web` | • Starts an **existing stopped** container
• preserves all container state and configuration. | | [**docker stop**](https://docs.docker.com/reference/cli/docker/container/stop/) | `docker stop web` | Gracefully stops a running container by sending **SIGTERM** then SIGKILL after grace period (default 10s). | | [**docker restart**](https://docs.docker.com/reference/cli/docker/container/restart/) | `docker restart web` | • **Stops then starts** a container
• equivalent to `stop` + `start`. | | [**docker pause**](https://docs.docker.com/reference/cli/docker/container/pause/) | `docker pause web` | • **Freezes** all processes in a container using cgroups
• no CPU/memory usage, instant resume with `unpause`. | | [**docker unpause**](https://docs.docker.com/reference/cli/docker/container/unpause/) | `docker unpause web` | • **Resumes a paused container**
• restores execution exactly where it stopped. | | [**docker rm**](https://docs.docker.com/reference/cli/docker/container/rm/) | `docker rm -f web` | • **Removes a stopped container**
• `-f` forces removal of running containers by killing them first. | | [**docker kill**](https://docs.docker.com/reference/cli/docker/container/kill/) | `docker kill web` | • Immediately stops a container by sending **SIGKILL**
• no graceful shutdown, use for unresponsive containers. | | [**docker create**](https://docs.docker.com/reference/cli/docker/container/create/) | `docker create --name web nginx` | • Creates a container **without starting** it
• useful for preparing containers before `start`. | | [**docker wait**](https://docs.docker.com/reference/cli/docker/container/wait/) | `docker wait web` | • Blocks until a container stops, then prints its **exit code**
• useful in scripts. | | [**docker rename**](https://docs.docker.com/reference/cli/docker/container/rename/) | `docker rename web web-old` | • **Renames** an existing container
• works on running and stopped containers. | | [**docker update**](https://docs.docker.com/reference/cli/docker/container/update/) | `docker update --cpus 2 --memory 1g web` | • Dynamically **updates resource limits** and restart policy on running containers
• avoids container recreation. | ## Table 2: Container Inspection and Interaction | **Command** | **Example** | **Description** | |---|---|---| | [**docker ps**](https://docs.docker.com/reference/cli/docker/container/ls/) | `docker ps -a` | • Lists containers
• default shows **running only**, `-a` includes stopped. | | [**docker logs**](https://docs.docker.com/reference/cli/docker/container/logs/) | `docker logs -f --tail 100 web` | • Shows **container stdout/stderr**
• `-f` follows live output, `--tail` limits lines. | | [**docker exec**](https://docs.docker.com/reference/cli/docker/container/exec/) | `docker exec -it web bash` | • Runs a **new process** inside a running container
• `-it` allocates interactive TTY for shell access. | | [**docker attach**](https://docs.docker.com/reference/cli/docker/container/attach/) | `docker attach web` | • Connects to container's **main process** stdin/stdout
• Ctrl+C stops the container. | | [**docker inspect**](https://docs.docker.com/reference/cli/docker/container/inspect/) | `docker inspect web` | Returns **detailed JSON** with all container metadata including config, state, network, mounts. | | [**docker stats**](https://docs.docker.com/reference/cli/docker/container/stats/) | `docker stats web` | • Live stream of **CPU, memory, network, disk I/O** metrics
• press Ctrl+C to stop. | | [**docker top**](https://docs.docker.com/reference/cli/docker/container/top/) | `docker top web` | • Shows **running processes** inside a container
• equivalent to `ps` inside the container. | | [**docker port**](https://docs.docker.com/reference/cli/docker/container/port/) | `docker port web` | • Lists all **port mappings** for a container
• shows host port → container port bindings. | | [**docker diff**](https://docs.docker.com/reference/cli/docker/container/diff/) | `docker diff web` | Shows **filesystem changes** (A=added, C=changed, D=deleted) since container creation. | ## Table 3: Image Management | **Command** | **Example** | **Description** | |---|---|---| | [**docker build**](https://docs.docker.com/reference/cli/docker/image/build/) | `docker build -t myapp:1.0 .` | • Builds an image from a Dockerfile
• `-t` tags it, `.` specifies **build context** directory. | | [**docker images**](https://docs.docker.com/reference/cli/docker/image/ls/) | `docker images` | Lists **all local images** with repository, tag, image ID, creation date, and size. | | [**docker pull**](https://docs.docker.com/reference/cli/docker/image/pull/) | `docker pull nginx:alpine` | • Downloads an image from a **registry** (default Docker Hub)
• pulls all layers not already cached. | | [**docker push**](https://docs.docker.com/reference/cli/docker/image/push/) | `docker push myuser/myapp:1.0` | • Uploads an image to a **registry**
• requires authentication via `docker login`. | | [**docker tag**](https://docs.docker.com/reference/cli/docker/image/tag/) | `docker tag myapp:1.0 myapp:latest` | • Creates a **new tag** pointing to the same image
• does not copy the image. | | [**docker rmi**](https://docs.docker.com/reference/cli/docker/image/rm/) | `docker rmi nginx:alpine` | • **Removes an image**
• fails if containers use it unless `-f` forces removal. | | [**docker history**](https://docs.docker.com/reference/cli/docker/image/history/) | `docker history nginx` | • Shows **all layers** in an image with size and creation command
• useful for debugging image bloat. | | [**docker save**](https://docs.docker.com/reference/cli/docker/image/save/) | `docker save -o app.tar myapp:1.0` | Exports image to a **tar archive** preserving all layers and metadata. | | [**docker load**](https://docs.docker.com/reference/cli/docker/image/load/) | `docker load -i app.tar` | • Imports image from **tar archive**
• restores all layers and tags. | | [**docker import**](https://docs.docker.com/reference/cli/docker/image/import/) | `docker import rootfs.tar myapp:1.0` | • Creates image from a tarball **filesystem**
• no layer history preserved. | | [**docker export**](https://docs.docker.com/reference/cli/docker/container/export/) | `docker export web -o web.tar` | • Exports container's **filesystem** as tar
• flattens all layers, loses history. | | [**docker commit**](https://docs.docker.com/reference/cli/docker/container/commit/) | `docker commit web myapp:snapshot` | • Creates a **new image** from a container's changes
• useful for debugging, avoid for production workflows. | | [**docker search**](https://docs.docker.com/reference/cli/docker/search/) | `docker search --limit 5 nginx` | • Searches **Docker Hub** for images
• `--limit` restricts results, `--filter` for stars or official status. | ## Table 4: Dockerfile Instructions | **Instruction** | **Example** | **Description** | |---|---|---| | [**FROM**](https://docs.docker.com/reference/dockerfile/#from) | `FROM node:18-alpine` | • Sets the **base image**
• every Dockerfile starts with FROM
• use specific tags, never `latest` in production. | | [**RUN**](https://docs.docker.com/reference/dockerfile/#run) | `RUN apt-get update &&`
` apt-get install -y curl` | • Executes commands during **build time**
• each RUN creates a new layer
• chain commands with `&&` to reduce layers. | | [**CMD**](https://docs.docker.com/reference/dockerfile/#cmd) | `CMD ["npm", "start"]` | • Provides **default command** when container starts
• overridden by `docker run` arguments
• use exec form (JSON array). | | [**ENTRYPOINT**](https://docs.docker.com/reference/dockerfile/#entrypoint) | `ENTRYPOINT ["python", "app.py"]` | • Sets the **main executable**
• not easily overridden, CMD becomes arguments to ENTRYPOINT. | | [**COPY**](https://docs.docker.com/reference/dockerfile/#copy) | `COPY package*.json ./` | • Copies files from **build context** to image
• preferred over ADD for simple file copying. | | [**ADD**](https://docs.docker.com/reference/dockerfile/#add) | `ADD app.tar.gz /app/` | • Like COPY but **auto-extracts** tar archives and supports URLs
• use COPY unless you need extraction. | | [**WORKDIR**](https://docs.docker.com/reference/dockerfile/#workdir) | `WORKDIR /app` | • Sets **working directory** for subsequent instructions
• creates directory if it doesn't exist. | | [**ENV**](https://docs.docker.com/reference/dockerfile/#env) | `ENV NODE_ENV=production` | • Sets **environment variables** available at both build and runtime
• persists in running containers. | | [**ARG**](https://docs.docker.com/reference/dockerfile/#arg) | `ARG VERSION=1.0` | • Defines **build-time variables**
• not available in running containers, used with `--build-arg`. | | [**EXPOSE**](https://docs.docker.com/reference/dockerfile/#expose) | `EXPOSE 8080` | • Documents which **ports** the container listens on
• does not publish ports, only metadata. | | [**VOLUME**](https://docs.docker.com/reference/dockerfile/#volume) | `VOLUME /data` | • Creates a **mount point** for persistent data
• anonymous volume created if not specified at runtime. | | [**USER**](https://docs.docker.com/reference/dockerfile/#user) | `USER node` | • Sets the **user** for running subsequent commands and the container
• critical for security, avoid root. | | [**LABEL**](https://docs.docker.com/reference/dockerfile/#label) | `LABEL version="1.0"` | • Adds **metadata** as key-value pairs
• queryable with `docker inspect`, useful for versioning. | | [**HEALTHCHECK**](https://docs.docker.com/reference/dockerfile/#healthcheck) | HEALTHCHECK CMD curl -f http://localhost/ || exit 1 | • Defines how Docker tests if container is **healthy**
• runs periodically, marks container unhealthy on failure. | | [**STOPSIGNAL**](https://docs.docker.com/reference/dockerfile/#stopsignal) | `STOPSIGNAL SIGQUIT` | • Sets the **system call signal** sent to stop the container
• default is SIGTERM, useful for apps needing different shutdown signals. | | [**SHELL**](https://docs.docker.com/reference/dockerfile/#shell) | `SHELL ["/bin/bash", "-c"]` | • Overrides the **default shell** for shell-form commands
• default is `["/bin/sh", "-c"]` on Linux, enables bash-specific features. | | [**ONBUILD**](https://docs.docker.com/reference/dockerfile/#onbuild) | `ONBUILD COPY . /app` | • Adds a **trigger instruction** executed when image is used as base for another build
• useful for framework base images. | ## Table 5: Build Optimization Techniques | **Technique** | **Example** | **Description** | |---|---|---| | [**Multi-stage builds**](https://docs.docker.com/build/building/multi-stage/) | `FROM golang AS builder`
`FROM alpine`
`COPY --from=builder /app .` | • Uses multiple FROM statements to create **separate build stages**
• copy only artifacts to final image, drastically reduces size. | | [**Layer caching**](https://docs.docker.com/build/cache/) | `COPY package*.json ./`
`RUN npm install`
`COPY . .` | • Docker caches each layer
• order instructions **least to most frequently changed** to maximize cache hits. | | [**COPY --link**](https://docs.docker.com/reference/dockerfile/#copy---link) | `COPY --link requirements.txt .` | • Makes the layer **independent** of its parent layers
• changing earlier layers does not invalidate this layer's cache, improving resilience in multi-stage and large builds. | | [**.dockerignore**](https://docs.docker.com/build/building/context/#dockerignore-files) | `node_modules`
`*.log`
`.git` | • Excludes files from **build context**
• reduces context size and prevents secrets from being copied. | | [**BuildKit cache mounts**](https://docs.docker.com/build/cache/optimize/#use-cache-mounts) | `RUN --mount=type=cache,target=/root/.npm`
` npm install` | • Mounts a **persistent cache** during build
• npm/pip/apt caches survive rebuilds, speeds up dependency installs. | | [**Build secrets**](https://docs.docker.com/build/building/secrets/) | `RUN --mount=type=secret,id=token`
` curl -H "Auth: $(cat /run/secrets/token)"` | • Injects secrets **without storing** in image layers
• secrets never appear in history or cache. | | [**Minimal base images**](https://docs.docker.com/build/building/best-practices/#use-multi-stage-builds) | `FROM alpine:3.21` | • Use **alpine**, **distroless**, or **DHI** images
• reduce attack surface and image size (alpine ~5MB vs ubuntu ~80MB). | | [**Combining RUN commands**](https://docs.docker.com/build/building/best-practices/#minimize-the-number-of-layers) | `RUN apt-get update && apt-get install -y curl`
` && rm -rf /var/lib/apt/lists/*` | • Chain commands with `&&` to create **single layer**
• clean up package caches in same layer to reduce size. | | [**Buildx for multi-platform**](https://docs.docker.com/build/building/multi-platform/) | `docker buildx build --platform`
` linux/amd64,linux/arm64 -t app .` | • Builds images for **multiple architectures** (amd64, arm64) in one command
• essential for M1/M2 Macs and ARM servers. | ## Table 6: Port Publishing and Networking | **Option** | **Example** | **Description** | |---|---|---| | [**-p (publish)**](https://docs.docker.com/engine/network/port-publishing/) | `docker run -p 8080:80 nginx` | • Maps **host port to container port**
• format `hostPort:containerPort`, makes service accessible externally. | | [**-P (publish-all)**](https://docs.docker.com/engine/network/port-publishing/) | `docker run -P nginx` | • Publishes all EXPOSE'd ports to **random high ports** on host
• query with `docker port`. | | [**Specific host IP**](https://docs.docker.com/engine/network/port-publishing/) | `docker run -p 127.0.0.1:8080:80 nginx` | • Binds to a **specific host IP**
• limits access to localhost or a particular network interface. | | [**Port ranges**](https://docs.docker.com/engine/network/port-publishing/) | `docker run -p 8000-8010:8000-8010 app` | • Maps a **range of ports**
• useful for services needing multiple consecutive ports. | | [**UDP ports**](https://docs.docker.com/engine/network/port-publishing/) | `docker run -p 53:53/udp dns` | • Publishes **UDP** instead of TCP
• add `/udp` suffix to port mapping. | ## Table 7: Network Modes | **Mode** | **Example** | **Description** | |---|---|---| | [**bridge (default)**](https://docs.docker.com/engine/network/drivers/bridge/) | `docker run --network bridge nginx` | • Creates a **virtual network** on host
• containers get private IPs, communicate via internal DNS, NAT for external access. | | [**host**](https://docs.docker.com/engine/network/drivers/host/) | `docker run --network host nginx` | • Container shares **host's network stack**
• no isolation, container binds to host ports directly, best performance. | | [**none**](https://docs.docker.com/engine/network/drivers/) | `docker run --network none app` | • **No networking**
• container is completely isolated, useful for batch jobs or maximum security. | | [**overlay**](https://docs.docker.com/engine/network/drivers/overlay/) | `docker network create --driver overlay mynet` | • Enables **multi-host networking** for Swarm
• containers on different hosts communicate as if on same LAN. | | [**macvlan**](https://docs.docker.com/engine/network/drivers/macvlan/) | `docker network create -d macvlan mynet` | • Assigns **MAC address** to container
• appears as physical device on network, useful for legacy apps. | | [**ipvlan**](https://docs.docker.com/engine/network/drivers/ipvlan/) | `docker network create -d ipvlan mynet` | • Like macvlan but containers share **parent interface's MAC**
• avoids MAC address exhaustion. | ## Table 8: Network Management | **Command** | **Example** | **Description** | |---|---|---| | [**docker network create**](https://docs.docker.com/reference/cli/docker/network/create/) | `docker network create mynet` | • Creates a **user-defined bridge network**
• enables automatic DNS resolution between containers. | | [**docker network ls**](https://docs.docker.com/reference/cli/docker/network/ls/) | `docker network ls` | Lists **all networks** with driver type and scope. | | [**docker network connect**](https://docs.docker.com/reference/cli/docker/network/connect/) | `docker network connect mynet web` | • Connects a running container to an **additional network**
• containers can be on multiple networks. | | [**docker network disconnect**](https://docs.docker.com/reference/cli/docker/network/disconnect/) | `docker network disconnect mynet web` | Removes container from a network **while it's running**. | | [**docker network inspect**](https://docs.docker.com/reference/cli/docker/network/inspect/) | `docker network inspect mynet` | Shows detailed network configuration including **connected containers** and IP addresses. | | [**docker network rm**](https://docs.docker.com/reference/cli/docker/network/rm/) | `docker network rm mynet` | • **Removes a network**
• fails if containers are connected. | | [**docker network prune**](https://docs.docker.com/reference/cli/docker/network/prune/) | `docker network prune` | • Removes all **unused networks**
• confirms before deletion. | | [**host.docker.internal**](https://docs.docker.com/desktop/features/networking/) | `curl http://host.docker.internal:3000` | • DNS name resolving to the **host machine** from inside a container
• auto-configured on Mac/Windows; on Linux add `--add-host=host.docker.internal:host-gateway` to `docker run`. | ## Table 9: Volume Management | **Type** | **Example** | **Description** | |---|---|---| | [**Named volumes**](https://docs.docker.com/engine/storage/volumes/) | `docker run -v data:/app/data nginx` | • Docker-managed volumes stored in `/var/lib/docker/volumes/`
• **preferred** for production, portable across hosts. | | [**--mount syntax**](https://docs.docker.com/engine/storage/) | `docker run --mount type=volume,source=mydata,target=/data nginx` | • **Explicit, readable** alternative to the `-v` flag
• supports `type=bind`, `type=volume`, `type=tmpfs`; recommended for clarity and scripting. | | [**Bind mounts**](https://docs.docker.com/engine/storage/bind-mounts/) | `docker run -v /host/path:/container/path nginx` | • Maps a **host directory** to container
• changes sync in real-time, ideal for development. | | [**tmpfs mounts**](https://docs.docker.com/engine/storage/tmpfs/) | `docker run --tmpfs /tmp nginx` | • Stores data in **host memory**
• not persisted to disk, ultra-fast, useful for caches and temporary files. | | [**Anonymous volumes**](https://docs.docker.com/engine/storage/volumes/) | `docker run -v /app/data nginx` | • Created automatically with **random name**
• hard to manage, removed with container unless `--rm` is not used. | | [**Read-only volumes**](https://docs.docker.com/engine/storage/volumes/) | `docker run -v data:/app:ro nginx` | • Mounts volume as **read-only**
• container cannot modify host files, improves security. | | [**volumes-from**](https://docs.docker.com/engine/storage/volumes/) | `docker run --volumes-from web nginx` | • Shares **all volumes** from another container
• useful for backup containers. | ## Table 10: Volume Commands | **Command** | **Example** | **Description** | |---|---|---| | [**docker volume create**](https://docs.docker.com/reference/cli/docker/volume/create/) | `docker volume create mydata` | • Creates a **named volume** before using it
• can specify driver and options. | | [**docker volume ls**](https://docs.docker.com/reference/cli/docker/volume/ls/) | `docker volume ls` | Lists **all volumes** with driver and mount point. | | [**docker volume inspect**](https://docs.docker.com/reference/cli/docker/volume/inspect/) | `docker volume inspect mydata` | Shows volume metadata including **mountpoint** on host filesystem. | | [**docker volume rm**](https://docs.docker.com/reference/cli/docker/volume/rm/) | `docker volume rm mydata` | • **Removes a volume**
• fails if in use by any container. | | [**docker volume prune**](https://docs.docker.com/reference/cli/docker/volume/prune/) | `docker volume prune` | • Deletes all **unused volumes**
• dangerous in production, confirms before deletion. | ## Table 11: Resource Constraints | **Flag** | **Example** | **Description** | |---|---|---| | [**--memory (-m)**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run -m 512m nginx` | • Limits container **memory**
• container killed if exceeded (OOM), suffix: `b k m g`. | | [**--memory-reservation**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --memory-reservation 256m nginx` | • **Soft limit**
• Docker tries to enforce when host memory is low, container can exceed it. | | [**--cpus**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --cpus 1.5 nginx` | • Limits container to **1.5 CPU cores**
• can be fractional (0.5 = 50% of one core). | | [**--cpu-shares**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --cpu-shares 512 nginx` | • Sets **relative weight** for CPU time
• default 1024, container with 2048 gets 2x CPU time. | | [**--cpuset-cpus**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --cpuset-cpus 0,1 nginx` | • Pins container to **specific CPU cores**
• useful for NUMA systems and performance-critical apps. | | [**--pids-limit**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --pids-limit 100 nginx` | • Limits **number of PIDs** (processes/threads)
• prevents fork bombs. | | [**--blkio-weight**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --blkio-weight 500 nginx` | • Sets **disk I/O priority**
• default 500, range 10-1000. | | [**--gpus**](https://docs.docker.com/engine/containers/resource_constraints/) | `docker run --gpus all nvidia/cuda:12.0-base nvidia-smi` | • Grants container access to **GPU devices**
• requires NVIDIA Container Toolkit; use `"device=0,1"` to target specific GPUs. | ## Table 12: Restart Policies | **Policy** | **Example** | **Description** | |---|---|---| | [**no (default)**](https://docs.docker.com/engine/containers/start-containers-automatically/) | `docker run --restart no nginx` | • **Never restart** container automatically
• manual restart required. | | [**on-failure**](https://docs.docker.com/engine/containers/start-containers-automatically/) | `docker run --restart on-failure:3 nginx` | • Restarts only if container exits with **non-zero code**
• optional max retry count. | | [**always**](https://docs.docker.com/engine/containers/start-containers-automatically/) | `docker run --restart always nginx` | • **Always restarts** container, even after host reboot
• use for critical services. | | [**unless-stopped**](https://docs.docker.com/engine/containers/start-containers-automatically/) | `docker run --restart unless-stopped nginx` | • Like `always` but **respects manual stops**
• doesn't restart if explicitly stopped before reboot. | ## Table 13: Health Checks | **Option** | **Example** | **Description** | |---|---|---| | [**HEALTHCHECK instruction**](https://docs.docker.com/reference/dockerfile/#healthcheck) | `HEALTHCHECK --interval=30s CMD curl -f http://localhost/`
|| exit 1 | • Defines in **Dockerfile** how to test if container is healthy
• runs periodically. | | [**--health-cmd**](https://docs.docker.com/reference/cli/docker/container/run/#health-cmd) | `docker run --health-cmd "curl -f http://localhost/"` | • Runtime **override** of HEALTHCHECK
• useful for testing without rebuilding image. | | [**--health-interval**](https://docs.docker.com/reference/cli/docker/container/run/#health-interval) | `docker run --health-interval=10s nginx` | • Time **between health checks**
• default 30s. | | [**--health-timeout**](https://docs.docker.com/reference/cli/docker/container/run/#health-timeout) | `docker run --health-timeout=5s nginx` | • How long to wait for check to **complete**
• default 30s, fails if exceeded. | | [**--health-retries**](https://docs.docker.com/reference/cli/docker/container/run/#health-retries) | `docker run --health-retries=3 nginx` | • Number of **consecutive failures** before marking unhealthy
• default 3. | | [**--health-start-period**](https://docs.docker.com/reference/cli/docker/container/run/#health-start-period) | `docker run --health-start-period=60s nginx` | • **Grace period** before starting checks
• allows slow apps to initialize, default 0s. | ## Table 14: Docker Compose Services | **Attribute** | **Example** | **Description** | |---|---|---| | [**image**](https://docs.docker.com/reference/compose-file/services/#image) | `image: nginx:alpine` | • Specifies the **image to use**
• pulled from registry if not local. | | [**build**](https://docs.docker.com/reference/compose-file/services/#build) | `build:`
` context: .`
` dockerfile: Dockerfile.prod` | • Builds image from **Dockerfile**
• context is build directory, dockerfile is optional custom name. | | [**ports**](https://docs.docker.com/reference/compose-file/services/#ports) | `ports:`
` - "8080:80"` | • Publishes ports
• **short syntax** `"host:container"` or long syntax with protocol. | | [**volumes**](https://docs.docker.com/reference/compose-file/services/#volumes) | `volumes:`
` - ./data:/data:ro` | • Mounts volumes or bind mounts
• supports **short and long syntax** with options. | | [**environment**](https://docs.docker.com/reference/compose-file/services/#environment) | `environment:`
` NODE_ENV: production` | • Sets **environment variables**
• also supports array syntax and .env files. | | [**depends_on**](https://docs.docker.com/reference/compose-file/services/#depends_on) | `depends_on:`
` db:`
` condition: service_healthy` | • Defines **startup order** and conditions
• `service_healthy` waits for health checks. | | [**networks**](https://docs.docker.com/reference/compose-file/services/#networks) | `networks:`
` - frontend` | • Connects service to **custom networks**
• enables network isolation. | | [**restart**](https://docs.docker.com/reference/compose-file/services/#restart) | `restart: unless-stopped` | • Sets **restart policy**
• options: no, always, on-failure, unless-stopped. | | [**command**](https://docs.docker.com/reference/compose-file/services/#command) | `command: npm run dev` | • Overrides default **CMD** from image
• shell or exec form. | | [**entrypoint**](https://docs.docker.com/reference/compose-file/services/#entrypoint) | `entrypoint: /app/entrypoint.sh` | • Overrides **ENTRYPOINT** from image
• rarely needed. | | [**healthcheck**](https://docs.docker.com/reference/compose-file/services/#healthcheck) | `healthcheck:`
` test: ["CMD", "curl", "-f", "http://localhost/"]`
` interval: 30s` | • Defines a **health check** in Compose
• supports test, interval, timeout, retries, start_period. | | [**deploy**](https://docs.docker.com/reference/compose-file/services/#deploy) | `deploy:`
` resources:`
` limits:`
` memory: 512M` | • Configures **deployment and resource** constraints
• works in Compose for resource limits and GPU reservations. | ## Table 15: Docker Compose Commands | **Command** | **Example** | **Description** | |---|---|---| | [**docker compose up**](https://docs.docker.com/reference/cli/docker/compose/up/) | `docker compose up -d` | • **Creates and starts all services**
• `-d` runs detached, rebuilds if Dockerfile changed. | | [**docker compose down**](https://docs.docker.com/reference/cli/docker/compose/down/) | `docker compose down -v` | • Stops and removes containers, networks
• `-v` also removes **volumes**, dangerous in production. | | [**docker compose ps**](https://docs.docker.com/reference/cli/docker/compose/ps/) | `docker compose ps` | Lists containers for this **Compose project** only. | | [**docker compose logs**](https://docs.docker.com/reference/cli/docker/compose/logs/) | `docker compose logs -f web` | • Shows **logs from services**
• `-f` follows, specify service name to filter. | | [**docker compose exec**](https://docs.docker.com/reference/cli/docker/compose/exec/) | `docker compose exec web sh` | • Runs command in a **running service**
• defaults to first container if replicated. | | [**docker compose build**](https://docs.docker.com/reference/cli/docker/compose/build/) | `docker compose build --no-cache` | • **Builds or rebuilds services**
• `--no-cache` forces full rebuild. | | [**docker compose pull**](https://docs.docker.com/reference/cli/docker/compose/pull/) | `docker compose pull` | Pulls **latest images** for all services from registry. | | [**docker compose restart**](https://docs.docker.com/reference/cli/docker/compose/restart/) | `docker compose restart web` | Restarts running services **without recreating containers**. | | [**docker compose stop**](https://docs.docker.com/reference/cli/docker/compose/stop/) | `docker compose stop` | • Stops services **without removing containers**
• faster than `down`. | | [**docker compose start**](https://docs.docker.com/reference/cli/docker/compose/start/) | `docker compose start` | • **Starts stopped services**
• doesn't create new containers. | | [**docker compose run**](https://docs.docker.com/reference/cli/docker/compose/run/) | `docker compose run --rm web npm test` | • Runs a **one-off command** against a service
• `--rm` removes container after exit, does not start linked services by default. | | [**docker compose watch**](https://docs.docker.com/reference/cli/docker/compose/watch/) | `docker compose watch` | • Watches for **file changes** and auto-updates running services
• actions: sync, rebuild, sync+restart. | ## Table 16: Docker Compose Advanced Features | **Feature** | **Example** | **Description** | |---|---|---| | [**profiles**](https://docs.docker.com/compose/how-tos/profiles/) | `profiles: [debug]` | • Groups services for **selective activation**
• `docker compose --profile debug up` only starts debug services. | | [**extends**](https://docs.docker.com/compose/how-tos/multiple-compose-files/extends/) | `extends:`
` file: common.yml`
` service: base` | • **Inherits configuration** from another service
• enables reusable base definitions. | | [**override files**](https://docs.docker.com/compose/how-tos/multiple-compose-files/merge/) | `docker-compose.override.yml` | • Automatically merged with `docker-compose.yml`
• **environment-specific overrides** without modifying base file. | | [**include**](https://docs.docker.com/compose/how-tos/multiple-compose-files/include/) | `include:`
` - monitoring.yml` | • Includes **separate Compose files**
• combines multiple projects into one. | | [**env_file**](https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/) | `env_file:`
` - .env.prod` | • Loads environment variables from **files**
• keeps secrets out of Compose file. | | [**secrets**](https://docs.docker.com/reference/compose-file/services/#secrets) | `secrets:`
` - db_password` | • Injects secrets as **files** in container
• mounted at `/run/secrets/`. | | [**configs**](https://docs.docker.com/reference/compose-file/services/#configs) | `configs:`
` - nginx.conf` | • Like secrets but for **non-sensitive config files**
• also mounted as files. | | [**develop (watch)**](https://docs.docker.com/compose/how-tos/file-watch/) | `develop:`
` watch:`
` - action: sync`
` path: ./src`
` target: /app/src` | • Configures **hot-reload** for development
• actions: `sync` (copy files), `rebuild` (rebuild image), `sync+restart` (copy and restart). | | [**YAML anchors**](https://docs.docker.com/reference/compose-file/fragments/) | `x-common: &common`
` restart: always`
`services:`
` web:`
` <<: *common` | • Reuses config blocks with **anchors and aliases**
• `x-` prefix defines extension fields that Compose ignores. | | [**GPU support**](https://docs.docker.com/compose/how-tos/gpu-support/) | `deploy:`
` resources:`
` reservations:`
` devices:`
` - driver: nvidia`
` count: 1`
` capabilities: [gpu]` | • Requests **GPU access** for a service
• requires NVIDIA Container Toolkit installed on host. | ## Table 17: Registry and Authentication | **Command** | **Example** | **Description** | |---|---|---| | [**docker login**](https://docs.docker.com/reference/cli/docker/login/) | `docker login registry.example.com` | • **Authenticates to a registry**
• stores credentials in `~/.docker/config.json`. | | [**docker logout**](https://docs.docker.com/reference/cli/docker/logout/) | `docker logout` | Removes **stored credentials** for default registry or specified one. | | [**Username/password login**](https://docs.docker.com/reference/cli/docker/login/) | `docker login -u user -p pass` | • Non-interactive login
• **avoid in scripts**, use stdin or token instead. | | [**Token authentication**](https://docs.docker.com/reference/cli/docker/login/) | echo $TOKEN | docker login -u user --password-stdin | • Passes password via **stdin**
• more secure than command-line password. | ## Table 18: Image Tagging Strategies | **Strategy** | **Example** | **Description** | |---|---|---| | [**Semantic versioning**](https://www.docker.com/blog/docker-best-practices-using-tags-and-labels-to-manage-docker-image-sprawl/) | `myapp:1.2.3` | • Uses **major.minor.patch** format
• best practice for release tracking and rollbacks. | | [**Git commit SHA**](https://www.docker.com/blog/docker-best-practices-using-tags-and-labels-to-manage-docker-image-sprawl/) | `myapp:a3f2c1b` | • Tags with **Git commit hash**
• enables exact source code traceability. | | [**Environment tags**](https://www.docker.com/blog/docker-best-practices-using-tags-and-labels-to-manage-docker-image-sprawl/) | `myapp:prod-1.2.3` | • Includes **environment prefix**
• clearly indicates deployment target. | | [**Date-based tags**](https://www.docker.com/blog/docker-best-practices-using-tags-and-labels-to-manage-docker-image-sprawl/) | `myapp:2026-03-01` | • Timestamps with **YYYY-MM-DD**
• useful for nightly builds or time-based releases. | | [**Branch tags**](https://www.docker.com/blog/docker-best-practices-using-tags-and-labels-to-manage-docker-image-sprawl/) | `myapp:feature-auth` | • Tags with **branch name**
• tracks feature development images. | ## Table 19: Cleanup and Maintenance | **Command** | **Example** | **Description** | |---|---|---| | [**docker system prune**](https://docs.docker.com/engine/manage-resources/pruning/) | `docker system prune -a` | • Removes stopped containers, unused networks, **dangling images**
• `-a` removes all unused images. | | [**docker image prune**](https://docs.docker.com/reference/cli/docker/image/prune/) | `docker image prune -a --filter "until=168h"` | • Removes unused images
• `--filter "until=168h"` keeps images created in **last 7 days**. | | [**docker container prune**](https://docs.docker.com/reference/cli/docker/container/prune/) | `docker container prune` | • Removes all **stopped containers**
• confirms before deletion. | | [**docker volume prune**](https://docs.docker.com/reference/cli/docker/volume/prune/) | `docker volume prune` | • Deletes **unused volumes**
• extremely dangerous in production, back up first. | | [**docker network prune**](https://docs.docker.com/reference/cli/docker/network/prune/) | `docker network prune` | • Removes **unused networks**
• safe operation. | | [**docker builder prune**](https://docs.docker.com/reference/cli/docker/builder/prune/) | `docker builder prune` | • Clears **BuildKit cache**
• frees disk space from layer caching. | ## Table 20: Logging Drivers | **Driver** | **Example** | **Description** | |---|---|---| | [**json-file (default)**](https://docs.docker.com/engine/logging/configure/) | `--log-driver json-file` | • Stores logs as **JSON** on disk
• queryable with `docker logs`, limited rotation. | | [**local**](https://docs.docker.com/engine/logging/configure/) | `--log-driver local` | • Optimized **local file** driver with automatic log rotation
• better performance than json-file. | | [**syslog**](https://docs.docker.com/engine/logging/drivers/syslog/) | `--log-driver syslog --log-opt syslog-address=udp://host:514` | • Forwards logs to **syslog daemon**
• integrates with centralized logging. | | [**journald**](https://docs.docker.com/engine/logging/drivers/journald/) | `--log-driver journald` | • Sends logs to **systemd journal**
• query with `journalctl`. | | [**fluentd**](https://docs.docker.com/engine/logging/drivers/fluentd/) | `--log-driver fluentd --log-opt fluentd-address=host:24224` | • Forwards to **Fluentd** collector
• popular for Kubernetes and centralized logging. | | [**awslogs**](https://docs.docker.com/engine/logging/drivers/awslogs/) | `--log-driver awslogs --log-opt awslogs-group=myapp` | • Sends logs to **AWS CloudWatch Logs**
• requires AWS credentials. | | [**gcplogs**](https://docs.docker.com/engine/logging/drivers/gcplogs/) | `--log-driver gcplogs` | • Forwards to **Google Cloud Logging**
• auto-detects GCP metadata. | | [**splunk**](https://docs.docker.com/engine/logging/drivers/splunk/) | `--log-driver splunk --log-opt splunk-token=XXX` | • Sends logs to **Splunk HTTP Event Collector**
• enterprise logging solution. | ## Table 21: Security Practices | **Practice** | **Example** | **Description** | |---|---|---| | [**Run as non-root user**](https://docs.docker.com/build/building/best-practices/#user) | `USER node` | • Creates and switches to **non-root user**
• prevents privilege escalation attacks. | | [**Read-only root filesystem**](https://docs.docker.com/reference/cli/docker/container/run/#read-only) | `docker run --read-only nginx` | • Makes container filesystem **immutable**
• prevents tampering, use tmpfs for writable dirs. | | [**Drop capabilities**](https://docs.docker.com/reference/cli/docker/container/run/#cap-drop) | `docker run --cap-drop ALL --cap-add NET_BIND_SERVICE nginx` | • Removes **Linux capabilities**
• principle of least privilege, drop ALL then add only needed ones. | | [**Use secrets**](https://docs.docker.com/build/building/secrets/) | `RUN --mount=type=secret,id=token` | • Never hardcode secrets in images
• use **BuildKit secrets** or runtime secrets. | | [**Scan images**](https://docs.docker.com/scout/) | `docker scout cves nginx:latest` | • Scans for **vulnerabilities**
• integrates with Docker Scout, Trivy, Snyk. | | [**Minimal base images**](https://docs.docker.com/build/building/best-practices/#use-multi-stage-builds) | `FROM gcr.io/distroless/static` | • Use **distroless** or alpine
• fewer packages = smaller attack surface. | | [**No privileged mode**](https://docs.docker.com/reference/cli/docker/container/run/#privileged) | Avoid `--privileged` | • **Never use** in production
• gives full host access, defeats containerization. | | [**Security profiles**](https://docs.docker.com/reference/cli/docker/container/run/#security-opt) | `--security-opt seccomp=profile.json` | • Apply **seccomp/AppArmor/SELinux** profiles
• restricts syscalls and actions. | | [**Rootless mode**](https://docs.docker.com/engine/security/rootless/) | `dockerd-rootless-setuptool.sh install` | • Runs Docker daemon **without root privileges**
• mitigates potential vulnerabilities in daemon and container runtime. | | [**--no-new-privileges**](https://docs.docker.com/reference/cli/docker/container/run/#security-opt) | `docker run --security-opt no-new-privileges nginx` | • Prevents processes from **gaining additional privileges** via setuid/setgid
• critical for defense in depth. | | [**Docker Hardened Images (DHI)**](https://www.docker.com/products/hardened-images/) | `FROM dhi.io/python:3.12` | • Docker's **distroless-based, CVE-free** base images
• free since Dec 2025, auto-patched within 24hrs, include SBOM and provenance attestations. | ## Table 22: Signal Handling | **Signal** | **Example** | **Description** | |---|---|---| | [**SIGTERM**](https://docs.docker.com/engine/containers/start-containers-automatically/) | Sent by `docker stop` | • **Graceful shutdown** signal
• application should clean up resources and exit within grace period (default 10s). | | [**SIGKILL**](https://docs.docker.com/reference/cli/docker/container/kill/) | Sent after grace period | • **Force kill** signal
• cannot be caught or ignored, immediate termination. | | [**SIGINT**](https://docs.docker.com/reference/cli/docker/container/run/) | Ctrl+C in attached mode | • **Interrupt signal**
• often handled same as SIGTERM by applications. | | [**SIGHUP**](https://docs.docker.com/reference/cli/docker/container/kill/) | `docker kill -s SIGHUP web` | • Hangup signal
• commonly used to **reload configuration** without restart. | | [**Exec form vs shell form**](https://docs.docker.com/reference/dockerfile/#cmd) | `CMD ["app"]` vs `CMD app` | • **Exec form** (JSON array) makes app PID 1, receives signals
• shell form wraps in `/bin/sh -c`, signals go to shell. | ## Table 23: Context and Remote Docker | **Command** | **Example** | **Description** | |---|---|---| | [**docker context create**](https://docs.docker.com/reference/cli/docker/context/create/) | `docker context create remote --docker "host=ssh://user@host"` | • Creates a **remote Docker context**
• enables managing remote Docker daemons. | | [**docker context use**](https://docs.docker.com/reference/cli/docker/context/use/) | `docker context use remote` | • **Switches active context**
• all docker commands target this daemon. | | [**docker context ls**](https://docs.docker.com/reference/cli/docker/context/ls/) | `docker context ls` | Lists **all contexts** with current one marked by `*`. | | [**docker context rm**](https://docs.docker.com/reference/cli/docker/context/rm/) | `docker context rm remote` | • **Removes a context**
• cannot remove active context. | | [**DOCKER_HOST variable**](https://docs.docker.com/reference/cli/docker/#environment-variables) | `export DOCKER_HOST=ssh://user@host` | • Sets remote daemon via **environment variable**
• alternative to contexts. | ## Table 24: Docker Swarm Basics | **Command** | **Example** | **Description** | |---|---|---| | [**docker swarm init**](https://docs.docker.com/reference/cli/docker/swarm/init/) | `docker swarm init` | • Initializes a **Swarm cluster**
• current node becomes manager. | | [**docker swarm join**](https://docs.docker.com/reference/cli/docker/swarm/join/) | `docker swarm join --token TOKEN host:2377` | Joins a node to existing Swarm as **worker or manager**. | | [**docker service create**](https://docs.docker.com/reference/cli/docker/service/create/) | `docker service create --replicas 3 nginx` | Creates a Swarm service with **replicas** across cluster. | | [**docker service scale**](https://docs.docker.com/reference/cli/docker/service/scale/) | `docker service scale web=5` | Scales service to specified **number of replicas**. | | [**docker service update**](https://docs.docker.com/reference/cli/docker/service/update/) | `docker service update --image nginx:1.21 web` | • **Rolling update** of service
• updates containers one by one. | | [**docker node ls**](https://docs.docker.com/reference/cli/docker/node/ls/) | `docker node ls` | Lists all nodes in Swarm with **status and availability**. | | [**docker stack deploy**](https://docs.docker.com/reference/cli/docker/stack/deploy/) | `docker stack deploy -c compose.yml myapp` | • Deploys a **Compose file** to Swarm
• creates all services, networks, volumes. | ## Table 25: Environment Variables | **Method** | **Example** | **Description** | |---|---|---| | [**-e flag**](https://docs.docker.com/reference/cli/docker/container/run/#env) | `docker run -e NODE_ENV=prod nginx` | • Sets **single variable**
• most direct method, visible in `docker inspect`. | | [**--env-file**](https://docs.docker.com/reference/cli/docker/container/run/#env-file) | `docker run --env-file .env nginx` | • Loads variables from **file**
• one VAR=value per line, comments with `#`. | | [**ENV in Dockerfile**](https://docs.docker.com/reference/dockerfile/#env) | `ENV NODE_ENV=production` | • Bakes variables into **image**
• persists in all containers, bad for secrets. | | [**ARG in Dockerfile**](https://docs.docker.com/reference/dockerfile/#arg) | `ARG VERSION=1.0` | • **Build-time only** variables
• passed with `--build-arg`, not in final image. | | [**Compose environment**](https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/) | `environment:`
` NODE_ENV: prod` | • Sets variables **in Compose file**
• applies to that service only. | | [**Compose env_file**](https://docs.docker.com/compose/how-tos/environment-variables/set-environment-variables/) | `env_file: .env` | • Loads variables **from file** in Compose
• supports multiple files. | ## Table 26: Inspect and Debug | **Command** | **Example** | **Description** | |---|---|---| | [**docker inspect**](https://docs.docker.com/reference/cli/docker/inspect/) | `docker inspect --format '{{.State.Status}}' web` | • Shows **raw JSON** config
• use `--format` with Go templates to extract specific fields. | | [**docker events**](https://docs.docker.com/reference/cli/docker/system/events/) | `docker events --filter type=container` | • Live stream of **daemon events**
• shows create, start, stop, die, etc. | | [**docker system df**](https://docs.docker.com/reference/cli/docker/system/df/) | `docker system df -v` | • Shows **disk usage** by images, containers, volumes
• `-v` for detailed breakdown. | | [**docker system info**](https://docs.docker.com/reference/cli/docker/system/info/) | `docker system info` | Displays **system-wide information** including storage driver, kernel version, containers count. | | [**docker version**](https://docs.docker.com/reference/cli/docker/version/) | `docker version` | Shows **client and server** versions with API version and Go version. | | [**docker debug**](https://docs.docker.com/reference/cli/docker/debug/) | `docker debug web` | • Launches a **debug shell** attached to container's namespaces
• requires Docker Desktop; works even on containers without a shell. | | [**docker init**](https://docs.docker.com/reference/cli/docker/init/) | `docker init` | • Generates **Dockerfile, compose.yaml, .dockerignore** for a project
• supports Go, Node, Python, Rust, Java, PHP, ASP.NET templates. | ## Table 27: Copy Operations | **Command** | **Example** | **Description** | |---|---|---| | [**docker cp (container to host)**](https://docs.docker.com/reference/cli/docker/container/cp/) | `docker cp web:/app/log.txt ./log.txt` | • Copies file from **container to host**
• works on running and stopped containers. | | [**docker cp (host to container)**](https://docs.docker.com/reference/cli/docker/container/cp/) | `docker cp ./config.yml web:/app/config.yml` | • Copies file from **host to container**
• immediately available in running container. | | [**Copy directories**](https://docs.docker.com/reference/cli/docker/container/cp/) | `docker cp web:/app/logs ./logs` | Recursively copies **entire directories**. | | [**Archive mode**](https://docs.docker.com/reference/cli/docker/container/cp/) | `docker cp -a web:/app ./backup` | • Preserves **UID/GID** and permissions
• equivalent to `cp -a`. | ## Table 28: BuildKit Advanced Features | **Feature** | **Example** | **Description** | |---|---|---| | [**Cache mounts**](https://docs.docker.com/build/cache/optimize/#use-cache-mounts) | `RUN --mount=type=cache,target=/root/.cache/pip`
` pip install -r requirements.txt` | • Persists **package manager cache** across builds
• dramatically speeds up dependency installs. | | [**SSH mounts**](https://docs.docker.com/build/building/secrets/#ssh-mounts) | `RUN --mount=type=ssh git clone git@github.com:repo` | • Forwards **SSH agent** into build
• enables private Git repos without storing keys. | | [**Bind mounts**](https://docs.docker.com/build/cache/optimize/#use-bind-mounts) | `RUN --mount=type=bind,source=.,target=/src`
` make build` | • Mounts files into build **without COPY**
• doesn't add to image layers. | | [**External cache**](https://docs.docker.com/build/cache/backends/) | `docker build --cache-from type=registry,ref=myapp:cache` | • Uses **remote cache** from registry
• enables cache sharing across CI runners. | | [**Inline cache**](https://docs.docker.com/build/cache/backends/inline/) | `docker build --cache-to type=inline` | • Embeds cache metadata **in image**
• simplest cache sharing method. | | [**SBOM attestation**](https://docs.docker.com/build/metadata/attestations/sbom/) | `docker buildx build --sbom=true -t myapp .` | • Embeds a **Software Bill of Materials** as an OCI attestation
• lists all packages and dependencies discovered in the image. | | [**Provenance attestation**](https://docs.docker.com/build/metadata/attestations/slsa-provenance/) | `docker buildx build --provenance=mode=max -t myapp .` | • Records **SLSA-compliant build provenance**
• cryptographically proves what commit, CI runner, and inputs produced the image. | | [**Buildx bake**](https://docs.docker.com/build/bake/) | `docker buildx bake -f docker-bake.hcl` | • Builds multiple targets from an **HCL/JSON/Compose** definition file
• enables complex build pipelines with shared variables and matrix builds. | ## Table 29: Docker Scout Commands | **Command** | **Example** | **Description** | |---|---|---| | [**docker scout cves**](https://docs.docker.com/reference/cli/docker/scout/cves/) | `docker scout cves nginx:latest` | • Scans an image for **CVEs**
• shows severity, CVSS score, affected package, and fix availability. | | [**docker scout quickview**](https://docs.docker.com/reference/cli/docker/scout/quickview/) | `docker scout quickview nginx:latest` | • Displays a **summary** of vulnerabilities and policy compliance
• fast overview without printing the full CVE list. | | [**docker scout recommendations**](https://docs.docker.com/reference/cli/docker/scout/recommendations/) | `docker scout recommendations nginx:latest` | • Suggests **base image upgrades** that reduce the CVE count
• shows how many CVEs each alternative version would eliminate. | | [**docker scout sbom**](https://docs.docker.com/reference/cli/docker/scout/sbom/) | `docker scout sbom nginx:latest` | • Generates a **Software Bill of Materials**
• lists all packages, versions, and licenses found in the image. | | [**docker scout compare**](https://docs.docker.com/reference/cli/docker/scout/compare/) | `docker scout compare nginx:1.25 --to nginx:latest` | • **Compares vulnerability profiles** of two images
• useful to verify CVE reduction after a base image update. | | [**docker scout enroll**](https://docs.docker.com/reference/cli/docker/scout/enroll/) | `docker scout enroll myorg` | • **Enrolls an organization** in Docker Scout
• enables policy enforcement, repository integration, and team dashboards. | ## Table 30: Docker Model Runner | **Command** | **Example** | **Description** | |---|---|---| | [**docker model pull**](https://docs.docker.com/reference/cli/docker/model/pull/) | `docker model pull ai/llama3.2` | • Downloads an **AI model** from Docker Hub
• models are versioned and stored locally, managed like images. | | [**docker model run**](https://docs.docker.com/reference/cli/docker/model/run/) | `docker model run ai/llama3.2` | • Runs a model **interactively** in the terminal
• provides a live chat interface for direct prompting. | | [**docker model run -d**](https://docs.docker.com/reference/cli/docker/model/run/) | `docker model run -d --name llm ai/llama3.2` | • Starts model as a **background service**
• accessible via OpenAI-compatible REST API from host or other containers. | | [**docker model list**](https://docs.docker.com/reference/cli/docker/model/ls/) | `docker model list` | Lists all **locally downloaded** AI models with size and status. | | [**docker model rm**](https://docs.docker.com/reference/cli/docker/model/rm/) | `docker model rm ai/llama3.2` | Removes a **downloaded model** from local storage. | | [**OpenAI-compatible API**](https://docs.docker.com/ai/model-runner/api-reference/) | `curl http://model-runner.docker.internal/engines/v1/chat/completions` | • Access running model via **OpenAI-compatible endpoint**
• use from other containers; also accessible on host at `http://localhost:12434/engines/v1`. | ## Table 31: Docker Build Cloud | **Feature** | **Example** | **Description** | |---|---|---| | [**Create cloud builder**](https://docs.docker.com/build-cloud/setup/) | `docker buildx create --driver cloud myorg/mybuilder` | • Creates a **remote cloud-based builder**
• builds run in Docker's infrastructure, not on the local machine. | | [**Build with cloud**](https://docs.docker.com/build-cloud/) | `docker buildx build --builder cloud-myorg/mybuilder -t myapp .` | • Sends build to **cloud infrastructure**
• more CPU/RAM than local, shared cache across the whole team. | | [**Set as default builder**](https://docs.docker.com/reference/cli/docker/buildx/use/) | `docker buildx use cloud-myorg/mybuilder` | Sets the cloud builder as **default** for all subsequent `docker buildx build` commands. | | [**List builders**](https://docs.docker.com/reference/cli/docker/buildx/ls/) | `docker buildx ls` | Lists all **available builders** including cloud builders and their status. | | [**Shared build cache**](https://docs.docker.com/build-cloud/) | (automatic across team) | • All team members share a **persistent remote cache**
• first build warms cache, subsequent team builds dramatically faster. | ## Table 32: Compose Dependency Conditions | **Condition** | **Example** | **Description** | |---|---|---| | [**service_started**](https://docs.docker.com/reference/compose-file/services/#depends_on) | `depends_on:`
` db:`
` condition: service_started` | • Waits for service to be **started**
• doesn't guarantee it's ready, default behavior. | | [**service_healthy**](https://docs.docker.com/reference/compose-file/services/#depends_on) | `depends_on:`
` db:`
` condition: service_healthy` | • Waits for **health check to pass**
• requires HEALTHCHECK in image or Compose. | | [**service_completed_successfully**](https://docs.docker.com/reference/compose-file/services/#depends_on) | `depends_on:`
` migrate:`
` condition: service_completed_successfully` | • Waits for **one-off task** to exit with code 0
• useful for migrations. | ## Table 33: Distroless and Minimal Images | **Image** | **Example** | **Description** | |---|---|---| | [**Alpine Linux**](https://hub.docker.com/_/alpine) | `FROM alpine:3.21` | • Lightweight **5MB base**
• uses musl libc, may have compatibility issues with compiled binaries. | | [**Distroless**](https://github.com/GoogleContainerTools/distroless) | `FROM gcr.io/distroless/static-debian12` | • **No shell, no package manager**
• only runtime dependencies, ultimate security and size reduction. | | [**Scratch**](https://hub.docker.com/_/scratch) | `FROM scratch` | • **Empty base image**
• use for static binaries only (Go, Rust), absolute minimal size. | | [**Distroless with shell (debug)**](https://github.com/GoogleContainerTools/distroless#debug-images) | `FROM gcr.io/distroless/base-debian12:debug` | • Adds busybox shell to distroless
• **only for debugging**, never production. | | [**Docker Hardened Images (DHI)**](https://www.docker.com/products/hardened-images/) | `FROM dhi.io/python:3.12` | • Docker's **distroless-based, CVE-free** official images
• free since Dec 2025, auto-patched within 24hrs, include SBOM and provenance attestations. |

Docker Cheat Sheet

Docker Cheat Sheet

Docker Cheat Sheet

Docker Cheat Sheet