Docker Cheat Sheet

Updated 2026-04-01

Docker is a containerization platform that packages applications with their dependencies into lightweight, portable containers. It revolutionized software deployment by solving the "works on my machine" problem through consistent, isolated environments that run identically across development, testing, and production. Docker containers share the host OS kernel, making them far more efficient than traditional virtual machines while maintaining strong isolation. Docker Engine uses BuildKit as its default builder and Docker Compose V2 as the standard for multi-container orchestration. The 2025–2026 release cycle significantly expanded Docker's scope: Docker Model Runner enables local AI inference with an OpenAI-compatible API; Docker Scout provides integrated vulnerability scanning and SBOM analysis; Docker Hardened Images (DHI) offer free, distroless-based images with CVE patches within 24 hours; and Docker Build Cloud offloads builds to remote infrastructure for faster CI. The key mental model: a container is a running instance of an image, where images are immutable blueprints built in layers, and layers are cached for speed—understanding this layer caching mechanism is critical for optimizing build times and image sizes.

Quick Index244 entries · 33 tables

Mind Map

33 tables, 244 concepts. Select a concept node to jump to its table row.

Preparing mind map...

Table 1: Container Lifecycle Management

Command	Example	Description
docker run	`docker run -d -p 8080:80 --name web nginx`	• Creates and starts a new container from an image • `-d` runs detached, `-p` maps ports, `--name` assigns a custom name. Most commonly used command.
docker start	`docker start web`	• Starts an existing stopped container • preserves all container state and configuration.
docker stop	`docker stop web`	Gracefully stops a running container by sending SIGTERM then SIGKILL after grace period (default 10s).
docker restart	`docker restart web`	• Stops then starts a container • equivalent to `stop` + `start`.
docker pause	`docker pause web`	• Freezes all processes in a container using cgroups • no CPU/memory usage, instant resume with `unpause`.
docker unpause	`docker unpause web`	• Resumes a paused container • restores execution exactly where it stopped.
docker rm	`docker rm -f web`	• Removes a stopped container • `-f` forces removal of running containers by killing them first.
docker kill	`docker kill web`	• Immediately stops a container by sending SIGKILL • no graceful shutdown, use for unresponsive containers.
docker create	`docker create --name web nginx`	• Creates a container without starting it • useful for preparing containers before `start`.
docker wait	`docker wait web`	• Blocks until a container stops, then prints its exit code • useful in scripts.
docker rename	`docker rename web web-old`	• Renames an existing container • works on running and stopped containers.
docker update	`docker update --cpus 2 --memory 1g web`	• Dynamically updates resource limits and restart policy on running containers • avoids container recreation.

Table 2: Container Inspection and Interaction

Command	Example	Description
docker ps	`docker ps -a`	• Lists containers • default shows running only, `-a` includes stopped.
docker logs	`docker logs -f --tail 100 web`	• Shows container stdout/stderr • `-f` follows live output, `--tail` limits lines.
docker exec	`docker exec -it web bash`	• Runs a new process inside a running container • `-it` allocates interactive TTY for shell access.
docker attach	`docker attach web`	• Connects to container's main process stdin/stdout • Ctrl+C stops the container.
docker inspect	`docker inspect web`	Returns detailed JSON with all container metadata including config, state, network, mounts.
docker stats	`docker stats web`	• Live stream of CPU, memory, network, disk I/O metrics • press Ctrl+C to stop.
docker top	`docker top web`	• Shows running processes inside a container • equivalent to `ps` inside the container.
docker port	`docker port web`	• Lists all port mappings for a container • shows host port → container port bindings.
docker diff	`docker diff web`	Shows filesystem changes (A=added, C=changed, D=deleted) since container creation.

Table 3: Image Management

Command	Example	Description
docker build	`docker build -t myapp:1.0 .`	• Builds an image from a Dockerfile • `-t` tags it, `.` specifies build context directory.
docker images	`docker images`	Lists all local images with repository, tag, image ID, creation date, and size.
docker pull	`docker pull nginx:alpine`	• Downloads an image from a registry (default Docker Hub) • pulls all layers not already cached.
docker push	`docker push myuser/myapp:1.0`	• Uploads an image to a registry • requires authentication via `docker login`.
docker tag	`docker tag myapp:1.0 myapp:latest`	• Creates a new tag pointing to the same image • does not copy the image.
docker rmi	`docker rmi nginx:alpine`	• Removes an image • fails if containers use it unless `-f` forces removal.
docker history	`docker history nginx`	• Shows all layers in an image with size and creation command • useful for debugging image bloat.
docker save	`docker save -o app.tar myapp:1.0`	Exports image to a tar archive preserving all layers and metadata.
docker load	`docker load -i app.tar`	• Imports image from tar archive • restores all layers and tags.
docker import	`docker import rootfs.tar myapp:1.0`	• Creates image from a tarball filesystem • no layer history preserved.
docker export	`docker export web -o web.tar`	• Exports container's filesystem as tar • flattens all layers, loses history.
docker commit	`docker commit web myapp:snapshot`	• Creates a new image from a container's changes • useful for debugging, avoid for production workflows.
docker search	`docker search --limit 5 nginx`	• Searches Docker Hub for images • `--limit` restricts results, `--filter` for stars or official status.

Table 4: Dockerfile Instructions

Instruction	Example	Description
FROM	`FROM node:18-alpine`	• Sets the base image • every Dockerfile starts with FROM • use specific tags, never `latest` in production.
RUN	`RUN apt-get update &&` `apt-get install -y curl`	• Executes commands during build time • each RUN creates a new layer • chain commands with `&&` to reduce layers.
CMD	`CMD ["npm", "start"]`	• Provides default command when container starts • overridden by `docker run` arguments • use exec form (JSON array).
ENTRYPOINT	`ENTRYPOINT ["python", "app.py"]`	• Sets the main executable • not easily overridden, CMD becomes arguments to ENTRYPOINT.
COPY	`COPY package*.json ./`	• Copies files from build context to image • preferred over ADD for simple file copying.
ADD	`ADD app.tar.gz /app/`	• Like COPY but auto-extracts tar archives and supports URLs • use COPY unless you need extraction.
WORKDIR	`WORKDIR /app`	• Sets working directory for subsequent instructions • creates directory if it doesn't exist.
ENV	`ENV NODE_ENV=production`	• Sets environment variables available at both build and runtime • persists in running containers.
ARG	`ARG VERSION=1.0`	• Defines build-time variables • not available in running containers, used with `--build-arg`.
EXPOSE	`EXPOSE 8080`	• Documents which ports the container listens on • does not publish ports, only metadata.
VOLUME	`VOLUME /data`	• Creates a mount point for persistent data • anonymous volume created if not specified at runtime.
USER	`USER node`	• Sets the user for running subsequent commands and the container • critical for security, avoid root.
LABEL	`LABEL version="1.0"`	• Adds metadata as key-value pairs • queryable with `docker inspect`, useful for versioning.
HEALTHCHECK	`HEALTHCHECK CMD curl -f \|\| exit 1`	• Defines how Docker tests if container is healthy • runs periodically, marks container unhealthy on failure.
STOPSIGNAL	`STOPSIGNAL SIGQUIT`	• Sets the system call signal sent to stop the container • default is SIGTERM, useful for apps needing different shutdown signals.
SHELL	`SHELL ["/bin/bash", "-c"]`	• Overrides the default shell for shell-form commands • default is `["/bin/sh", "-c"]` on Linux, enables bash-specific features.
ONBUILD	`ONBUILD COPY . /app`	• Adds a trigger instruction executed when image is used as base for another build • useful for framework base images.

Table 5: Build Optimization Techniques

Technique	Example	Description
Multi-stage builds	`FROM golang AS builder` `FROM alpine` `COPY --from=builder /app .`	• Uses multiple FROM statements to create separate build stages • copy only artifacts to final image, drastically reduces size.
Layer caching	`COPY package*.json ./` `RUN npm install` `COPY . .`	• Docker caches each layer • order instructions least to most frequently changed to maximize cache hits.
COPY --link	`COPY --link requirements.txt .`	• Makes the layer independent of its parent layers • changing earlier layers does not invalidate this layer's cache, improving resilience in multi-stage and large builds.
.dockerignore	`node_modules` `*.log` `.git`	• Excludes files from build context • reduces context size and prevents secrets from being copied.
BuildKit cache mounts	`RUN --mount=type=cache,target=/root/.npm` `npm install`	• Mounts a persistent cache during build • npm/pip/apt caches survive rebuilds, speeds up dependency installs.
Build secrets	`RUN --mount=type=secret,id=token` `curl -H "Auth: $(cat /run/secrets/token)"`	• Injects secrets without storing in image layers • secrets never appear in history or cache.
Minimal base images	`FROM alpine:3.21`	• Use alpine, distroless, or DHI images • reduce attack surface and image size (alpine ~5MB vs ubuntu ~80MB).
Combining RUN commands	`RUN apt-get update && apt-get install -y curl` `&& rm -rf /var/lib/apt/lists/*`	• Chain commands with `&&` to create single layer • clean up package caches in same layer to reduce size.
Buildx for multi-platform	`docker buildx build --platform` `linux/amd64,linux/arm64 -t app .`	• Builds images for multiple architectures (amd64, arm64) in one command • essential for M1/M2 Macs and ARM servers.

Table 6: Port Publishing and Networking

Option	Example	Description
-p (publish)	`docker run -p 8080:80 nginx`	• Maps host port to container port • format `hostPort:containerPort`, makes service accessible externally.
-P (publish-all)	`docker run -P nginx`	• Publishes all EXPOSE'd ports to random high ports on host • query with `docker port`.
Specific host IP	`docker run -p 127.0.0.1:8080:80 nginx`	• Binds to a specific host IP • limits access to localhost or a particular network interface.
Port ranges	`docker run -p 8000-8010:8000-8010 app`	• Maps a range of ports • useful for services needing multiple consecutive ports.
UDP ports	`docker run -p 53:53/udp dns`	• Publishes UDP instead of TCP • add `/udp` suffix to port mapping.

Table 7: Network Modes

Mode	Example	Description
bridge (default)	`docker run --network bridge nginx`	• Creates a virtual network on host • containers get private IPs, communicate via internal DNS, NAT for external access.
host	`docker run --network host nginx`	• Container shares host's network stack • no isolation, container binds to host ports directly, best performance.
none	`docker run --network none app`	• No networking • container is completely isolated, useful for batch jobs or maximum security.
overlay	`docker network create --driver overlay mynet`	• Enables multi-host networking for Swarm • containers on different hosts communicate as if on same LAN.
macvlan	`docker network create -d macvlan mynet`	• Assigns MAC address to container • appears as physical device on network, useful for legacy apps.
ipvlan	`docker network create -d ipvlan mynet`	• Like macvlan but containers share parent interface's MAC • avoids MAC address exhaustion.

Table 8: Network Management

Command	Example	Description
docker network create	`docker network create mynet`	• Creates a user-defined bridge network • enables automatic DNS resolution between containers.
docker network ls	`docker network ls`	Lists all networks with driver type and scope.
docker network connect	`docker network connect mynet web`	• Connects a running container to an additional network • containers can be on multiple networks.
docker network disconnect	`docker network disconnect mynet web`	Removes container from a network while it's running.
docker network inspect	`docker network inspect mynet`	Shows detailed network configuration including connected containers and IP addresses.
docker network rm	`docker network rm mynet`	• Removes a network • fails if containers are connected.
docker network prune	`docker network prune`	• Removes all unused networks • confirms before deletion.
host.docker.internal	`curl http://host.docker.internal:3000`	• DNS name resolving to the host machine from inside a container • auto-configured on Mac/Windows; on Linux add `--add-host=host.docker.internal:host-gateway` to `docker run`.

Table 9: Volume Management

Type	Example	Description
Named volumes	`docker run -v data:/app/data nginx`	• Docker-managed volumes stored in `/var/lib/docker/volumes/` • preferred for production, portable across hosts.
--mount syntax	`docker run --mount type=volume,source=mydata,target=/data nginx`	• Explicit, readable alternative to the `-v` flag • supports `type=bind`, `type=volume`, `type=tmpfs`; recommended for clarity and scripting.
Bind mounts	`docker run -v /host/path:/container/path nginx`	• Maps a host directory to container • changes sync in real-time, ideal for development.
tmpfs mounts	`docker run --tmpfs /tmp nginx`	• Stores data in host memory • not persisted to disk, ultra-fast, useful for caches and temporary files.
Anonymous volumes	`docker run -v /app/data nginx`	• Created automatically with random name • hard to manage, removed with container unless `--rm` is not used.
Read-only volumes	`docker run -v data:/app:ro nginx`	• Mounts volume as read-only • container cannot modify host files, improves security.
volumes-from	`docker run --volumes-from web nginx`	• Shares all volumes from another container • useful for backup containers.

Table 10: Volume Commands

Command	Example	Description
docker volume create	`docker volume create mydata`	• Creates a named volume before using it • can specify driver and options.
docker volume ls	`docker volume ls`	Lists all volumes with driver and mount point.
docker volume inspect	`docker volume inspect mydata`	Shows volume metadata including mountpoint on host filesystem.
docker volume rm	`docker volume rm mydata`	• Removes a volume • fails if in use by any container.
docker volume prune	`docker volume prune`	• Deletes all unused volumes • dangerous in production, confirms before deletion.

Table 11: Resource Constraints

Flag	Example	Description
--memory (-m)	`docker run -m 512m nginx`	• Limits container memory • container killed if exceeded (OOM), suffix: `b k m g`.
--memory-reservation	`docker run --memory-reservation 256m nginx`	• Soft limit • Docker tries to enforce when host memory is low, container can exceed it.
--cpus	`docker run --cpus 1.5 nginx`	• Limits container to 1.5 CPU cores • can be fractional (0.5 = 50% of one core).
--cpu-shares	`docker run --cpu-shares 512 nginx`	• Sets relative weight for CPU time • default 1024, container with 2048 gets 2x CPU time.
--cpuset-cpus	`docker run --cpuset-cpus 0,1 nginx`	• Pins container to specific CPU cores • useful for NUMA systems and performance-critical apps.
--pids-limit	`docker run --pids-limit 100 nginx`	• Limits number of PIDs (processes/threads) • prevents fork bombs.
--blkio-weight	`docker run --blkio-weight 500 nginx`	• Sets disk I/O priority • default 500, range 10-1000.
--gpus	`docker run --gpus all nvidia/cuda:12.0-base nvidia-smi`	• Grants container access to GPU devices • requires NVIDIA Container Toolkit; use `"device=0,1"` to target specific GPUs.

Table 12: Restart Policies

Policy	Example	Description
no (default)	`docker run --restart no nginx`	• Never restart container automatically • manual restart required.
on-failure	`docker run --restart on-failure:3 nginx`	• Restarts only if container exits with non-zero code • optional max retry count.
always	`docker run --restart always nginx`	• Always restarts container, even after host reboot • use for critical services.
unless-stopped	`docker run --restart unless-stopped nginx`	• Like `always` but respects manual stops • doesn't restart if explicitly stopped before reboot.

Table 13: Health Checks

Option	Example	Description
HEALTHCHECK instruction	`HEALTHCHECK --interval=30s CMD curl -f http://localhost/` `\|\| exit 1`	• Defines in Dockerfile how to test if container is healthy • runs periodically.
--health-cmd	`docker run --health-cmd "curl -f http://localhost/"`	• Runtime override of HEALTHCHECK • useful for testing without rebuilding image.
--health-interval	`docker run --health-interval=10s nginx`	• Time between health checks • default 30s.
--health-timeout	`docker run --health-timeout=5s nginx`	• How long to wait for check to complete • default 30s, fails if exceeded.
--health-retries	`docker run --health-retries=3 nginx`	• Number of consecutive failures before marking unhealthy • default 3.
--health-start-period	`docker run --health-start-period=60s nginx`	• Grace period before starting checks • allows slow apps to initialize, default 0s.

Table 14: Docker Compose Services

Attribute	Example	Description
image	`image: nginx:alpine`	• Specifies the image to use • pulled from registry if not local.
build	`build:` `context: .` `dockerfile: Dockerfile.prod`	• Builds image from Dockerfile • context is build directory, dockerfile is optional custom name.
ports	`ports:` `- "8080:80"`	• Publishes ports • short syntax `"host:container"` or long syntax with protocol.
volumes	`volumes:` `- ./data:/data:ro`	• Mounts volumes or bind mounts • supports short and long syntax with options.
environment	`environment:` `NODE_ENV: production`	• Sets environment variables • also supports array syntax and .env files.
depends_on	`depends_on:` `db:` `condition: service_healthy`	• Defines startup order and conditions • `service_healthy` waits for health checks.
networks	`networks:` `- frontend`	• Connects service to custom networks • enables network isolation.
restart	`restart: unless-stopped`	• Sets restart policy • options: no, always, on-failure, unless-stopped.
command	`command: npm run dev`	• Overrides default CMD from image • shell or exec form.
entrypoint	`entrypoint: /app/entrypoint.sh`	• Overrides ENTRYPOINT from image • rarely needed.
healthcheck	`healthcheck:` `test: ["CMD", "curl", "-f", "http://localhost/"]` `interval: 30s`	• Defines a health check in Compose • supports test, interval, timeout, retries, start_period.
deploy	`deploy:` `resources:` `limits:` `memory: 512M`	• Configures deployment and resource constraints • works in Compose for resource limits and GPU reservations.

Table 15: Docker Compose Commands

Command	Example	Description
docker compose up	`docker compose up -d`	• Creates and starts all services • `-d` runs detached, rebuilds if Dockerfile changed.
docker compose down	`docker compose down -v`	• Stops and removes containers, networks • `-v` also removes volumes, dangerous in production.
docker compose ps	`docker compose ps`	Lists containers for this Compose project only.
docker compose logs	`docker compose logs -f web`	• Shows logs from services • `-f` follows, specify service name to filter.
docker compose exec	`docker compose exec web sh`	• Runs command in a running service • defaults to first container if replicated.
docker compose build	`docker compose build --no-cache`	• Builds or rebuilds services • `--no-cache` forces full rebuild.
docker compose pull	`docker compose pull`	Pulls latest images for all services from registry.
docker compose restart	`docker compose restart web`	Restarts running services without recreating containers.
docker compose stop	`docker compose stop`	• Stops services without removing containers • faster than `down`.
docker compose start	`docker compose start`	• Starts stopped services • doesn't create new containers.
docker compose run	`docker compose run --rm web npm test`	• Runs a one-off command against a service • `--rm` removes container after exit, does not start linked services by default.
docker compose watch	`docker compose watch`	• Watches for file changes and auto-updates running services • actions: sync, rebuild, sync+restart.

Table 16: Docker Compose Advanced Features

Feature	Example	Description
profiles	`profiles: [debug]`	• Groups services for selective activation • `docker compose --profile debug up` only starts debug services.
extends	`extends:` `file: common.yml` `service: base`	• Inherits configuration from another service • enables reusable base definitions.
override files	`docker-compose.override.yml`	• Automatically merged with `docker-compose.yml` • environment-specific overrides without modifying base file.
include	`include:` `- monitoring.yml`	• Includes separate Compose files • combines multiple projects into one.
env_file	`env_file:` `- .env.prod`	• Loads environment variables from files • keeps secrets out of Compose file.
secrets	`secrets:` `- db_password`	• Injects secrets as files in container • mounted at `/run/secrets/`.
configs	`configs:` `- nginx.conf`	• Like secrets but for non-sensitive config files • also mounted as files.
develop (watch)	`develop:` `watch:` `- action: sync` `path: ./src` `target: /app/src`	• Configures hot-reload for development • actions: `sync` (copy files), `rebuild` (rebuild image), `sync+restart` (copy and restart).
YAML anchors	`x-common: &common` `restart: always` `services:` `web:` `<<: *common`	• Reuses config blocks with anchors and aliases • `x-` prefix defines extension fields that Compose ignores.
GPU support	`deploy:` `resources:` `reservations:` `devices:` `- driver: nvidia` `count: 1` `capabilities: [gpu]`	• Requests GPU access for a service • requires NVIDIA Container Toolkit installed on host.

Table 17: Registry and Authentication

Command	Example	Description
docker login	`docker login registry.example.com`	• Authenticates to a registry • stores credentials in `~/.docker/config.json`.
docker logout	`docker logout`	Removes stored credentials for default registry or specified one.
Username/password login	`docker login -u user -p pass`	• Non-interactive login • avoid in scripts, use stdin or token instead.
Token authentication	`echo $TOKEN \| docker login -u user --password-stdin`	• Passes password via stdin • more secure than command-line password.

Table 18: Image Tagging Strategies

Strategy	Example	Description
Semantic versioning	`myapp:1.2.3`	• Uses major.minor.patch format • best practice for release tracking and rollbacks.
Git commit SHA	`myapp:a3f2c1b`	• Tags with Git commit hash • enables exact source code traceability.
Environment tags	`myapp:prod-1.2.3`	• Includes environment prefix • clearly indicates deployment target.
Date-based tags	`myapp:2026-03-01`	• Timestamps with YYYY-MM-DD • useful for nightly builds or time-based releases.
Branch tags	`myapp:feature-auth`	• Tags with branch name • tracks feature development images.

Table 19: Cleanup and Maintenance

Command	Example	Description
docker system prune	`docker system prune -a`	• Removes stopped containers, unused networks, dangling images • `-a` removes all unused images.
docker image prune	`docker image prune -a --filter "until=168h"`	• Removes unused images • `--filter "until=168h"` keeps images created in last 7 days.
docker container prune	`docker container prune`	• Removes all stopped containers • confirms before deletion.
docker volume prune	`docker volume prune`	• Deletes unused volumes • extremely dangerous in production, back up first.
docker network prune	`docker network prune`	• Removes unused networks • safe operation.
docker builder prune	`docker builder prune`	• Clears BuildKit cache • frees disk space from layer caching.

Table 20: Logging Drivers

Driver	Example	Description
json-file (default)	`--log-driver json-file`	• Stores logs as JSON on disk • queryable with `docker logs`, limited rotation.
local	`--log-driver local`	• Optimized local file driver with automatic log rotation • better performance than json-file.
syslog	`--log-driver syslog --log-opt syslog-address=udp://host:514`	• Forwards logs to syslog daemon • integrates with centralized logging.
journald	`--log-driver journald`	• Sends logs to systemd journal • query with `journalctl`.
fluentd	`--log-driver fluentd --log-opt fluentd-address=host:24224`	• Forwards to Fluentd collector • popular for Kubernetes and centralized logging.
awslogs	`--log-driver awslogs --log-opt awslogs-group=myapp`	• Sends logs to AWS CloudWatch Logs • requires AWS credentials.
gcplogs	`--log-driver gcplogs`	• Forwards to Google Cloud Logging • auto-detects GCP metadata.
splunk	`--log-driver splunk --log-opt splunk-token=XXX`	• Sends logs to Splunk HTTP Event Collector • enterprise logging solution.

Table 21: Security Practices

Practice	Example	Description
Run as non-root user	`USER node`	• Creates and switches to non-root user • prevents privilege escalation attacks.
Read-only root filesystem	`docker run --read-only nginx`	• Makes container filesystem immutable • prevents tampering, use tmpfs for writable dirs.
Drop capabilities	`docker run --cap-drop ALL --cap-add NET_BIND_SERVICE nginx`	• Removes Linux capabilities • principle of least privilege, drop ALL then add only needed ones.
Use secrets	`RUN --mount=type=secret,id=token`	• Never hardcode secrets in images • use BuildKit secrets or runtime secrets.
Scan images	`docker scout cves nginx:latest`	• Scans for vulnerabilities • integrates with Docker Scout, Trivy, Snyk.
Minimal base images	`FROM gcr.io/distroless/static`	• Use distroless or alpine • fewer packages = smaller attack surface.
No privileged mode	Avoid `--privileged`	• Never use in production • gives full host access, defeats containerization.
Security profiles	`--security-opt seccomp=profile.json`	• Apply seccomp/AppArmor/SELinux profiles • restricts syscalls and actions.
Rootless mode	`dockerd-rootless-setuptool.sh install`	• Runs Docker daemon without root privileges • mitigates potential vulnerabilities in daemon and container runtime.
--no-new-privileges	`docker run --security-opt no-new-privileges nginx`	• Prevents processes from gaining additional privileges via setuid/setgid • critical for defense in depth.
Docker Hardened Images (DHI)	`FROM dhi.io/python:3.12`	• Docker's distroless-based, CVE-free base images • free since Dec 2025, auto-patched within 24hrs, include SBOM and provenance attestations.

Table 22: Signal Handling

Signal	Example	Description
SIGTERM	Sent by `docker stop`	• Graceful shutdown signal • application should clean up resources and exit within grace period (default 10s).
SIGKILL	Sent after grace period	• Force kill signal • cannot be caught or ignored, immediate termination.
SIGINT	Ctrl+C in attached mode	• Interrupt signal • often handled same as SIGTERM by applications.
SIGHUP	`docker kill -s SIGHUP web`	• Hangup signal • commonly used to reload configuration without restart.
Exec form vs shell form	`CMD ["app"]` vs `CMD app`	• Exec form (JSON array) makes app PID 1, receives signals • shell form wraps in `/bin/sh -c`, signals go to shell.

Table 23: Context and Remote Docker

Command	Example	Description
docker context create	`docker context create remote --docker "host=ssh://user@host"`	• Creates a remote Docker context • enables managing remote Docker daemons.
docker context use	`docker context use remote`	• Switches active context • all docker commands target this daemon.
docker context ls	`docker context ls`	Lists all contexts with current one marked by `*`.
docker context rm	`docker context rm remote`	• Removes a context • cannot remove active context.
DOCKER_HOST variable	`export DOCKER_HOST=ssh://user@host`	• Sets remote daemon via environment variable • alternative to contexts.

Table 24: Docker Swarm Basics

Command	Example	Description
docker swarm init	`docker swarm init`	• Initializes a Swarm cluster • current node becomes manager.
docker swarm join	`docker swarm join --token TOKEN host:2377`	Joins a node to existing Swarm as worker or manager.
docker service create	`docker service create --replicas 3 nginx`	Creates a Swarm service with replicas across cluster.
docker service scale	`docker service scale web=5`	Scales service to specified number of replicas.
docker service update	`docker service update --image nginx:1.21 web`	• Rolling update of service • updates containers one by one.
docker node ls	`docker node ls`	Lists all nodes in Swarm with status and availability.
docker stack deploy	`docker stack deploy -c compose.yml myapp`	• Deploys a Compose file to Swarm • creates all services, networks, volumes.

Table 25: Environment Variables

Method	Example	Description
-e flag	`docker run -e NODE_ENV=prod nginx`	• Sets single variable • most direct method, visible in `docker inspect`.
--env-file	`docker run --env-file .env nginx`	• Loads variables from file • one VAR=value per line, comments with `#`.
ENV in Dockerfile	`ENV NODE_ENV=production`	• Bakes variables into image • persists in all containers, bad for secrets.
ARG in Dockerfile	`ARG VERSION=1.0`	• Build-time only variables • passed with `--build-arg`, not in final image.
Compose environment	`environment:` `NODE_ENV: prod`	• Sets variables in Compose file • applies to that service only.
Compose env_file	`env_file: .env`	• Loads variables from file in Compose • supports multiple files.

Table 26: Inspect and Debug

Command	Example	Description
docker inspect	`docker inspect --format '{{.State.Status}}' web`	• Shows raw JSON config • use `--format` with Go templates to extract specific fields.
docker events	`docker events --filter type=container`	• Live stream of daemon events • shows create, start, stop, die, etc.
docker system df	`docker system df -v`	• Shows disk usage by images, containers, volumes • `-v` for detailed breakdown.
docker system info	`docker system info`	Displays system-wide information including storage driver, kernel version, containers count.
docker version	`docker version`	Shows client and server versions with API version and Go version.
docker debug	`docker debug web`	• Launches a debug shell attached to container's namespaces • requires Docker Desktop; works even on containers without a shell.
docker init	`docker init`	• Generates Dockerfile, compose.yaml, .dockerignore for a project • supports Go, Node, Python, Rust, Java, PHP, ASP.NET templates.

Table 27: Copy Operations

Command	Example	Description
docker cp (container to host)	`docker cp web:/app/log.txt ./log.txt`	• Copies file from container to host • works on running and stopped containers.
docker cp (host to container)	`docker cp ./config.yml web:/app/config.yml`	• Copies file from host to container • immediately available in running container.
Copy directories	`docker cp web:/app/logs ./logs`	Recursively copies entire directories.
Archive mode	`docker cp -a web:/app ./backup`	• Preserves UID/GID and permissions • equivalent to `cp -a`.

Table 28: BuildKit Advanced Features

Feature	Example	Description
Cache mounts	`RUN --mount=type=cache,target=/root/.cache/pip` `pip install -r requirements.txt`	• Persists package manager cache across builds • dramatically speeds up dependency installs.
SSH mounts	`RUN --mount=type=ssh git clone git@github.com:repo`	• Forwards SSH agent into build • enables private Git repos without storing keys.
Bind mounts	`RUN --mount=type=bind,source=.,target=/src` `make build`	• Mounts files into build without COPY • doesn't add to image layers.
External cache	`docker build --cache-from type=registry,ref=myapp:cache`	• Uses remote cache from registry • enables cache sharing across CI runners.
Inline cache	`docker build --cache-to type=inline`	• Embeds cache metadata in image • simplest cache sharing method.
SBOM attestation	`docker buildx build --sbom=true -t myapp .`	• Embeds a Software Bill of Materials as an OCI attestation • lists all packages and dependencies discovered in the image.
Provenance attestation	`docker buildx build --provenance=mode=max -t myapp .`	• Records SLSA-compliant build provenance • cryptographically proves what commit, CI runner, and inputs produced the image.
Buildx bake	`docker buildx bake -f docker-bake.hcl`	• Builds multiple targets from an HCL/JSON/Compose definition file • enables complex build pipelines with shared variables and matrix builds.

Table 29: Docker Scout Commands

Command	Example	Description
docker scout cves	`docker scout cves nginx:latest`	• Scans an image for CVEs • shows severity, CVSS score, affected package, and fix availability.
docker scout quickview	`docker scout quickview nginx:latest`	• Displays a summary of vulnerabilities and policy compliance • fast overview without printing the full CVE list.
docker scout recommendations	`docker scout recommendations nginx:latest`	• Suggests base image upgrades that reduce the CVE count • shows how many CVEs each alternative version would eliminate.
docker scout sbom	`docker scout sbom nginx:latest`	• Generates a Software Bill of Materials • lists all packages, versions, and licenses found in the image.
docker scout compare	`docker scout compare nginx:1.25 --to nginx:latest`	• Compares vulnerability profiles of two images • useful to verify CVE reduction after a base image update.
docker scout enroll	`docker scout enroll myorg`	• Enrolls an organization in Docker Scout • enables policy enforcement, repository integration, and team dashboards.

Table 30: Docker Model Runner

Command	Example	Description
docker model pull	`docker model pull ai/llama3.2`	• Downloads an AI model from Docker Hub • models are versioned and stored locally, managed like images.
docker model run	`docker model run ai/llama3.2`	• Runs a model interactively in the terminal • provides a live chat interface for direct prompting.
docker model run -d	`docker model run -d --name llm ai/llama3.2`	• Starts model as a background service • accessible via OpenAI-compatible REST API from host or other containers.
docker model list	`docker model list`	Lists all locally downloaded AI models with size and status.
docker model rm	`docker model rm ai/llama3.2`	Removes a downloaded model from local storage.
OpenAI-compatible API	`curl http://model-runner.docker.internal/engines/v1/chat/completions`	• Access running model via OpenAI-compatible endpoint • use from other containers; also accessible on host at `http://localhost:12434/engines/v1`.

Table 31: Docker Build Cloud

Feature	Example	Description
Create cloud builder	`docker buildx create --driver cloud myorg/mybuilder`	• Creates a remote cloud-based builder • builds run in Docker's infrastructure, not on the local machine.
Build with cloud	`docker buildx build --builder cloud-myorg/mybuilder -t myapp .`	• Sends build to cloud infrastructure • more CPU/RAM than local, shared cache across the whole team.
Set as default builder	`docker buildx use cloud-myorg/mybuilder`	Sets the cloud builder as default for all subsequent `docker buildx build` commands.
List builders	`docker buildx ls`	Lists all available builders including cloud builders and their status.
Shared build cache	(automatic across team)	• All team members share a persistent remote cache • first build warms cache, subsequent team builds dramatically faster.

Table 32: Compose Dependency Conditions

Condition	Example	Description
service_started	`depends_on:` `db:` `condition: service_started`	• Waits for service to be started • doesn't guarantee it's ready, default behavior.
service_healthy	`depends_on:` `db:` `condition: service_healthy`	• Waits for health check to pass • requires HEALTHCHECK in image or Compose.
service_completed_successfully	`depends_on:` `migrate:` `condition: service_completed_successfully`	• Waits for one-off task to exit with code 0 • useful for migrations.

Table 33: Distroless and Minimal Images

Image	Example	Description
Alpine Linux	`FROM alpine:3.21`	• Lightweight 5MB base • uses musl libc, may have compatibility issues with compiled binaries.
Distroless	`FROM gcr.io/distroless/static-debian12`	• No shell, no package manager • only runtime dependencies, ultimate security and size reduction.
Scratch	`FROM scratch`	• Empty base image • use for static binaries only (Go, Rust), absolute minimal size.
Distroless with shell (debug)	`FROM gcr.io/distroless/base-debian12:debug`	• Adds busybox shell to distroless • only for debugging, never production.
Docker Hardened Images (DHI)	`FROM dhi.io/python:3.12`	• Docker's distroless-based, CVE-free official images • free since Dec 2025, auto-patched within 24hrs, include SBOM and provenance attestations.

Back to Containers Orchestration

Next Topic: Docker Compose Cheat Sheet

References

Docker Cheat Sheet

Table 1: Container Lifecycle Management

Table 2: Container Inspection and Interaction

Table 3: Image Management

Table 4: Dockerfile Instructions

Table 5: Build Optimization Techniques

Table 6: Port Publishing and Networking

Table 7: Network Modes

Table 8: Network Management

Table 9: Volume Management

Table 10: Volume Commands

Table 11: Resource Constraints

Table 12: Restart Policies

Table 13: Health Checks

Table 14: Docker Compose Services

Table 15: Docker Compose Commands

Table 16: Docker Compose Advanced Features

Table 17: Registry and Authentication

Table 18: Image Tagging Strategies

Table 19: Cleanup and Maintenance

Table 20: Logging Drivers

Table 21: Security Practices

Table 22: Signal Handling

Table 23: Context and Remote Docker

Table 24: Docker Swarm Basics

Table 25: Environment Variables

Table 26: Inspect and Debug

Table 27: Copy Operations

Table 28: BuildKit Advanced Features

Table 29: Docker Scout Commands

Table 30: Docker Model Runner

Table 31: Docker Build Cloud

Table 32: Compose Dependency Conditions

Table 33: Distroless and Minimal Images

References

Official Documentation

Technical Blogs & Tutorials

Building Best Practices

Multi-Stage Builds & Optimization

BuildKit & Caching

Security Best Practices

Networking

Storage & Volumes

Docker Compose

Resource Management & Monitoring

Logging

Registry & Authentication

Health Checks & Restart Policies

Signal Handling & Graceful Shutdown

Multi-Platform Builds

Cleanup & Maintenance

User Permissions & Security

Environment Variables

Image Management & Tagging

Inspection & Debugging

Docker Init & Debug

Docker Compose Watch & Development

Container Management CLIs

Dockerfile Advanced Instructions

BuildKit Advanced & Bake

Security Advanced

Docker Swarm & Orchestration

Distroless & Minimal Images

Docker Model Runner & AI

Docker Build Cloud

Additional 2026 Resources