Docker Reference
Free reference guide: Docker Reference
About Docker Reference
The Docker Reference is a searchable cheat sheet covering the full Docker CLI and configuration surface across eight categories. Basic Commands covers day-to-day container lifecycle operations: docker run (with detach, name, and port flags), docker ps (including stopped containers with -a), docker stop/start, docker rm, docker exec for interactive or one-off commands inside running containers, docker logs with follow and tail options, and docker inspect for detailed JSON metadata. Dockerfile instructions span FROM (base image), WORKDIR, COPY/ADD, RUN, CMD/ENTRYPOINT, ENV, EXPOSE, and multi-stage builds for producing lean production images. Images covers docker build with custom Dockerfiles, docker images, docker pull/push to registries, docker rmi, and docker save/load for air-gapped transfers.
Container management entries address interactive containers with docker run -it, file transfers with docker cp, real-time resource monitoring with docker stats, committing container state with docker commit, and restart policies (always, on-failure, unless-stopped). The Networking category explains creating custom bridge networks, connecting containers, listing networks, host networking mode, and DNS-based container-to-container communication. Volumes includes named volume creation, bind mounts with -v, explicit --mount syntax with readonly support, volume listing and pruning, and tmpfs in-memory mounts. Docker Compose entries show docker compose up/down (with volume cleanup), the compose.yaml service structure with depends_on and environment variables, log streaming, and horizontal scaling with --scale.
The Security section is particularly valuable for hardening containers in production: --security-opt for seccomp profiles and no-new-privileges, --read-only for immutable container filesystems, --cap-drop ALL / --cap-add for Linux capability control, --user for running as non-root, and docker scout for vulnerability scanning. Entries are grouped into eight filterable categories and every example is a complete, runnable command ready to paste into a terminal.
Key Features
- Basic commands: docker run, ps, stop/start, rm, exec, logs, and inspect with all critical flags
- Dockerfile: FROM, WORKDIR, COPY/ADD, RUN, CMD/ENTRYPOINT, ENV, EXPOSE, and multi-stage build pattern
- Image management: docker build, images, pull/push, rmi, and save/load for offline transfer
- Container ops: interactive run, docker cp file transfer, docker stats, docker commit, and restart policies
- Networking: custom bridge networks, container DNS, host networking, and network connect/inspect
- Volumes: named volumes, bind mounts (-v), explicit --mount, volume pruning, and tmpfs mounts
- Docker Compose: up/down, compose.yaml structure with services/volumes, log tailing, and --scale
- Security hardening: --security-opt, --read-only, --cap-drop/--cap-add, --user, and docker scout CVE scanning
Frequently Asked Questions
What is the difference between CMD and ENTRYPOINT in a Dockerfile?
ENTRYPOINT defines the executable that always runs when the container starts (e.g., ["node"]). CMD provides default arguments that can be overridden at runtime (e.g., ["server.js"]). Used together, ENTRYPOINT ["node"] CMD ["server.js"] means the container runs node server.js by default, but you can override the file by passing a different argument to docker run. If only CMD is used, the entire command can be replaced.
What is a multi-stage Docker build and why should I use it?
A multi-stage build uses multiple FROM instructions in one Dockerfile. Each stage can use a different base image. Only the files explicitly copied with COPY --from=<stage> make it into the final image, discarding build tools, source code, and intermediate artifacts. This drastically reduces image size — a Node.js app built with node:20 can be shipped in a node:20-alpine image containing only the compiled output.
What is the difference between a bind mount and a named volume?
A bind mount (-v /host/path:/container/path) maps a specific directory from the host filesystem into the container. Changes are immediately visible on both sides, making it ideal for development. A named volume (docker volume create my-data; docker run -v my-data:/app/data) is managed by Docker and stored in a Docker-controlled location. Named volumes persist independently of any container and are preferred for production data because they are portable and not tied to host paths.
How does Docker container DNS work on a custom network?
Containers on the same user-defined bridge network can reach each other using the container name as a hostname. For example, if a postgres container is named 'db' and your app container is named 'app', the app can connect to db:5432. This automatic service discovery only works on custom networks, not the default bridge network.
What does --restart=unless-stopped do?
The --restart=unless-stopped policy automatically restarts a container after the Docker daemon restarts or the host reboots, as long as you didn't manually stop it with docker stop. 'always' restarts even after a manual stop. 'on-failure[:N]' only restarts if the container exits with a non-zero status (optionally limiting retries). Use unless-stopped for production services that should survive reboots.
How do I reduce container attack surface with capability control?
Start by dropping all Linux capabilities with --cap-drop ALL, then add back only what the application needs with --cap-add. For example, a web server binding to port 80 needs --cap-add NET_BIND_SERVICE. This principle of least privilege means a compromised container process cannot perform privileged operations like loading kernel modules or changing network configuration.
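The compose.yaml below is an added illustration, not taken from the reference itself, that puts the answers above into one stack: the app reaches the database as db over a user-defined network, the database keeps its data in a named volume while the app bind-mounts its source, both services use the unless-stopped restart policy, and the app runs with every capability dropped except NET_BIND_SERVICE, a read-only root filesystem, no-new-privileges and a non-root user. It assumes a multi-stage Dockerfile in the build context whose final stage is named runtime and creates UID/GID 10001; the service names, ports and credentials are constructed placeholders.

```yaml
# compose.yaml: added example for the FAQ answers above, not taken from the reference
# Assumes a multi-stage Dockerfile in this directory whose final stage is named
# "runtime" and creates UID/GID 10001; names, ports and credentials are placeholders.
services:
  app:
    build:
      context: .
      target: runtime              # build only up to the lean final stage
    entrypoint: ["node"]           # fixed executable, as ENTRYPOINT ["node"]
    command: ["server.js"]         # default argument, as CMD ["server.js"]; overridable
    depends_on:
      - db
    environment:
      DATABASE_URL: postgres://app:app@db:5432/app   # "db" resolves by container name
    ports:
      - "8080:80"
    networks:
      - backend
    volumes:
      - ./src:/app/src:ro          # bind mount: host source visible live (development)
    read_only: true                # immutable root filesystem
    tmpfs:
      - /tmp                       # in-memory scratch space since / is read-only
    user: "10001:10001"            # run as non-root
    cap_drop:
      - ALL                        # start from zero capabilities...
    cap_add:
      - NET_BIND_SERVICE           # ...and add back only what binding port 80 needs
    security_opt:
      - no-new-privileges:true     # block setuid/setcap escalation inside the container
    restart: unless-stopped        # survives daemon restart and host reboot, not docker stop
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      POSTGRES_PASSWORD: app       # placeholder value
      POSTGRES_DB: app
    networks:
      - backend
    volumes:
      - pgdata:/var/lib/postgresql/data   # named volume: Docker-managed, outlives the container
    restart: unless-stopped
networks:
  backend: {}                      # user-defined bridge: enables name-based DNS
volumes:
  pgdata: {}
```

Running docker compose run --rm app healthcheck.js replaces only the CMD-style argument while keeping the node entrypoint, and docker compose up --build rebuilds the app stage after a code change.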
What is the difference between docker compose up and docker compose up --build?
docker compose up starts the services defined in compose.yaml, pulling images that are not yet local. docker compose up --build forces a rebuild of any service whose build context is defined, ensuring you run the latest code. Use --build during development after changing application code; omit it in production where image tags are pinned.
How can I scan a Docker image for security vulnerabilities?
Use docker scout quickview <image> for a quick summary or docker scout cves <image> for a detailed CVE list. Docker Scout analyzes the image layers against vulnerability databases and reports affected packages with severity levels. You can also integrate scanning into CI/CD pipelines to block promotion of images with critical CVEs.