🐳 Docker

Command Reference & Compose Guide

Containers

docker run -d -p 8080:80 image

Run container detached, map host:container port

docker run -it --rm image bash

Interactive shell, auto-remove on exit

docker run --name myapp -e KEY=val image

Named container with environment variable

docker run -v ./data:/data image

Bind-mount host directory into container

docker ps

List running containers

docker ps -a

List all containers including stopped

docker stop id|name

Gracefully stop a container (SIGTERM → SIGKILL)

docker rm id|name

Remove a stopped container

docker exec -it name bash

Shell into a running container

docker logs -f name

Stream live container logs

docker inspect name

Full JSON metadata for a container or image

docker stats

Live CPU/mem/net usage for all containers

Images

docker pull image:tag

Download image from registry

docker build -t name:tag .

Build image from Dockerfile in current dir

docker build --no-cache -t name:tag .

Force full rebuild, ignore layer cache

docker images

List local images

docker rmi image:tag

Remove a local image

docker tag src:tag dst:tag

Alias an image with a new name/tag

docker push name:tag

Push image to registry

docker history image

Show layers and sizes of an image

Volumes & Networks

docker volume create vol

Create a named volume

docker volume ls

List all volumes

docker volume rm vol

Delete a volume

docker network create net

Create a bridge network

docker network ls

List networks

docker network inspect net

Show containers attached and subnet info

Cleanup

docker system prune

Remove stopped containers, dangling images, unused networks

docker system prune -a

Also remove all unused images (not just dangling)

docker image prune -a

Remove all images not used by a running container

docker volume prune

Remove all unused volumes

# compose.yaml — annotated example
services:

  web:
    image: nginx:alpine          # use a pre-built image
    build: ./app                 # — or build from Dockerfile
    restart: unless-stopped
    ports:
      - "80:80"                   # host:container
      - "443:443"
    environment:
      - NODE_ENV=production
      - DB_HOST=db               # service name = hostname
    volumes:
      - ./html:/usr/share/nginx/html:ro
      - data-vol:/data           # named volume
    depends_on:
      - db
    networks:
      - frontend
      - backend
    healthcheck:
      test: ["CMD","curl","-f","http://localhost"]
      interval: 30s
      timeout: 10s
      retries: 3

  db:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_PASSWORD: secret
      POSTGRES_DB: mydb
    volumes:
      - pg-data:/var/lib/postgresql/data
    networks:
      - backend

volumes:
  data-vol:            # managed by Docker
  pg-data:

networks:
  frontend:
  backend:
    driver: bridge

key: — directive value — string 30s — duration/number # comment — ignored

Common Compose Commands

docker compose up -d

Start all services in background

docker compose up --build -d

Rebuild images then start

docker compose down

Stop and remove containers and networks

docker compose down -v

Also remove named volumes

docker compose ps

Show service status

docker compose logs -f service

Tail logs for a specific service

docker compose exec service bash

Shell into a running service container

docker compose restart service

Restart a single service

docker compose pull

Pull latest images for all services

docker compose config

Validate and print the resolved compose config

Patterns

restart policies

no — never restart
always — always restart
unless-stopped — restart unless manually stopped
on-failure — only on non-zero exit

service discovery

Services on the same network reach each other by service name as hostname. No extra DNS config needed.

env files

Use env_file: .env to load variables from a file instead of listing them inline. Keep secrets out of compose.yaml.

build context

build: ./dir uses ./dir/Dockerfile. Use build.context + build.dockerfile for custom paths.

profiles

Tag services with profiles: [dev] and start them selectively with --profile dev.

depends_on

Only waits for container start, not readiness. Use healthcheck + depends_on.condition: service_healthy for true readiness.

📦

Container

A running instance of an image

A container is an isolated Linux process (or group of processes) that shares the host OS kernel but has its own filesystem, network stack, and process namespace. It starts from an image and runs your application in a sandboxed environment.

Isolation

Uses Linux namespaces (pid, net, mnt, uts, ipc) to isolate processes and cgroups to limit CPU/memory.

Ephemeral by default

Filesystem changes exist only while the container runs. On removal, all writes are lost unless a volume is attached.

Lifecycle

created → running → paused → stopped → removed. A stopped container retains its writable layer until docker rm.

Not a VM

No hypervisor, no guest OS. Starts in milliseconds. Shares the host kernel — far lighter than a virtual machine.

Analogy: An image is a cookie-cutter; a container is the cookie. You can cut many identical cookies from one cutter, and eating one doesn't affect the others.

🖼️

Image

A read-only template used to create containers

An image is an immutable, read-only snapshot of a filesystem and its metadata (entry point, env vars, exposed ports). It's built from a Dockerfile layer-by-layer and stored locally or in a registry. Running an image creates a container.

Layered filesystem

Each Dockerfile instruction adds a read-only layer. Layers are shared across images, saving disk space.

Content-addressed

Images are identified by a SHA256 digest. Tags (nginx:alpine) are just human-readable aliases for a digest.

Base images

Every image starts FROM a parent. FROM scratch builds from nothing — used for minimal static binaries.

Multi-platform

A single tag can point to a manifest list with images for amd64, arm64, etc. Docker pulls the right one automatically.

Analogy: An image is a class definition in OOP; a container is an instance of that class. Many instances can share one class, each with its own runtime state.

💾

Volume

Persistent storage that outlives containers

A volume is a Docker-managed directory that persists data independently of the container lifecycle. Unlike the container's writable layer, volumes survive docker rm and can be shared across multiple containers simultaneously.

Named volumes

Created with docker volume create or declared in compose. Stored under /var/lib/docker/volumes/ on the host.

Bind mounts

Mount any host path (-v ./src:/app) directly. Good for dev; less portable than named volumes.

tmpfs mounts

Stored in host RAM only — never written to disk. Useful for sensitive data or high-speed scratch space.

Sharing

Multiple containers can mount the same volume concurrently. Applications must handle their own locking/coordination.

Analogy: A volume is a USB drive. You can plug it into any container, unplug it without losing data, and plug it into a different container later.

🌐

Network

Virtual network connecting containers

Docker networks are software-defined virtual networks that control how containers communicate with each other and the outside world. Containers on the same network can reach each other by service name — no IPs needed.

bridge (default)

Private internal network on the host. Containers communicate via IP; port publishing exposes them externally. Default for docker run.

host

Container shares the host's network stack directly. No isolation, best performance. Linux only; not available on Docker Desktop.

none

No network at all — fully air-gapped container. Useful for batch jobs that need maximum isolation.

overlay

Spans multiple Docker hosts via VXLAN. Required for Docker Swarm multi-host service communication.

DNS resolution

Containers on a user-defined bridge resolve each other by container/service name automatically — no /etc/hosts editing.

Port mapping

-p 8080:80 binds host port 8080 to container port 80. Without it, the container is unreachable from outside Docker.

Analogy: A Docker network is a private LAN in a building. Services on the same LAN can talk freely; the outside world can only reach them through specific published ports.

📄

Dockerfile

Recipe for building a Docker image

A Dockerfile is a plain-text script of instructions that Docker executes in order to assemble an image. Each instruction creates a new read-only layer. The final image is the union of all layers.

FROM

Sets the base image. Every Dockerfile must start with this. FROM node:22-alpine — choose minimal tags for smaller images.

RUN

Executes a shell command and commits the result as a new layer. Chain commands with && to reduce layer count.

COPY / ADD

COPY copies files from build context into the image. ADD also handles URLs and tar extraction (prefer COPY).

CMD / ENTRYPOINT

ENTRYPOINT is the fixed executable; CMD provides default args. Together: ENTRYPOINT ["node"] + CMD ["server.js"].

ENV / ARG

ENV sets runtime environment variables. ARG is build-time only — use for version pins, not secrets.

Multi-stage builds

Use multiple FROM statements to separate build tools from the final image. Copy only artifacts between stages to keep images tiny.

Analogy: A Dockerfile is a recipe. Running docker build is like following the recipe step-by-step in a kitchen to produce the final dish (image).

🗄️

Registry

Storage and distribution for Docker images

A registry is a server that stores Docker images organized into repositories. docker pull downloads images from a registry; docker push uploads them. Docker Hub is the default public registry; private registries are common in production.

Docker Hub

Default public registry at hub.docker.com. Images without a hostname prefix are pulled from here (e.g., nginx:alpine).

Private registries

AWS ECR, Google Artifact Registry, GitHub Container Registry, self-hosted Registry. Prefix image name with the registry hostname.

Image naming

[registry/][user/]name[:tag][@digest]. Tag defaults to latest. Digest pins to an exact immutable version.

Authentication

docker login registry.example.com stores credentials. Private images require authentication to pull.

Analogy: A registry is like npm or PyPI — a central store where you publish and consume versioned packages, except the packages are entire application environments.

🥞

Layer

Immutable diff that makes up an image

An image is built from a stack of read-only layers. Each Dockerfile instruction that changes the filesystem produces one layer — a diff recording what was added, modified, or deleted. At runtime, Docker adds a thin writable layer on top for the container.

Union filesystem

Docker uses overlay2 (default) to merge layers into a unified view. Lower layers are never modified — only the top writable layer changes.

Layer caching

If a layer's inputs haven't changed, Docker reuses the cached layer during docker build. Order instructions by change frequency — least-changed first.

Shared layers

Layers with the same SHA256 are stored once on disk and shared across all images that use them. FROM node:22 in 10 projects = one copy on disk.

Copy-on-write

When a container writes to a file from a lower layer, Docker copies it up to the writable layer first (CoW). The original layer is unchanged.

Minimizing layers

Chain RUN apt-get update && apt-get install -y pkg && rm -rf /var/lib/apt/lists/* in one instruction to avoid bloated intermediate layers.

Inspecting layers

docker history image shows each layer's size and instruction. docker image inspect image lists layer SHAs.

Analogy: Layers are like Git commits — each records a diff from the previous state, and the final result is the sum of all commits applied in order.

2008

dotCloud Foundedcompany

Solomon Hykes founds dotCloud in Paris — a platform-as-a-service startup. The internal container tooling built to run customer workloads becomes the seed of Docker.

Mar 2013

Docker 0.1 — PyCon Demomilestone

Solomon Hykes demos Docker in a 5-minute lightning talk at PyCon Santa Clara. The live demo of container isolation sparks immediate viral interest. Docker is open-sourced the same day on GitHub.

Jun 2013

dotCloud Rebrands to Docker, Inc.company

The company pivots entirely around Docker, drops the PaaS business, and renames itself Docker, Inc. The GitHub repo hits 10,000 stars within weeks of the pivot announcement.

Jun 2014

Docker 1.0 — Production Readyrelease

Docker 1.0 ships at DockerCon in San Francisco, declaring the runtime production-stable. Google, IBM, Microsoft, Red Hat, and Rackspace are launch partners. 100+ ships at the conference.

Jul 2014

Docker Hub Launchesecosystem

Docker Hub goes live as the public image registry. Developers can push and pull images with a single command. Within a year it hosts over 100,000 images from the community.

Oct 2014

Microsoft Partnershipcompany

Microsoft and Docker announce deep integration — Docker Engine support for Windows Server and native Azure tooling. Satya Nadella demos Docker on stage at the Microsoft event, signaling Windows' embrace of Linux containers.

Jan 2015

Docker Compose (née Fig) Adoptedecosystem

Docker acquires Orchard and folds Fig — the popular multi-container orchestration tool — into the official Docker toolset, renaming it Docker Compose. The docker-compose.yml format becomes the standard for local dev stacks.

Jun 2015

Open Container Initiative Foundedecosystem

Docker, CoreOS, Google, Microsoft, and others form the OCI under the Linux Foundation to standardize container image and runtime specs. Docker donates its runc runtime as the OCI reference implementation.

Jun 2016

Docker 1.12 — Swarm Mode Built-Inrelease

Docker 1.12 ships with Swarm mode integrated directly into the engine — no separate cluster manager needed. A single docker swarm init creates a production-grade cluster. Services, rolling updates, and load balancing are all built in.

Mar 2016

Docker for Mac & Windows Betarelease

Docker for Mac and Docker for Windows enter public beta, replacing Docker Toolbox. Native hypervisor integration (HyperKit on Mac, Hyper-V on Windows) eliminates the VirtualBox dependency and delivers near-native I/O performance.

Jan 2017

Docker CE / EE Splitcompany

Docker splits into Community Edition (free, monthly releases) and Enterprise Edition (paid, quarterly, with support SLA). Version numbers shift to a year-month scheme: 17.03, 17.06, etc.

Apr 2017

Moby Project — Open Source Componentsecosystem

Docker open-sources the assembly framework behind Docker itself as "Moby" — a set of reusable components for building container systems. Separates the upstream project from the commercial Docker product.

Oct 2017

Kubernetes Support Addedmilestone

Docker adds native Kubernetes support to Docker Desktop and Docker EE at DockerCon Europe — conceding that Kubernetes had won the orchestration war. Users can run a local single-node k8s cluster alongside Swarm from Docker Desktop.

2019

BuildKit — Next-Gen Build Enginerelease

BuildKit becomes the default build backend, bringing parallel stage execution, better caching, secret mounts, and SSH forwarding to Dockerfiles. Build times for large multi-stage images drop dramatically.

Nov 2019

Docker Enterprise Sold to Mirantiscompany

Docker, Inc. sells its Enterprise division to Mirantis and refocuses entirely on developers and Docker Desktop. The sale includes Docker EE, UCP, and DTR. Docker, Inc. continues with Docker Hub, Docker Desktop, and Docker Compose.

May 2020

Docker Desktop + WSL2 Backendrelease

Docker Desktop ships WSL2 backend support on Windows, enabling near-native Linux container performance without Hyper-V overhead. File system performance improves 2–3× for volume-mounted workloads.

May 2022

Docker Compose V2 — Go Rewriterelease

Docker Compose V2 replaces the original Python implementation with a Go rewrite integrated directly into the Docker CLI as a plugin. The command changes from docker-compose to docker compose. Startup is 2–5× faster.

Sep 2022

Docker Extensions Marketplaceecosystem

Docker Desktop launches the Extensions marketplace, allowing third-party tools (Snyk, Grafana, Portainer, etc.) to embed directly inside Docker Desktop as first-class UI panels. Over 50 extensions ship at launch.

2024

Docker Desktop 4.x & AI Toolingmilestone

Docker Desktop 4.x ships with GPU-accelerated AI model runners, allowing developers to run local LLMs (Llama, Phi, etc.) via the Docker model CLI. Docker becomes a first-class platform for local AI development alongside cloud workloads. Over 20 million developers active monthly.