
Docker Cheatsheet

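# Run a container (pulls image if not local)
docker run nginx:alpine
# Common run flags.
# A comment cannot follow a line-continuation backslash: "\ # note" escapes the
# space and ends the command on that line, so the flags are explained here.
#   --name my-app             assign a name
#   -d                        detached (background)
#   -p 8080:80                host:container port mapping; published on all
#                             host interfaces by default, use
#                             127.0.0.1:8080:80 to expose it to the local
#                             host only
#   -e NODE_ENV=production    environment variable (readable via
#                             `docker inspect`, so not a place for secrets)
#   --restart unless-stopped  restart policy
# --rm (auto-remove on exit) is left out of this command: Docker rejects it
# together with a restart policy ("Conflicting options: --restart and --rm").
# Use --rm on throwaway containers that have no restart policy.
docker run \
  --name my-app \
  -d \
  -p 8080:80 \
  -e NODE_ENV=production \
  --restart unless-stopped \
  nginx:alpine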
# Interactive shell in a new container (-i keeps STDIN open, -t allocates a
# TTY, --rm deletes the container when the shell exits)
docker run -it --rm ubuntu:24.04 bash
# Start / stop / restart existing containers
docker start my-app
docker stop my-app # SIGTERM → SIGKILL after grace period
docker restart my-app
# Kill immediately (SIGKILL, no grace period)
docker kill my-app
# Pause / unpause (freezes process, keeps memory)
docker pause my-app
docker unpause my-app
# Remove a stopped container
docker rm my-app
# Remove a running container forcefully (the container is killed first; its
# writable layer and any data not stored in a volume are lost)
docker rm -f my-app
# Remove all stopped containers (asks for confirmation; -f skips the prompt)
docker container prune
# Open a shell in a running container (runs as the container's configured
# user, often root, unless -u/--user is given)
docker exec -it my-app bash
docker exec -it my-app sh # for Alpine / minimal images
# Run a one-off command
docker exec my-app cat /etc/os-release
# Stream logs (the container's stdout/stderr; anything the application
# prints, including tokens or credentials, ends up here)
docker logs -f my-app
# Last 50 lines with timestamps
docker logs --tail 50 --timestamps my-app
# Logs since a point in time (relative duration such as 1h, or a timestamp)
docker logs --since 1h my-app
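# List running containers
docker ps
# List all containers (including stopped)
docker ps -a
# Full JSON metadata (includes the container's environment variables, so
# treat the output as sensitive if secrets were passed with -e)
docker inspect my-app
# Extract a specific field (jq or Go template).
# The top-level .NetworkSettings.IPAddress field is only populated for the
# default bridge network; iterating over .NetworkSettings.Networks also
# returns the address of a container attached to a user-defined network.
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' my-app
# Resource usage (live)
docker stats
# Stats snapshot (no stream)
docker stats --no-stream
# List running processes inside a container
docker top my-app
# Port mappings
docker port my-app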
# Host → container (also works on a stopped container; an existing
# destination file is overwritten without a prompt)
docker cp ./config.yaml my-app:/app/config.yaml
# Container → host
docker cp my-app:/var/log/app.log ./app.log

# Pull an image (a tag is mutable: the same tag can point to different
# content over time)
docker pull nginx:alpine
# Pull by digest (immutable; "abc123..." is a placeholder for the full
# 64-hex-character sha256 digest of the image you have verified)
docker pull nginx@sha256:abc123...
# List local images
docker images
docker image ls
# Build from Dockerfile in current directory
docker build -t my-app:1.0 .
# Build with a non-standard Dockerfile
docker build -f Dockerfile.prod -t my-app:prod .
# Pass a build argument (values are recorded in the image metadata and show
# up in `docker history`; pass secrets with BuildKit's --secret instead)
docker build --build-arg APP_VERSION=1.2 -t my-app:1.2 .
# Force a full rebuild (bypass cache); add --pull to also re-fetch the base
# image instead of reusing the local copy
docker build --no-cache -t my-app:1.0 .
# Tag an existing image
docker tag my-app:1.0 myregistry.io/team/my-app:1.0
# Remove an image
docker rmi my-app:1.0
# Remove all dangling (untagged) images
docker image prune
# Remove all unused images (not just dangling), i.e. every image not
# referenced by a container
docker image prune -a
# Show layer history and sizes
docker history my-app:1.0
# Full JSON metadata
docker inspect my-app:1.0
# Save image(s) to a TAR archive (preserves layers + tags)
docker save -o my-app.tar my-app:1.0
# Load images from a TAR archive (only load archives from a source you
# trust; loading does not verify who built the images inside)
docker load -i my-app.tar

# Login to Docker Hub (prompts for credentials; without a credential helper
# they are stored base64-encoded, not encrypted, in ~/.docker/config.json)
docker login
# Login to a private registry (the hostname must match the registry prefix of
# the images you push/pull; in scripts, pipe the token in with
# --password-stdin rather than -p so it stays out of shell history and
# process listings)
docker login myregistry.azurecr.io
# Push an image
docker push myregistry.io/team/my-app:1.0
# Pull from a private registry (must be logged in)
docker pull myregistry.io/team/my-app:1.0
# Logout (removes the stored credentials for that registry)
docker logout myregistry.io

# Create a named volume
docker volume create app-data
# List volumes
docker volume ls
# Inspect a volume (shows mount path on host)
docker volume inspect app-data
# Run with a named volume
docker run -d -v app-data:/app/data my-app:1.0
# Run with a bind mount (host path → container path); the container can
# modify or delete anything under the mounted host directory
docker run -d -v "$(pwd)/data":/app/data my-app:1.0
# Read-only bind mount (prefer :ro whenever the container only needs to read)
docker run -d -v "$(pwd)/config":/app/config:ro my-app:1.0
# Temporary in-memory filesystem (tmpfs); contents are discarded when the
# container stops
docker run --tmpfs /tmp my-app:1.0
# Remove a volume (the data in it is deleted; fails while a container uses it)
docker volume rm app-data
# Remove all unused volumes
# NOTE(review): on Docker Engine 23.0+ this removes only anonymous volumes
# unless -a/--all is given; confirm against your version
docker volume prune

# List networks
docker network ls
# Inspect a network (lists the attached containers and their addresses)
docker network inspect bridge
# Create a custom bridge network (containers on it resolve each other by
# name and are isolated from containers on other bridge networks)
docker network create my-net
# Create with a specific subnet
docker network create --subnet 172.20.0.0/16 my-net
# Run a container on a specific network (no -p here, so the database is
# reachable only from containers on my-net, not from outside the host)
docker run -d --network my-net --name db postgres:16
# Connect a running container to a network
docker network connect my-net my-app
# Disconnect a container from a network
docker network disconnect my-net my-app
# Remove a network
docker network rm my-net
# Remove all unused networks
docker network prune

# Start services (detached), build if needed
docker compose up -d --build
# Start a specific service
docker compose up -d db
# Stop and remove containers + networks
docker compose down
# Also remove named volumes (deletes the data stored in them, e.g. database
# files; there is no undo)
docker compose down -v
# View running services
docker compose ps
# Stream logs for all services
docker compose logs -f
# Stream logs for one service
docker compose logs -f api
# Execute a command in a running service container
docker compose exec api sh
# Run a one-off command (new container, then remove)
docker compose run --rm api python manage.py migrate
# Scale a service
docker compose up -d --scale worker=3
# Rebuild images without starting
docker compose build
# Pull latest images for all services
docker compose pull
# Validate and view the merged config (variables are interpolated, so the
# output can contain secrets taken from .env or the environment)
docker compose config

# Disk usage summary (images, containers, volumes, cache)
docker system df
# Verbose disk usage (per object)
docker system df -v
# Remove all stopped containers, unused networks,
# dangling images, and build cache
docker system prune
# Also remove unused images and volumes (aggressive; volume data cannot be
# recovered afterwards)
# NOTE(review): on Docker Engine 23.0+ --volumes covers anonymous volumes
# only; confirm against your version
docker system prune -a --volumes
# Live event stream from the Docker daemon (useful for auditing container
# starts, stops and deaths as they happen)
docker events
# Filter events by type
docker events --filter type=container --filter event=die
# Display Docker version info
docker version
# Display system-wide info (daemon config, runtime)
docker info

| Flag | Short | Meaning |
| --- | --- | --- |
| `--detach` | `-d` | Run in background |
| `--interactive` | `-i` | Keep STDIN open |
| `--tty` | `-t` | Allocate a pseudo-TTY (use with -i) |
| `--name` | | Assign a name to the container |
| `--publish` | `-p` | Map host:container port |
| `--publish-all` | `-P` | Map all exposed ports to random host ports |
| `--env` | `-e` | Set an environment variable |
| `--env-file` | | Load env vars from a file |
| `--volume` | `-v` | Mount a volume or bind mount |
| `--mount` | | Explicit mount syntax (preferred over -v) |
| `--network` | | Connect to a specific network |
| `--rm` | | Remove container automatically on exit |
| `--restart` | | Restart policy (no, always, unless-stopped, on-failure) |
| `--user` | `-u` | Run as a specific user (uid:gid) |
| `--cpus` | | Limit CPU usage (e.g. --cpus 0.5) |
| `--memory` | `-m` | Limit memory (e.g. -m 512m) |
| `--read-only` | | Mount container root filesystem as read-only |
| `--entrypoint` | | Override the image ENTRYPOINT |
| `--platform` | | Target platform (e.g. linux/arm64) |

| Policy | Behaviour |
| --- | --- |
| `no` | Never restart (default) |
| `always` | Always restart, including on daemon start |
| `unless-stopped` | Always restart unless explicitly stopped by the user |
| `on-failure[:n]` | Restart only on non-zero exit code; optional max retry count |