Cheat sheet · No. IX
Docker.
An image is a frozen filesystem; a container is one process started from it. Everything else — volumes, networks, compose — exists to feed that process data and neighbours.
The reference
IMAGES
docker build -t app:dev . - Build from ./Dockerfile
docker pull nginx:1.27 - Fetch (pin the tag)
docker images - Local images + sizes
docker tag app:dev repo/app:v1 - Add a name for pushing
docker push repo/app:v1 - Upload to registry
docker history app:dev - Layers + their sizes
CONTAINERS
docker run -d --name web -p 8080:80 nginx - Detached, host 8080 → container 80
docker run --rm -it alpine sh - Throwaway interactive shell
docker ps -a - All containers, incl. stopped
docker stop web - SIGTERM, then SIGKILL after 10s
docker rm -f web - Kill and remove
DEBUG
docker logs -f --tail 100 web - Follow last 100 lines
docker exec -it web sh - Shell inside a running container
docker inspect web - Full JSON: IP, mounts, env
docker stats - Live CPU / memory per container
docker top web - Processes inside
docker cp web:/var/log/app.log . - Copy a file out
VOLUMES & NETWORKS
docker volume create data - Named volume
docker run -v data:/var/lib/pg … - Mount it (survives the container)
docker run -v "$PWD":/app … - Bind-mount the working dir
docker network create net - User-defined bridge
docker run --network net … - Join it; containers resolve each other by name
COMPOSE
docker compose up -d - Start the stack, detached
docker compose up -d --build - Rebuild images first
docker compose logs -f api - Follow one service
docker compose exec api sh - Shell into a service
docker compose ps - Stack status
docker compose down -v - Stop and remove, volumes too
CLEANUP
docker system df - What's eating disk
docker system prune - Stopped containers, dangling images, unused networks
docker system prune -a - Also every image with no container
docker volume prune - Unused volumes (data loss — check first)
docker builder prune - Build cache
Field notes
Containers are disposable
Anything written inside the container filesystem dies with it. Data you care about belongs in a volume or a bind mount.
prune -a is greedy
docker system prune removes dangling leftovers; add -a and it deletes every image no container is using. Know which one you typed before pressing y.
exec vs run
exec opens a shell inside the container that is misbehaving; run starts a brand-new one. Debugging the fresh copy instead of the sick one wastes an afternoon.
Cap your logs
The default json-file log driver grows without bound. Set max-size and max-file in daemon.json, or watch a disk fill up very quietly.
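An added example, not part of the original cheat sheet: a Python check over docker inspect output that lists containers still on the json-file driver with no max-size set. The sample JSON is constructed and trimmed to the fields used, and the function name is hypothetical.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields read below.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"LogConfig": {"Type": "json-file", "Config": {}}}},
    {"Name": "/api", "HostConfig": {"LogConfig": {
        "Type": "json-file", "Config": {"max-size": "10m", "max-file": "3"}}}},
    {"Name": "/worker", "HostConfig": {"LogConfig": {
        "Type": "json-file", "Config": {"max-file": "5"}}}},
    {"Name": "/db", "HostConfig": {"LogConfig": {"Type": "journald", "Config": {}}}},
])


def uncapped_json_file_logs(inspect_json):
    """Return names of containers whose json-file logs have no size cap."""
    findings = []
    for container in json.loads(inspect_json):
        log_cfg = (container.get("HostConfig") or {}).get("LogConfig") or {}
        if log_cfg.get("Type") != "json-file":
            continue  # other drivers store logs elsewhere; out of scope here
        opts = log_cfg.get("Config") or {}
        # max-file alone does nothing: rotation only happens once max-size is set.
        if not opts.get("max-size"):
            findings.append(container.get("Name", "?").lstrip("/"))
    return findings


if __name__ == "__main__":
    # Read real inspect output from a pipe if present, else fall back to the sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    data = piped.strip() or SAMPLE_INSPECT
    for name in uncapped_json_file_logs(data):
        print(f"{name}: json-file log driver with no max-size")
```

Feed it the output of docker inspect for the containers you care about. Defaults set in daemon.json apply only to containers created after the change, so existing containers keep showing up here until they are recreated.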