{"id":13394651,"url":"https://github.com/wsargent/docker-cheat-sheet","last_synced_at":"2026-03-03T17:02:44.636Z","repository":{"id":19415407,"uuid":"22657662","full_name":"wsargent/docker-cheat-sheet","owner":"wsargent","description":"Docker Cheat Sheet","archived":false,"fork":false,"pushed_at":"2024-12-31T03:00:47.000Z","size":796,"stargazers_count":22184,"open_issues_count":8,"forks_count":4651,"subscribers_count":742,"default_branch":"master","last_synced_at":"2025-01-08T20:36:10.334Z","etag":null,"topics":["cheet-sheet","docker"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wsargent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-08-05T20:04:20.000Z","updated_at":"2025-01-08T19:18:43.000Z","dependencies_parsed_at":"2024-09-20T21:02:16.935Z","dependency_job_id":"92ee532d-735a-4d63-bc34-3ff4d521d935","html_url":"https://github.com/wsargent/docker-cheat-sheet","commit_stats":{"total_commits":309,"total_committers":107,"mean_commits":"2.8878504672897196","dds":0.6245954692556634,"last_synced_commit":"ea7edbf5348e6a00f131cb1c4eb89754b921890a"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wsargent%2Fdocker-cheat-sheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wsargent%2Fdocker-cheat-sheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wsargent%2Fdocker-cheat-sheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wsargent%2Fdocker-cheat-sheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wsargent","download_url":"https://codeload.github.com/wsargent/docker-cheat-sheet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240808746,"owners_count":19860965,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cheet-sheet","docker"],"created_at":"2024-07-30T17:01:27.097Z","updated_at":"2026-03-03T17:02:39.565Z","avatar_url":"https://github.com/wsargent.png","language":null,"readme":"# Docker Cheat Sheet\n\n**Want to improve this cheat sheet?  See the [Contributing](#contributing) section!**\n\n## Table of Contents\n\n* [Why Docker](#why-docker)\n* [Prerequisites](#prerequisites)\n* [Installation](#installation)\n* [Containers](#containers)\n* [Images](#images)\n* [Networks](#networks)\n* [Registry and Repository](#registry--repository)\n* [Dockerfile](#dockerfile)\n* [Layers](#layers)\n* [Links](#links)\n* [Volumes](#volumes)\n* [Exposing Ports](#exposing-ports)\n* [Best Practices](#best-practices)\n* [Docker-Compose](#docker-compose)\n* [Security](#security)\n* [Tips](#tips)\n* [Contributing](#contributing)\n\n## Why Docker\n\n\"With Docker, developers can build any app in any language using any toolchain. “Dockerized” apps are completely portable and can run anywhere - colleagues’ OS X and Windows laptops, QA servers running Ubuntu in the cloud, and production data center VMs running Red Hat.\n\nDevelopers can get going quickly by starting with one of the 13,000+ apps available on Docker Hub. Docker manages and tracks changes and dependencies, making it easier for sysadmins to understand how the apps that developers build work. And with Docker Hub, developers can automate their build pipeline and share artifacts with collaborators through public or private repositories.\n\nDocker helps developers build and ship higher-quality applications, faster.\" -- [What is Docker](https://www.docker.com/what-docker#copy1)\n\n## Prerequisites\n\nI use [Oh My Zsh](https://github.com/ohmyzsh/oh-my-zsh) with the [Docker plugin](https://github.com/robbyrussell/oh-my-zsh/wiki/Plugins#docker) for autocompletion of docker commands. YMMV.\n\n### Linux\n\nThe 3.10.x kernel is [the minimum requirement](https://docs.docker.com/engine/installation/binaries/#check-kernel-dependencies) for Docker.\n\n### MacOS\n\n10.8 “Mountain Lion” or newer is required.\n\n### Windows 10\n\nHyper-V must be enabled in BIOS\n\nVT-D must also be enabled if available (Intel Processors).\n\n### Windows Server\n\nWindows Server 2016 is the minimum version required to install docker and docker-compose. Limitations exist on this version, such as multiple virtual networks and Linux containers. Windows Server 2019 and later are recommended. \n\n## Installation\n\n### Linux\n\nRun this quick and easy install script provided by Docker:\n\n```sh\ncurl -sSL https://get.docker.com/ | sh\n```\n\nIf you're not willing to run a random shell script, please see the [installation](https://docs.docker.com/engine/installation/linux/) instructions for your distribution.\n\nIf you are a complete Docker newbie, you should follow the [series of tutorials](https://docs.docker.com/engine/getstarted/) now.\n\n### macOS\n\nDownload and install [Docker Community Edition](https://www.docker.com/community-edition). if you have Homebrew-Cask, just type `brew install --cask docker`. Or Download and install [Docker Toolbox](https://docs.docker.com/toolbox/overview/).  [Docker For Mac](https://docs.docker.com/docker-for-mac/) is nice, but it's not quite as finished as the VirtualBox install.  [See the comparison](https://docs.docker.com/docker-for-mac/docker-toolbox/).\n\n\u003e **NOTE** Docker Toolbox is legacy. You should to use Docker Community Edition, See [Docker Toolbox](https://docs.docker.com/toolbox/overview/).\n\nOnce you've installed Docker Community Edition, click the docker icon in Launchpad. Then start up a container:\n\n```sh\ndocker run hello-world\n```\n\nThat's it, you have a running Docker container.\n\nIf you are a complete Docker newbie, you should probably follow the [series of tutorials](https://docs.docker.com/engine/getstarted/) now.\n\n### Windows 10\n\nInstructions to install Docker Desktop for Windows can be found [here](https://docs.docker.com/desktop/windows/install/)\n\nOnce installed, open powershell as administrator and run:\n\n```powershell\n# Display the version of docker installed:\ndocker version\n\n# Pull, create, and run 'hello-world':\ndocker run hello-world\n```\n\nTo continue with this cheat sheet, right click the Docker icon in the system tray, and go to settings. In order to mount volumes, the C:/ drive will need to be enabled in the settings to that information can be passed into the containers (later described in this article). \n\nTo switch between Windows containers and Linux containers, right click the icon in the system tray and click the button to switch container operating system Doing this will stop the current containers that are running, and make them unaccessible until the container OS is switched back.\n\nAdditionally, if you have WSL or WSL2 installed on your desktop, you might want to install the Linux Kernel for Windows. Instructions can be found [here](https://techcommunity.microsoft.com/t5/windows-dev-appconsult/using-wsl2-in-a-docker-linux-container-on-windows-to-run-a/ba-p/1482133). This requires the Windows Subsystem for Linux feature. This will allow for containers to be accessed by WSL operating systems, as well as the efficiency gain from running WSL operating systems in docker. It is also preferred to use [Windows terminal](https://docs.microsoft.com/en-us/windows/terminal/get-started) for this.\n\n### Windows Server 2016 / 2019\n\nFollow Microsoft's instructions that can be found [here](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/deploy-containers-on-server#install-docker)\n\nIf using the latest edge version of 2019, be prepared to only work in powershell, as it is only a servercore image (no desktop interface). When starting this machine, it will login and go straight to a powershell window. It is recommended to install text editors and other tools using [Chocolatey](https://chocolatey.org/install).\n\nAfter installing, these commands will work:\n\n```powershell\n# Display the version of docker installed:\ndocker version\n\n# Pull, create, and run 'hello-world':\ndocker run hello-world\n```\n\nWindows Server 2016 is not able to run Linux images. \n\nWindows Server Build 2004 is capable of running both linux and windows containers simultaneously through Hyper-V isolation. When running containers, use the ```--isolation=hyperv``` command, which will isolate the container using a separate kernel instance. \n\n### Check Version\n\nIt is very important that you always know the current version of Docker you are currently running on at any point in time. This is very helpful because you get to know what features are compatible with what you have running. This is also important because you know what containers to run from the docker store when you are trying to get template containers. That said let see how to know which version of docker we have running currently.\n\n* [`docker version`](https://docs.docker.com/engine/reference/commandline/version/) shows which version of docker you have running.\n\nGet the server version:\n\n```console\n$ docker version --format '{{.Server.Version}}'\n1.8.0\n```\n\nYou can also dump raw JSON data:\n\n```console\n$ docker version --format '{{json .}}'\n{\"Client\":{\"Version\":\"1.8.0\",\"ApiVersion\":\"1.20\",\"GitCommit\":\"f5bae0a\",\"GoVersion\":\"go1.4.2\",\"Os\":\"linux\",\"Arch\":\"am\"}\n```\n\n## Containers\n\n[Your basic isolated Docker process](http://etherealmind.com/basics-docker-containers-hypervisors-coreos/). Containers are to Virtual Machines as threads are to processes. Or you can think of them as chroots on steroids.\n\n### Lifecycle\n\n* [`docker create`](https://docs.docker.com/engine/reference/commandline/create) creates a container but does not start it.\n* [`docker rename`](https://docs.docker.com/engine/reference/commandline/rename/) allows the container to be renamed.\n* [`docker run`](https://docs.docker.com/engine/reference/commandline/run) creates and starts a container in one operation.\n* [`docker rm`](https://docs.docker.com/engine/reference/commandline/rm) deletes a container.\n* [`docker update`](https://docs.docker.com/engine/reference/commandline/update/) updates a container's resource limits.\n\nNormally if you run a container without options it will start and stop immediately, if you want keep it running you can use the command, `docker run -td container_id` this will use the option `-t` that will allocate a pseudo-TTY session and `-d` that will detach automatically the container (run container in background and print container ID).\n\nIf you want a transient container, `docker run --rm` will remove the container after it stops.\n\nIf you want to map a directory on the host to a docker container, `docker run -v $HOSTDIR:$DOCKERDIR`. Also see [Volumes](https://github.com/wsargent/docker-cheat-sheet/#volumes).\n\nIf you want to remove also the volumes associated with the container, the deletion of the container must include the `-v` switch like in `docker rm -v`.\n\nThere's also a [logging driver](https://docs.docker.com/engine/admin/logging/overview/) available for individual containers in docker 1.10. To run docker with a custom log driver (i.e., to syslog), use `docker run --log-driver=syslog`.\n\nAnother useful option is `docker run --name yourname docker_image` because when you specify the `--name` inside the run command this will allow you to start and stop a container by calling it with the name the you specified when you created it.\n\n### Starting and Stopping\n\n* [`docker start`](https://docs.docker.com/engine/reference/commandline/start) starts a container so it is running.\n* [`docker stop`](https://docs.docker.com/engine/reference/commandline/stop) stops a running container.\n* [`docker restart`](https://docs.docker.com/engine/reference/commandline/restart) stops and starts a container.\n* [`docker pause`](https://docs.docker.com/engine/reference/commandline/pause/) pauses a running container, \"freezing\" it in place.\n* [`docker unpause`](https://docs.docker.com/engine/reference/commandline/unpause/) will unpause a running container.\n* [`docker wait`](https://docs.docker.com/engine/reference/commandline/wait) blocks until running container stops.\n* [`docker kill`](https://docs.docker.com/engine/reference/commandline/kill) sends a SIGKILL to a running container.\n* [`docker attach`](https://docs.docker.com/engine/reference/commandline/attach) will connect to a running container.\n\nIf you want to detach from a running container, use `Ctrl + p, Ctrl + q`.\nIf you want to integrate a container with a [host process manager](https://docs.docker.com/engine/admin/host_integration/), start the daemon with `-r=false` then use `docker start -a`.\n\nIf you want to expose container ports through the host, see the [exposing ports](#exposing-ports) section.\n\nRestart policies on crashed docker instances are [covered here](http://container42.com/2014/09/30/docker-restart-policies/).\n\n#### CPU Constraints\n\nYou can limit CPU, either using a percentage of all CPUs, or by using specific cores.  \n\nFor example, you can tell the [`cpu-shares`](https://docs.docker.com/engine/reference/run/#/cpu-share-constraint) setting.  The setting is a bit strange -- 1024 means 100% of the CPU, so if you want the container to take 50% of all CPU cores, you should specify 512.  See \u003chttps://goldmann.pl/blog/2014/09/11/resource-management-in-docker/#_cpu\u003e for more:\n\n```sh\ndocker run -it -c 512 agileek/cpuset-test\n```\n\nYou can also only use some CPU cores using [`cpuset-cpus`](https://docs.docker.com/engine/reference/run/#/cpuset-constraint).  See \u003chttps://agileek.github.io/docker/2014/08/06/docker-cpuset/\u003e for details and some nice videos:\n\n```sh\ndocker run -it --cpuset-cpus=0,4,6 agileek/cpuset-test\n```\n\nNote that Docker can still **see** all of the CPUs inside the container -- it just isn't using all of them.  See \u003chttps://github.com/docker/docker/issues/20770\u003e for more details.\n\n#### Memory Constraints\n\nYou can also set [memory constraints](https://docs.docker.com/engine/reference/run/#/user-memory-constraints) on Docker:\n\n```sh\ndocker run -it -m 300M ubuntu:14.04 /bin/bash\n```\n\n#### Capabilities\n\nLinux capabilities can be set by using `cap-add` and `cap-drop`.  See \u003chttps://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities\u003e for details.  This should be used for greater security.\n\nTo mount a FUSE based filesystem, you need to combine both --cap-add and --device:\n\n```sh\ndocker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse sshfs\n```\n\nGive access to a single device:\n\n```sh\ndocker run -it --device=/dev/ttyUSB0 debian bash\n```\n\nGive access to all devices:\n\n```sh\ndocker run -it --privileged -v /dev/bus/usb:/dev/bus/usb debian bash\n```\n\nMore info about privileged containers [here](\nhttps://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities).\n\n### Info\n\n* [`docker ps`](https://docs.docker.com/engine/reference/commandline/ps) shows running containers.\n* [`docker logs`](https://docs.docker.com/engine/reference/commandline/logs) gets logs from container.  (You can use a custom log driver, but logs is only available for `json-file` and `journald` in 1.10).\n* [`docker inspect`](https://docs.docker.com/engine/reference/commandline/inspect) looks at all the info on a container (including IP address).\n* [`docker events`](https://docs.docker.com/engine/reference/commandline/events) gets events from container.\n* [`docker port`](https://docs.docker.com/engine/reference/commandline/port) shows public facing port of container.\n* [`docker top`](https://docs.docker.com/engine/reference/commandline/top) shows running processes in container.\n* [`docker stats`](https://docs.docker.com/engine/reference/commandline/stats) shows containers' resource usage statistics.\n* [`docker diff`](https://docs.docker.com/engine/reference/commandline/diff) shows changed files in the container's FS.\n\n`docker ps -a` shows running and stopped containers.\n\n`docker stats --all` shows a list of all containers, default shows just running.\n\n### Import / Export\n\n* [`docker cp`](https://docs.docker.com/engine/reference/commandline/cp) copies files or folders between a container and the local filesystem.\n* [`docker export`](https://docs.docker.com/engine/reference/commandline/export) turns container filesystem into tarball archive stream to STDOUT.\n\n### Executing Commands\n\n* [`docker exec`](https://docs.docker.com/engine/reference/commandline/exec) to execute a command in container.\n\nTo enter a running container, attach a new shell process to a running container called foo, use: `docker exec -it foo /bin/bash`.\n\n## Images\n\nImages are just [templates for docker containers](https://docs.docker.com/engine/understanding-docker/#how-does-a-docker-image-work).\n\n### Lifecycle\n\n* [`docker images`](https://docs.docker.com/engine/reference/commandline/images) shows all images.\n* [`docker import`](https://docs.docker.com/engine/reference/commandline/import) creates an image from a tarball.\n* [`docker build`](https://docs.docker.com/engine/reference/commandline/build) creates image from Dockerfile.\n* [`docker commit`](https://docs.docker.com/engine/reference/commandline/commit) creates image from a container, pausing it temporarily if it is running.\n* [`docker rmi`](https://docs.docker.com/engine/reference/commandline/rmi) removes an image.\n* [`docker load`](https://docs.docker.com/engine/reference/commandline/load) loads an image from a tar archive as STDIN, including images and tags (as of 0.7).\n* [`docker save`](https://docs.docker.com/engine/reference/commandline/save) saves an image to a tar archive stream to STDOUT with all parent layers, tags \u0026 versions (as of 0.7).\n\n### Info\n\n* [`docker history`](https://docs.docker.com/engine/reference/commandline/history) shows history of image.\n* [`docker tag`](https://docs.docker.com/engine/reference/commandline/tag) tags an image to a name (local or registry).\n\n### Cleaning up\n\nWhile you can use the `docker rmi` command to remove specific images, there's a tool called [docker-gc](https://github.com/spotify/docker-gc) that will safely clean up images that are no longer used by any containers. As of docker 1.13, `docker image prune` is also available for removing unused images. See [Prune](#prune).\n\n### Load/Save image\n\nLoad an image from file:\n\n```sh\ndocker load \u003c my_image.tar.gz\n```\n\nSave an existing image:\n\n```sh\ndocker save my_image:my_tag | gzip \u003e my_image.tar.gz\n```\n\n### Import/Export container\n\nImport a container as an image from file:\n\n```sh\ncat my_container.tar.gz | docker import - my_image:my_tag\n```\n\nExport an existing container:\n\n```sh\ndocker export my_container | gzip \u003e my_container.tar.gz\n```\n\n### Difference between loading a saved image and importing an exported container as an image\n\nLoading an image using the `load` command creates a new image including its history.  \nImporting a container as an image using the `import` command creates a new image excluding the history which results in a smaller image size compared to loading an image.\n\n## Networks\n\nDocker has a [networks](https://docs.docker.com/engine/userguide/networking/) feature. Docker automatically creates 3 network interfaces when you install it (bridge, host none). A new container is launched into the bridge network by default. To enable communication between multiple containers, you can create a new network and launch containers in it. This enables containers to communicate to each other while being isolated from containers that are not connected to the network. Furthermore, it allows to map container names to their IP addresses. See [working with networks](https://docs.docker.com/engine/userguide/networking/work-with-networks/) for more details.\n\n### Lifecycle\n\n* [`docker network create`](https://docs.docker.com/engine/reference/commandline/network_create/) NAME Create a new network (default type: bridge).\n* [`docker network rm`](https://docs.docker.com/engine/reference/commandline/network_rm/) NAME Remove one or more networks by name or identifier. No containers can be connected to the network when deleting it.\n\n### Info\n\n* [`docker network ls`](https://docs.docker.com/engine/reference/commandline/network_ls/) List networks\n* [`docker network inspect`](https://docs.docker.com/engine/reference/commandline/network_inspect/) NAME Display detailed information on one or more networks.\n\n### Connection\n\n* [`docker network connect`](https://docs.docker.com/engine/reference/commandline/network_connect/) NETWORK CONTAINER Connect a container to a network\n* [`docker network disconnect`](https://docs.docker.com/engine/reference/commandline/network_disconnect/) NETWORK CONTAINER Disconnect a container from a network\n\nYou can specify a [specific IP address for a container](https://blog.jessfraz.com/post/ips-for-all-the-things/):\n\n```sh\n# create a new bridge network with your subnet and gateway for your ip block\ndocker network create --subnet 203.0.113.0/24 --gateway 203.0.113.254 iptastic\n\n# run a nginx container with a specific ip in that block\n$ docker run --rm -it --net iptastic --ip 203.0.113.2 nginx\n\n# curl the ip from any other place (assuming this is a public ip block duh)\n$ curl 203.0.113.2\n```\n\n## Registry \u0026 Repository\n\nA repository is a *hosted* collection of tagged images that together create the file system for a container.\n\nA registry is a *host* -- a server that stores repositories and provides an HTTP API for [managing the uploading and downloading of repositories](https://docs.docker.com/engine/tutorials/dockerrepos/).\n\nDocker.com hosts its own [index](https://hub.docker.com/) to a central registry which contains a large number of repositories.  Having said that, the central docker registry [does not do a good job of verifying images](https://titanous.com/posts/docker-insecurity) and should be avoided if you're worried about security.\n\n* [`docker login`](https://docs.docker.com/engine/reference/commandline/login) to login to a registry.\n* [`docker logout`](https://docs.docker.com/engine/reference/commandline/logout) to logout from a registry.\n* [`docker search`](https://docs.docker.com/engine/reference/commandline/search) searches registry for image.\n* [`docker pull`](https://docs.docker.com/engine/reference/commandline/pull) pulls an image from registry to local machine.\n* [`docker push`](https://docs.docker.com/engine/reference/commandline/push) pushes an image to the registry from local machine.\n\n### Run local registry\n\nYou can run a local registry by using the [docker distribution](https://github.com/docker/distribution) project and looking at the [local deploy](https://github.com/docker/docker.github.io/blob/master/registry/deploying.md) instructions.\n\nAlso see the [mailing list](https://groups.google.com/a/dockerproject.org/forum/#!forum/distribution).\n\n## Dockerfile\n\n[The configuration file](https://docs.docker.com/engine/reference/builder/). Sets up a Docker container when you run `docker build` on it. Vastly preferable to `docker commit`.  \n\nHere are some common text editors and their syntax highlighting modules you could use to create Dockerfiles:\n\n* If you use [jEdit](http://jedit.org), I've put up a syntax highlighting module for [Dockerfile](https://github.com/wsargent/jedit-docker-mode) you can use.\n* [Sublime Text 2](https://packagecontrol.io/packages/Dockerfile%20Syntax%20Highlighting)\n* [Atom](https://atom.io/packages/language-docker)\n* [Vim](https://github.com/ekalinin/Dockerfile.vim)\n* [Emacs](https://github.com/spotify/dockerfile-mode)\n* [TextMate](https://github.com/docker/docker/tree/master/contrib/syntax/textmate)\n* [VS Code](https://github.com/Microsoft/vscode-docker)\n* Also see [Docker meets the IDE](https://domeide.github.io/)\n\n### Instructions\n\n* [.dockerignore](https://docs.docker.com/engine/reference/builder/#dockerignore-file)\n* [FROM](https://docs.docker.com/engine/reference/builder/#from) Sets the Base Image for subsequent instructions.\n* [MAINTAINER (deprecated - use LABEL instead)](https://docs.docker.com/engine/reference/builder/#maintainer-deprecated) Set the Author field of the generated images.\n* [RUN](https://docs.docker.com/engine/reference/builder/#run) execute any commands in a new layer on top of the current image and commit the results.\n* [CMD](https://docs.docker.com/engine/reference/builder/#cmd) provide defaults for an executing container.\n* [EXPOSE](https://docs.docker.com/engine/reference/builder/#expose) informs Docker that the container listens on the specified network ports at runtime.  NOTE: does not actually make ports accessible.\n* [ENV](https://docs.docker.com/engine/reference/builder/#env) sets environment variable.\n* [ADD](https://docs.docker.com/engine/reference/builder/#add) copies new files, directories or remote file to container.  Invalidates caches. Avoid `ADD` and use `COPY` instead.\n* [COPY](https://docs.docker.com/engine/reference/builder/#copy) copies new files or directories to container.  By default this copies as root regardless of the USER/WORKDIR settings.  Use `--chown=\u003cuser\u003e:\u003cgroup\u003e` to give ownership to another user/group.  (Same for `ADD`.)\n* [ENTRYPOINT](https://docs.docker.com/engine/reference/builder/#entrypoint) configures a container that will run as an executable.\n* [VOLUME](https://docs.docker.com/engine/reference/builder/#volume) creates a mount point for externally mounted volumes or other containers.\n* [USER](https://docs.docker.com/engine/reference/builder/#user) sets the user name for following RUN / CMD / ENTRYPOINT commands.\n* [WORKDIR](https://docs.docker.com/engine/reference/builder/#workdir) sets the working directory.\n* [ARG](https://docs.docker.com/engine/reference/builder/#arg) defines a build-time variable.\n* [ONBUILD](https://docs.docker.com/engine/reference/builder/#onbuild) adds a trigger instruction when the image is used as the base for another build.\n* [STOPSIGNAL](https://docs.docker.com/engine/reference/builder/#stopsignal) sets the system call signal that will be sent to the container to exit.\n* [LABEL](https://docs.docker.com/config/labels-custom-metadata/) apply key/value metadata to your images, containers, or daemons.\n* [SHELL](https://docs.docker.com/engine/reference/builder/#shell) override default shell is used by docker to run commands.\n* [HEALTHCHECK](https://docs.docker.com/engine/reference/builder/#healthcheck) tells docker how to test a container to check that it is still working.\n\n### Tutorial\n\n* [Flux7's Dockerfile Tutorial](https://www.flux7.com/tutorial/docker-tutorial-series-part-3-automation-is-the-word-using-dockerfile/)\n\n### Examples\n\n* [Examples](https://docs.docker.com/engine/reference/builder/#dockerfile-examples)\n* [Best practices for writing Dockerfiles](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/)\n* [Michael Crosby](http://crosbymichael.com/) has some more [Dockerfiles best practices](http://crosbymichael.com/dockerfile-best-practices.html) / [take 2](http://crosbymichael.com/dockerfile-best-practices-take-2.html).\n* [Building Good Docker Images](http://jonathan.bergknoff.com/journal/building-good-docker-images) / [Building Better Docker Images](http://jonathan.bergknoff.com/journal/building-better-docker-images)\n* [Managing Container Configuration with Metadata](https://speakerdeck.com/garethr/managing-container-configuration-with-metadata)\n* [How to write excellent Dockerfiles](https://rock-it.pl/how-to-write-excellent-dockerfiles/)\n\n## Layers\n\nThe versioned filesystem in Docker is based on layers. They're like [git commits or changesets for filesystems](https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/).\n\n## Links\n\nLinks are how Docker containers talk to each other [through TCP/IP ports](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/). [Atlassian](https://blogs.atlassian.com/2013/11/docker-all-the-things-at-atlassian-automation-and-wiring/) show worked examples. You can also resolve [links by hostname](https://docs.docker.com/engine/userguide/networking/default_network/dockerlinks/#/updating-the-etchosts-file).\n\nThis has been deprecated to some extent by [user-defined networks](https://docs.docker.com/network/).\n\nNOTE: If you want containers to ONLY communicate with each other through links, start the docker daemon with `-icc=false` to disable inter process communication.\n\nIf you have a container with the name CONTAINER (specified by `docker run --name CONTAINER`) and in the Dockerfile, it has an exposed port:\n\n```\nEXPOSE 1337\n```\n\nThen if we create another container called LINKED like so:\n\n```sh\ndocker run -d --link CONTAINER:ALIAS --name LINKED user/wordpress\n```\n\nThen the exposed ports and aliases of CONTAINER will show up in LINKED with the following environment variables:\n\n```sh\n$ALIAS_PORT_1337_TCP_PORT\n$ALIAS_PORT_1337_TCP_ADDR\n```\n\nAnd you can connect to it that way.\n\nTo delete links, use `docker rm --link`.\n\nGenerally, linking between docker services is a subset of \"service discovery\", a big problem if you're planning to use Docker at scale in production.  Please read [The Docker Ecosystem: Service Discovery and Distributed Configuration Stores](https://www.digitalocean.com/community/tutorials/the-docker-ecosystem-service-discovery-and-distributed-configuration-stores) for more info.\n\n## Volumes\n\nDocker volumes are [free-floating filesystems](https://docs.docker.com/engine/tutorials/dockervolumes/). They don't have to be connected to a particular container. You can use volumes mounted from [data-only containers](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e) for portability. As of Docker 1.9.0, Docker has named volumes which replace data-only containers. Consider using named volumes to implement it rather than data containers.\n\n### Lifecycle\n\n* [`docker volume create`](https://docs.docker.com/engine/reference/commandline/volume_create/)\n* [`docker volume rm`](https://docs.docker.com/engine/reference/commandline/volume_rm/)\n\n### Info\n\n* [`docker volume ls`](https://docs.docker.com/engine/reference/commandline/volume_ls/)\n* [`docker volume inspect`](https://docs.docker.com/engine/reference/commandline/volume_inspect/)\n\nVolumes are useful in situations where you can't use links (which are TCP/IP only). For instance, if you need to have two docker instances communicate by leaving stuff on the filesystem.\n\nYou can mount them in several docker containers at once, using `docker run --volumes-from`.\n\nBecause volumes are isolated filesystems, they are often used to store state from computations between transient containers. That is, you can have a stateless and transient container run from a recipe, blow it away, and then have a second instance of the transient container pick up from where the last one left off.\n\nSee [advanced volumes](http://crosbymichael.com/advanced-docker-volumes.html) for more details. [Container42](http://container42.com/2014/11/03/docker-indepth-volumes/) is also helpful.\n\nYou can [map MacOS host directories as docker volumes](https://docs.docker.com/engine/tutorials/dockervolumes/#mount-a-host-directory-as-a-data-volume):\n\n```sh\ndocker run -v /Users/wsargent/myapp/src:/src\n```\n\nYou can use remote NFS volumes if you're [feeling brave](https://docs.docker.com/engine/tutorials/dockervolumes/#/mount-a-shared-storage-volume-as-a-data-volume).\n\nYou may also consider running data-only containers as described [here](http://container42.com/2013/12/16/persistent-volumes-with-docker-container-as-volume-pattern/) to provide some data portability.\n\nBe aware that you can [mount files as volumes](#volumes-can-be-files).\n\n## Exposing ports\n\nExposing incoming ports through the host container is [fiddly but doable](https://docs.docker.com/engine/reference/run/#expose-incoming-ports).\n\nThis is done by mapping the container port to the host port (only using localhost interface) using `-p`:\n\n```sh\ndocker run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT \\\n  --name CONTAINER \\\n  -t someimage\n```\n\nYou can tell Docker that the container listens on the specified network ports at runtime by using [EXPOSE](https://docs.docker.com/engine/reference/builder/#expose):\n\n```Dockerfile\nEXPOSE \u003cCONTAINERPORT\u003e\n```\n\nNote that `EXPOSE` does not expose the port itself - only `-p` will do that. \n\nTo expose the container's port on your localhost's port, run:\n\n```sh\niptables -t nat -A DOCKER -p tcp --dport \u003cLOCALHOSTPORT\u003e -j DNAT --to-destination \u003cCONTAINERIP\u003e:\u003cPORT\u003e\n```\n\nIf you're running Docker in Virtualbox, you then need to forward the port there as well, using [forwarded_port](https://docs.vagrantup.com/v2/networking/forwarded_ports.html). Define a range of ports in your Vagrantfile like this so you can dynamically map them:\n\n```\nVagrant.configure(VAGRANTFILE_API_VERSION) do |config|\n  ...\n\n  (49000..49900).each do |port|\n    config.vm.network :forwarded_port, :host =\u003e port, :guest =\u003e port\n  end\n\n  ...\nend\n```\n\nIf you forget what you mapped the port to on the host container, use `docker port` to show it:\n\n```sh\ndocker port CONTAINER $CONTAINERPORT\n```\n\n## Best Practices\n\nThis is where general Docker best practices and war stories go:\n\n* [The Rabbit Hole of Using Docker in Automated Tests](http://gregoryszorc.com/blog/2014/10/16/the-rabbit-hole-of-using-docker-in-automated-tests/)\n* [Bridget Kromhout](https://twitter.com/bridgetkromhout) has a useful blog post on [running Docker in production](http://sysadvent.blogspot.co.uk/2014/12/day-1-docker-in-production-reality-not.html) at Dramafever.\n* There's also a best practices [blog post](http://developers.lyst.com/devops/2014/12/08/docker/) from Lyst.\n* [Building a Development Environment With Docker](https://tersesystems.com/2013/11/20/building-a-development-environment-with-docker/)\n* [Discourse in a Docker Container](https://samsaffron.com/archive/2013/11/07/discourse-in-a-docker-container)\n\n## Docker-Compose\n\nCompose is a tool for defining and running multi-container Docker applications. With Compose, you use a YAML file to configure your application’s services. Then, with a single command, you create and start all the services from your configuration. To learn more about all the features of Compose, see the [list of features](https://docs.docker.com/compose/overview/#features).\n\nBy using the following command you can start up your application:\n\n```sh\ndocker-compose -f \u003cdocker-compose-file\u003e up\n```\n\nYou can also run docker-compose in detached mode using -d flag, then you can stop it whenever needed by the following command:\n\n```sh\ndocker-compose stop\n```\n\nYou can bring everything down, removing the containers entirely, with the down command. Pass `--volumes` to also remove the data volume.\n\n## Security\n\nThis is where security tips about Docker go. The Docker [security](https://docs.docker.com/engine/security/security/) page goes into more detail.\n\nFirst things first: Docker runs as root. If you are in the `docker` group, you effectively [have root access](https://web.archive.org/web/20161226211755/http://reventlov.com/advisories/using-the-docker-command-to-root-the-host). If you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/).\n\nDocker should not be your only defense. You should secure and harden it.\n\nFor an understanding of what containers leave exposed, you should read [Understanding and Hardening Linux Containers](https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf) by [Aaron Grattafiori](https://twitter.com/dyn___). This is a complete and comprehensive guide to the issues involved with containers, with a plethora of links and footnotes leading on to yet more useful content. The security tips following are useful if you've already hardened containers in the past, but are not a substitute for understanding.\n\n### Security Tips\n\nFor greatest security, you want to run Docker inside a virtual machine. This is straight from the Docker Security Team Lead -- [slides](http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security) / [notes](http://www.projectatomic.io/blog/2014/08/is-it-safe-a-look-at-docker-and-security-from-linuxcon/). Then, run with AppArmor / seccomp / SELinux / grsec etc to [limit the container permissions](http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/). See the [Docker 1.10 security features](https://blog.docker.com/2016/02/docker-engine-1-10-security/) for more details.\n\nDocker image ids are [sensitive information](https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4) and should not be exposed to the outside world. Treat them like passwords.\n\nSee the [Docker Security Cheat Sheet](https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.adoc) by [Thomas Sjögren](https://github.com/konstruktoid): some good stuff about container hardening in there.\n\nCheck out the [docker bench security script](https://github.com/docker/docker-bench-security), download the [white papers](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/).\n\nSnyk's [10 Docker Image Security Best Practices cheat sheet](https://snyk.io/blog/10-docker-image-security-best-practices/)\n\nYou should start off by using a kernel with unstable patches for grsecurity / pax compiled in, such as [Alpine Linux](https://en.wikipedia.org/wiki/Alpine_Linux). If you are using grsecurity in production, you should spring for [commercial support](https://grsecurity.net/business_support.php) for the [stable patches](https://grsecurity.net/announce.php), same as you would do for RedHat. It's $200 a month, which is nothing to your devops budget.\n\nSince docker 1.11 you can easily limit the number of active processes running inside a container to prevent fork bombs. This requires a linux kernel \u003e= 4.3 with CGROUP_PIDS=y to be in the kernel configuration.\n\n```sb\ndocker run --pids-limit=64\n```\n\nAlso available since docker 1.11 is the ability to prevent processes from gaining new privileges. This feature have been in the linux kernel since version 3.5. You can read more about it in [this](http://www.projectatomic.io/blog/2016/03/no-new-privs-docker/) blog post.\n\n```sh\ndocker run --security-opt=no-new-privileges\n```\n\nFrom the [Docker Security Cheat Sheet](http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf) (it's in PDF which makes it hard to use, so copying below) by [Container Solutions](http://container-solutions.com/is-docker-safe-for-production/):\n\nTurn off interprocess communication with:\n\n```sh\ndocker -d --icc=false --iptables\n```\n\nSet the container to be read-only:\n\n```sh\ndocker run --read-only\n```\n\nVerify images with a hashsum:\n\n```sh\ndocker pull debian@sha256:a25306f3850e1bd44541976aa7b5fd0a29be\n```\n\nSet volumes to be read only:\n\n```sh\ndocker run -v $(pwd)/secrets:/secrets:ro debian\n```\n\nDefine and run a user in your Dockerfile so you don't run as root inside the container:\n\n```Dockerfile\nRUN groupadd -r user \u0026\u0026 useradd -r -g user user\nUSER user\n```\n\n### User Namespaces\n\nThere's also work on [user namespaces](https://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/) -- it is in 1.10 but is not enabled by default.\n\nTo enable user namespaces (\"remap the userns\") in Ubuntu 15.10, [follow the blog example](https://raesene.github.io/blog/2016/02/04/Docker-User-Namespaces/).\n\n### Security Videos\n\n* [Using Docker Safely](https://youtu.be/04LOuMgNj9U)\n* [Securing your applications using Docker](https://youtu.be/KmxOXmPhZbk)\n* [Container security: Do containers actually contain?](https://youtu.be/a9lE9Urr6AQ)\n* [Linux Containers: Future or Fantasy?](https://www.youtube.com/watch?v=iN6QbszB1R8)\n\n### Security Roadmap\n\nThe Docker roadmap talks about [seccomp support](https://github.com/docker/docker/blob/master/ROADMAP.md#11-security).\nThere is an AppArmor policy generator called [bane](https://github.com/jfrazelle/bane), and they're working on [security profiles](https://github.com/docker/docker/issues/17142).\n\n## Tips\n\nSources:\n\n* [15 Docker Tips in 5 minutes](http://sssslide.com/speakerdeck.com/bmorearty/15-docker-tips-in-5-minutes)\n* [CodeFresh Everyday Hacks Docker](https://codefresh.io/blog/everyday-hacks-docker/)\n\n### Prune\n\nThe new [Data Management Commands](https://github.com/docker/docker/pull/26108) have landed as of Docker 1.13:\n\n* `docker system prune`\n* `docker volume prune`\n* `docker network prune`\n* `docker container prune`\n* `docker image prune`\n\n### df\n\n`docker system df` presents a summary of the space currently used by different docker objects.\n\n### Heredoc Docker Container\n\n```sh\ndocker build -t htop - \u003c\u003c EOF\nFROM alpine\nRUN apk --no-cache add htop\nEOF\n```\n\n### Last IDs\n\n```sh\nalias dl='docker ps -l -q'\ndocker run ubuntu echo hello world\ndocker commit $(dl) helloworld\n```\n\n### Commit with command (needs Dockerfile)\n\n```sh\ndocker commit -run='{\"Cmd\":[\"postgres\", \"-too -many -opts\"]}' $(dl) postgres\n```\n\n### Get IP address\n\n```sh\ndocker inspect $(dl) | grep -wm1 IPAddress | cut -d '\"' -f 4\n```\n\nOr with [jq](https://stedolan.github.io/jq/) installed:\n\n```sh\ndocker inspect $(dl) | jq -r '.[0].NetworkSettings.IPAddress'\n```\n\nOr using a [go template](https://docs.docker.com/engine/reference/commandline/inspect):\n\n```sh\ndocker inspect -f '{{ .NetworkSettings.IPAddress }}' \u003ccontainer_name\u003e\n```\n\nOr when building an image from Dockerfile, when you want to pass in a build argument:\n\n```sh\nDOCKER_HOST_IP=`ifconfig | grep -E \"([0-9]{1,3}\\.){3}[0-9]{1,3}\" | grep -v 127.0.0.1 | awk '{ print $2 }' | cut -f2 -d: | head -n1`\necho DOCKER_HOST_IP = $DOCKER_HOST_IP\ndocker build \\\n  --build-arg ARTIFACTORY_ADDRESS=$DOCKER_HOST_IP \n  -t sometag \\\n  some-directory/\n```\n\n### Get port mapping\n\n```sh\ndocker inspect -f '{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -\u003e {{(index $conf 0).HostPort}} {{end}}' \u003ccontainername\u003e\n```\n\n### Find containers by regular expression\n\n```sh\nfor i in $(docker ps -a | grep \"REGEXP_PATTERN\" | cut -f1 -d\" \"); do echo $i; done\n```\n\n### Get Environment Settings\n\n```sh\ndocker run --rm ubuntu env\n```\n\n### Kill running containers\n\n```sh\nif [ \"$(docker ps -q)\" ]; then docker kill $(docker ps -q); else echo \"No running containers.\"; fi\n\n```\n\n### Delete all containers (force!! running or stopped containers)\n\n```sh\nif [ \"$(docker ps -qa)\" ]; then docker rm -f $(docker ps -qa); else echo \"No containers to delete.\"; fi\n\n```\n\n### Delete old containers\n\n```sh\ndocker ps -a | grep 'weeks ago' | awk '{print $1}' | xargs docker rm\n```\n\n### Delete stopped containers\n\n```sh\ndocker rm -v $(docker ps -a -q -f status=exited)\n```\n\n### Delete containers after stopping\n\n```sh\ndocker stop $(docker ps -aq) \u0026\u0026 docker rm -v $(docker ps -aq)\n```\n\n### Delete dangling images\n\n```sh\ndocker rmi $(docker images -q -f dangling=true)\n```\n\n### Delete all images\n\n```sh\ndocker rmi $(docker images -q)\n```\n\n### Delete dangling volumes\n\nAs of Docker 1.9:\n\n```sh\ndocker volume rm $(docker volume ls -q -f dangling=true)\n```\n\nIn 1.9.0, the filter `dangling=false` does _not_ work - it is ignored and will list all volumes.\n\n### Show image dependencies\n\n```sh\ndocker images -viz | dot -Tpng -o docker.png\n```\n\n### Slimming down Docker containers\n\n- Cleaning APT in a `RUN` layer - This should be done in the same layer as other `apt` commands. Otherwise, the previous layers still persist the original information and your images will still be fat.\n    ```Dockerfile\n    RUN {apt commands} \\\n      \u0026\u0026 apt-get clean \\\n      \u0026\u0026 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*\n    ```\n- Flatten an image\n    ```sh\n    ID=$(docker run -d image-name /bin/bash)\n    docker export $ID | docker import – flat-image-name\n    ```\n- For backup\n    ```sh\n    ID=$(docker run -d image-name /bin/bash)\n    (docker export $ID | gzip -c \u003e image.tgz)\n    gzip -dc image.tgz | docker import - flat-image-name\n    ```\n\n### Monitor system resource utilization for running containers\n\nTo check the CPU, memory, and network I/O usage of a single container, you can use:\n\n```sh\ndocker stats \u003ccontainer\u003e\n```\n\nFor all containers listed by ID:\n\n```sh\ndocker stats $(docker ps -q)\n```\n\nFor all containers listed by name:\n\n```sh\ndocker stats $(docker ps --format '{{.Names}}')\n```\n\nFor all containers listed by image:\n\n```sh\ndocker ps -a -f ancestor=ubuntu\n```\n\nRemove all untagged images:\n\n```sh\ndocker rmi $(docker images | grep “^” | awk '{split($0,a,\" \"); print a[3]}')\n```\n\nRemove container by a regular expression:\n\n```sh\ndocker ps -a | grep wildfly | awk '{print $1}' | xargs docker rm -f\n```\n\nRemove all exited containers:\n\n```sh\ndocker rm -f $(docker ps -a | grep Exit | awk '{ print $1 }')\n```\n\n### Volumes can be files\n\nBe aware that you can mount files as volumes. For example you can inject a configuration file like this:\n\n```sh\n# copy file from container\ndocker run --rm httpd cat /usr/local/apache2/conf/httpd.conf \u003e httpd.conf\n\n# edit file\nvim httpd.conf\n\n# start container with modified configuration\ndocker run --rm -it -v \"$PWD/httpd.conf:/usr/local/apache2/conf/httpd.conf:ro\" -p \"80:80\" httpd\n```\n\n## Contributing\n\nHere's how to contribute to this cheat sheet.\n\n### Open README.md\n\nClick [README.md](https://github.com/wsargent/docker-cheat-sheet/blob/master/README.md) \u003c-- this link\n\n![Click This](images/click.png)\n\n### Edit Page\n\n![Edit This](images/edit.png)\n\n### Make Changes and Commit\n\n![Change This](images/change.png)\n\n![Commit](images/commit.png)\n","funding_links":[],"categories":["Others","Uncategorized","miscellaneous","Platforms","Main Resources","Utilities","HarmonyOS","non-CLI tools","General cheat sheets","General","Docker","docker","Cheat sheets","Don't forget to give a :star: to make the project popular","Others (1002)","Misc","Backend","Computer Networking and Security","📋 Cheatsheets"],"sub_categories":["Uncategorized","Windows Manager","Cheat Sheet","Devops","Miscellaneous"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwsargent%2Fdocker-cheat-sheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwsargent%2Fdocker-cheat-sheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwsargent%2Fdocker-cheat-sheet/lists"}