Containers core

In CI, build Docker images with docker build, tag with registry and version, and push with docker push. Use a registry (Docker Hub, ECR, GCR) and authenticate with a token or role. Use this when automating image builds in a pipeline.

Define a multi-container stack in a compose file (docker-compose.yml): services, networks, volumes. Run with docker compose up -d; manage with docker compose down and docker compose logs. Use this when running an app with a database, cache, or multiple services on one host.

Inspect a running or exited container with docker logs, docker exec, and docker inspect. Check exit code, environment, and resource usage. Use this when a container fails to start, exits unexpectedly, or when you need to see what is running inside.

Write a Dockerfile with FROM, RUN, COPY, and CMD to build a container image. Use multi-stage builds to keep the final image small. Use this when creating a custom image for your application or when optimizing build time and image size.

Remove unused images, containers, volumes, and networks with docker prune. Free disk space and avoid accumulation of dangling images and stopped containers. Use this when the Docker disk usage is high or when you want to keep the host clean.

Install Docker Engine on Debian, Ubuntu, or RHEL using the official Docker repository. Add your user to the docker group so you can run containers without root. Use this when setting up a host for containers or when you need a specific Docker version.

Containers can use the default bridge, a user-defined bridge, or the host network. Use bridge networks so containers resolve each other by name; publish ports with -p to expose services to the host. Use this when connecting containers or when debugging connectivity between containers and host.

Use this checklist before running containers in production: image source and scan, non-root and read-only, resource limits, secrets handling, logging, and health checks. Ensures containers are built and run in a production-ready way.

Run a container with docker run: specify image, command, ports, volumes, and env. Use -d for detached, -p to publish ports, -v for volumes, -e for env vars. Use this when starting a single container or when testing an image before composing a stack.

Run containers as non-root when possible; use read-only root filesystem and drop capabilities; scan images for vulnerabilities; keep the host and Docker updated. Use this when hardening containerized workloads or when reviewing container security.

Persist container data with volumes (managed by Docker) or bind mounts (host path). Use named volumes for database data; use bind mounts for config or source code in dev. Use this when you need data to survive container removal or when mounting host files into a container.

Back up a volume with a temp container that mounts the volume and tars to backup location. Restore by mounting volume and extracting. Use when you need to preserve volume data.

Use ARG in Dockerfile to pass build-time variables; set with --build-arg. Use for version pins or build variants. Do not use ARG for runtime secrets. Use this when you need parameterized builds.

Docker caches layers; change one line and everything after rebuilds. Put rarely changed steps first and frequently changed steps last. Use this when optimizing build speed.

Compose creates a default network so services resolve by name. Define custom networks for isolation. Use when you need service discovery or isolation.

Scale a Compose service with docker compose up -d --scale app=3. Use for dev or load testing. For production use an orchestrator. Use when you need multiple replicas.

Add a .dockerignore file next to Dockerfile to exclude files from build context. Speeds build and avoids leaking secrets. Use when build context is large or you want to exclude git or local files.

Pass config with -e or env_file in compose; use Docker secrets or a secrets manager for sensitive data. Never bake secrets into images. Use this when configuring containers or handling secrets.

docker exec runs a new command in a running container. docker attach attaches to the main process stdin/stdout. Use exec for debugging or one-off commands; avoid attach for long-running or interactive processes. Use this when you need to run a command inside a container.

Add HEALTHCHECK to Dockerfile so Docker reports container health. Use a command that exits 0 when healthy. Use when orchestration or load balancers need health status.

Configure how container stdout/stderr are handled with --log-driver. Default is json-file. Use json-file with max-size and max-file to limit disk. Use this when managing container log growth or forwarding logs.

List and inspect Docker networks with docker network ls and docker network inspect. See which containers are on a network and their IPs. Use when debugging connectivity.

Limit container CPU and memory with --cpus and --memory. Prevents one container from starving others. Set in docker run or compose. Use when running multiple containers on one host.

Set container restart policy with --restart (no, on-failure, always, unless-stopped). Use always or unless-stopped for long-running services so they come back after reboot or crash. Use this when you want containers to restart automatically.

Use docker scan or a registry scanner to find known vulnerabilities in image layers. Fix by updating base image and dependencies. Use before deploying to production.

Tag images with meaningful versions: myapp:1.0.0 or myapp:latest. Use semantic versions for releases; avoid relying only on latest in production. Use this when publishing or deploying images.

When docker build fails check the failing step, cache, and context. Use --no-cache to rule out cache. Check Dockerfile syntax and paths. Use when a build fails or is slow.

Use Compose in production with limits, restarts, health checks, and secrets. Prefer orchestrators at scale. Use when running a small set of services on one or few hosts.

Use multiple FROM stages to build in one stage and copy artifacts into a smaller final image. Reduces size and keeps build tools out of production. Use when build needs compilers not needed at runtime.

Run a private Docker registry with the official registry image. Push and pull with docker tag and docker push. Use when you need to store images privately or in CI.