Link Search Menu Expand Document

Docker Cheat Sheet


Container vs image ids

Note in the following examples <container> is either a container id, or a container name (if such is given to a container with the –name option on start). Both can be obtained with docker ps -a. <image> is either an image id, or an image name. Those can be obtained with the docker image command. Do not confuse with container id/name!

Listing Containers

docker ps                           # List running containers
docker ps -a                        # List all containers
docker ps -s                        # List running containers including CPU/memory size

List machine readable:

docker ps -a --format "{{.ID}},{{.Names}},{{.Status}},{{.Image}},{{.Ports}}"

Inspecting containers

docker exec -it <container> bash    # Log into container bash environment
docker inspect <container>          # Instance details
docker top     <container>          # Instance processes
docker logs    <container>          # Instance console log
docker port    <container>          # Shows container's port mapping. The same can be seen with "docker ps" though (row - "PORTS")
docker diff    <container>          # Shows changes on container's filesystem. Will produce a list of files and folders prefixed by a
                                    # character. "A" is for "added", "C" is for changed.
docker stats   <container>          # Shows the consumed resources (memory, CPU, network bandwidth)
docker export --output="latest.tar" <container> #Export a container’s filesystem as a tar archive

Starting containers

Start a container with default entrypoint and in background

docker start -it ubuntu

Start a container with a command like /bin/bash

docker run -i -t ubuntu /bin/bash   # New instance from image. "-i" is for "interactive" and "t" is for terminal. Without "it" it
                                    # won't be interactive - you will get a shell/terminal, but will not be able to type anything onto 
                                    # it. Without "t" you will not get a terminal opened. The command will run and exit.
docker run -i -t --rm ubuntu /bin/bash # If you need a one-time container, then use the --rm option. Thus, once you exit the container,
                                    # it will be removed                                  

Start with port forwarding

docker run -p 8080:8080 myserver

Create a network and start container in this network

docker network create --subnet= elknet        # Create a network 'elknet'
docker run --net elknet --ip -it ubuntu bash   # Assign static IP from network    

Container and image lifecycle

docker start   <container>
docker restart <container>
docker stop    <container>
docker attach  <container>
docker rm [-f] <container>          # Removes / deletes a container (do not confuse with the "rmi" command - it removes an image!).
                                    # The container must be stopped in beforehand (unless -f is used).

docker cp '<id>':/data/file .       # Copy file out of container

docker images                       # List locally stored images
docker rmi <image>                  # Removes / deletes a locally stored image
docker save -o <tarball> <image>    # Saves a local image as a tarball, so you can archive/transfer or inspect its content
                                    # Example: docker save -o /tmp/myimage.tar busybox
docker history <image>              # Shows image creation history. Useful if you want to "recreate" the Dockerfile of an image -
                                    # in cases where you are interested how the image has been created.

Building Images

docker build .
docker build -f Dockerfile.test .                     # Use another Dockerfile file name
docker build --target <stage> .                       # Build specific target of a multi-stage Dockerfile
docker build --build-arg MYARG=myvalue .              # Pass variables with --build-arg
docker build --add-host <hostname>:<target> .         # Inject hostnames

Using BuildKit

BuildKit is Docker next-gen build derived from Moby BuildKit. In Docker v18 and v19 it needs to be explicitely enabled. There are two ways to use it.

1.) via environment


2.) via new “buildx” command (v19+ only)

docker buildx build <build args>

Note: here “buildx” just serves as a wrapper to provide compatible build commands.

Releasing Images

docker tag <source>[:<tag>] <target>:<tag>
docker push <target>:<tag>

To a private/remote registry

docker tag <source>[:<tag>] <remote registry>/<target>:<tag>
docker push <remote registry>/<target>:<tag>


docker network ls
docker network rm <network id>
docker network inspect <network id>

Docker Registry v2 API

/v2/_catalog                # List repositories
/v2/<repository>/tags/list  # List tags for a given repo

DockerHub Rate Limits + Solutions

Copying files out

Given a locally build image tag:

docker create --name <container name> <image tag>
docker cp <container name>:<source path> <target path>
docker rm -f <container name>

To copy directories ensure to use a trailing / on the <source path>

Debugging shell-less containers

This is possible by mapping one or more interesting namespaces (e.g. the PID namespace) of the container to be debugged to a new container with a shell:

docker run -it --rm --pid=container:<container id> --cap-add SYS_PTRACE ubuntu bash

So should you want to debug the network of the other container ensure to add --network container:<id> to the docker run command.



For build time (e.g. Dockerfile)

  • hadolint
  • checkov
  • trivy

For running containers and docker host:


Best Practices for Images

  • When using ext4: disable journaling