Link Search Menu Expand Document

Docker Cheat Sheet


Container vs image ids

Note in the following examples <container> is either a container id, or a container name (if such is given to a container with the –name option on start). Both can be obtained with docker ps -a. <image> is either an image id, or an image name. Those can be obtained with the docker image command. Do not confuse with container id/name!

Listing Containers

docker ps                           # List running containers
docker ps -a                        # List all containers
docker ps -s                        # List running containers including CPU/memory size

List machine readable:

docker ps -a --format "{{.ID}},{{.Names}},{{.Status}},{{.Image}},{{.Ports}}"

Inspecting containers

docker exec -it <container> bash    # Log into container bash environment
docker inspect <container>          # Instance details
docker top     <container>          # Instance processes
docker logs    <container>          # Instance console log
docker port    <container>          # Shows container's port mapping. The same can be seen with "docker ps" though (row - "PORTS")
docker diff    <container>          # Shows changes on container's filesystem. Will produce a list of files and folders prefixed by a
                                    # character. "A" is for "added", "C" is for changed.
docker stats   <container>          # Shows the consumed resources (memory, CPU, network bandwidth)
docker export --output="latest.tar" <container> #Export a container’s filesystem as a tar archive

Starting containers

Start a container with default entrypoint and in background

docker start -it ubuntu

Start a container with a command like /bin/bash

docker run -i -t ubuntu /bin/bash   # New instance from image. "-i" is for "interactive" and "t" is for terminal. Without "it" it
                                    # won't be interactive - you will get a shell/terminal, but will not be able to type anything onto 
                                    # it. Without "t" you will not get a terminal opened. The command will run and exit.
docker run -i -t --rm ubuntu /bin/bash # If you need a one-time container, then use the --rm option. Thus, once you exit the container,
                                    # it will be removed                                  

Start with port forwarding

docker run -p 8080:8080 myserver

Create a network and start container in this network

docker network create --subnet= elknet        # Create a network 'elknet'
docker run --net elknet --ip -it ubuntu bash   # Assign static IP from network    

Container and image lifecycle

docker start   <container>
docker restart <container>
docker stop    <container>
docker attach  <container>
docker rm      <container>          # Removes / deletes a container (do not confuse with the "rmi" command - it removes an image!).
                                    # The container must be stopped in beforehand.

docker cp '<id>':/data/file .       # Copy file out of container

docker images                       # List locally stored images
docker rmi <image>                  # Removes / deletes a locally stored image
docker save -o <tarball> <image>    # Saves a local image as a tarball, so you can archive/transfer or inspect its content
                                    # Example: docker save -o /tmp/myimage.tar busybox
docker history <image>              # Shows image creation history. Useful if you want to "recreate" the Dockerfile of an image -
                                    # in cases where you are interested how the image has been created.

Building Images

docker build .
docker build -f Dockerfile.test .                     # Use another Dockerfile file name
docker build --target <stage> .                       # Build specific target of a multi-stage Dockerfile
docker build --build-arg MYARG=myvalue .              # Pass variables with --build-arg
docker build --add-host <hostname>:<target> .         # Inject hostnames

Using BuildKit

BuildKit is Docker next-gen build derived from Moby BuildKit. In Docker v18 and v19 it needs to be explicitely enabled. There are two ways to use it.

1.) via environment


2.) via new “buildx” command (v19+ only)

docker buildx build <build args>

Note: here “buildx” just serves as a wrapper to provide compatible build commands.

Releasing Images

docker tag <source>[:<tag>] <target>:<tag>
docker push <target>:<tag>

To a private/remote registry

docker tag <source>[:<tag>] <remote registry>/<target>:<tag>
docker push <remote registry>/<target>:<tag>

Dockerfile Examples

Installing packages

FROM debian:wheezy

ENV DEBIAN_FRONTEND=noninteractive             # Always have this on Debian-based distros!

# Always combine update + install to avoid apt caching issues!
# Always disable recommends to get no extra packages!
RUN apt-get update \
 && apt-get install -y --no-install-recommends python git

Copy files

COPY sourcefile.txt /app
COPY sourcefile.txt config.ini /app/           # Note the trailing slash on target with multiple files 
COPY dir1 /app

Adding users

RUN useradd jsmith -u 1001 -s /bin/bash

Defining work directories and environment

WORKDIR /home/jsmith/
ENV HOME /home/jsmith


VOLUME ["/home"]

Opening ports


Start command

USER jsmith
WORKDIR /home/jsmith/

Setting timezone

ENV TZ=America/Los_Angeles
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

Using variables

CMD java ${JAVA_OPTS} ...

Pass those variables using --build-arg JAR_DOWNLOAD=... --build-arg JAVA_OPTS="-D..."

For longer commands use CMD array syntax

CMD [ "java", "-XX:+UnlockExperimentalVMOptions", "-XX:+UseCGroupMemoryLimitForHeap", <...>]

Ensure pipe errors to break the build

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

Clear apt cache

RUN apt-get update \
  && apt-get install --no-install-recommends -y <packages> \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*

Working with private registries

In Dockerfile use syntax with /

FROM <server>/<image>:<tag>

Define a variable registry in FROM clause and pass the hostname with --build-arg


Multi-stage Dockerfiles

Starting with Docker 17.05 you can do multi-stage builds by having multiple FROM commands in one Dockerfile

FROM image1

FROM image2

Above syntax example will automatically trigger two builds. Stages also can be named:

FROM image1 as stage1

and explicitely called on the CLI

docker build --target stage1 ...

Docker Registry v2 API

/v2/_catalog                # List repositories
/v2/<repository>/tags/list  # List tags for a given repo

DockerHub Rate Limits + Solutions


Best Practices for Images

  • When using ext4: disable journaling