## Links

- https://docs.docker.com/reference/cli/docker/
- https://docs.docker.com/engine/containers/run/
- https://docs.docker.com/build/building/best-practices/
- https://docs.docker.com/engine/manage-resources/pruning/
- https://docs.docker.com/docker-hub/repos/manage/hub-images/
## 1. Important Points

Docker mental model:

```text
image:
  immutable application package
container:
  process created from an image
volume:
  persistent data managed by Docker
network:
  container DNS and connectivity boundary
registry:
  image storage, for example Docker Hub / ECR / Harbor

runtime stack:
  docker CLI / Docker API
  -> dockerd
  -> containerd
  -> runc
  -> Linux container

Kubernetes relation:
  kubelet
  -> CRI runtime
  -> containerd
  -> runc

rules:
  build image once, deploy the same image to every environment
  do not bake .env / password / token into image
  pass runtime config by env / secret / mounted file
  write logs to stdout/stderr
  run as non-root when the image supports it
  use explicit image tags for release and rollback
```
## 2. Pages

| Page | Use It For |
|---|---|
| Commands | daily docker / docker compose commands, debug commands, cleanup commands |
| Operations | local disk cleanup policy, registry retention policy, volume backup policy, incident runbook |
## 3. Core Workflow

```text
local dev:
  docker build
  docker run
  docker logs
  docker exec

team dev:
  docker compose up
  docker compose logs
  docker compose down

release:
  docker build --pull
  docker tag
  docker push
  deploy by exact tag

operations:
  docker ps
  docker inspect
  docker stats
  docker system df
```
## 4. Runtime

```shell
docker run -d \
  --name order-api \
  --restart unless-stopped \
  -p 3000:3000 \
  -e APP_ENV=prod \
  -e LOG_LEVEL=info \
  --memory 512m \
  order-api:1.0.0
```

runtime notes:

```text
publish only the required ports
use a named volume for stateful data
use --rm for one-off tools
use --restart unless-stopped for services that should survive a daemon/host restart
set resource limits on shared hosts
prefer compose for multi-container local dependencies
```
## 5. Build

```shell
docker build \
  --pull \
  -t registry.example.com/order-api:1.0.0 \
  -t registry.example.com/order-api:git-a1b2c3d \
  .
```

Dockerfile rules:

```text
keep build context small with .dockerignore
use multi-stage build for compiled apps
install dependencies before copying full source when cache helps
pin base image by runtime version
remove package manager cache in runtime image
never copy local credentials, .env, SSH keys, or registry tokens
```
## 6. Security

security defaults:

```text
use a trusted base image
run as non-root
avoid privileged containers
avoid mounting /var/run/docker.sock into application containers
avoid --network host unless required
keep registry credentials in CI secret store
scan image in CI or registry when available
```

```shell
docker run --rm \
  --user 10001:10001 \
  --read-only \
  --tmpfs /tmp \
  order-api:1.0.0
```
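The security defaults above can be checked on a running host by feeding `docker inspect <container>` output into a small audit. This is an added example, not part of the original page; the inspect record below is constructed and trimmed to the fields the checks read, and the finding texts are my own wording.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(inspect_doc: dict) -> list[str]:
    """Return findings for one `docker inspect` record, checked against the
    security defaults above: non-root user, no --privileged, no docker.sock
    mount, no --network host, read-only rootfs, and a memory limit."""
    cfg = inspect_doc.get("Config", {})
    host = inspect_doc.get("HostConfig", {})
    findings = []
    user = cfg.get("User", "")
    # Empty User means the image default, which is root unless USER was set.
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root (set --user or USER in the Dockerfile)")
    if host.get("Privileged"):
        findings.append("privileged container")
    # docker.sock may arrive via --volume (Mounts) or as a raw bind string.
    sources = [m.get("Source", "") for m in inspect_doc.get("Mounts", [])]
    sources += [b.split(":")[0] for b in (host.get("Binds") or [])]
    if DOCKER_SOCK in sources:
        findings.append("docker.sock mounted into the container")
    if host.get("NetworkMode") == "host":
        findings.append("uses --network host")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (consider --read-only)")
    if not host.get("Memory"):
        findings.append("no memory limit (--memory)")
    return findings


# Constructed, trimmed inspect record for illustration; not from a real host.
SAMPLE = json.loads("""
[{"Name": "/order-api",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "NetworkMode": "host",
                 "ReadonlyRootfs": false, "Memory": 0,
                 "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
  "Mounts": []}]
""")

if __name__ == "__main__":
    # Real use: json.load(sys.stdin) fed from `docker inspect <container>`.
    for doc in SAMPLE:
        for finding in audit_container(doc):
            print(f"{doc['Name']}: {finding}")
```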
## 7. Observability

| Need | Command |
|---|---|
| Container status | `docker ps --format 'table {{.Names}}\t{{.Status}}\t{{.Ports}}'` |
| Logs | `docker logs -f <container>` |
| Resource usage | `docker stats` |
| Container details | `docker inspect <container>` |
| Host Docker disk usage | `docker system df` |
| Compose status | `docker compose ps` |

watch:

```text
restart count
unhealthy status
CPU / memory pressure
OOMKilled
/var/lib/docker disk usage
build cache growth
```
## 8. Hands-on

```shell
docker run --rm hello-world

docker run -d \
  --name nginx-dev \
  -p 8080:80 \
  nginx:1.27-alpine

curl -i http://localhost:8080/
docker logs nginx-dev
docker stop nginx-dev
docker rm nginx-dev
```
## 9. Readiness Criteria

ready means:

```text
image has explicit tag and rollback tag
runtime config is not inside image
logs go to stdout/stderr
app has health endpoint or healthcheck
local disk cleanup uses a clear default:
  stopped containers > 7 days
  unused images > 14 days
  build cache > 7 days
  protected volumes use keep=true label
registry retention uses a clear default:
  immutable releases kept 180 days or last 30 releases
  git sha tags kept 30-90 days
  branch/PR tags kept 7-14 days
  currently deployed and rollback tags are protected
named volumes have backup/restore commands before they store real data
```

Detailed policy templates are in Docker Operations.