Main Docker commands – grouped by category for easy day-to-day reference.
1. Image management
- `docker pull <image>` – downloads an image from Docker Hub (or registry).
- `docker images` – lists local images.
- `docker rmi <image>` – removes an image.
- `docker build -t <name>:<tag> .` – creates an image from the `Dockerfile` in the current directory.
- `docker tag <image> <repo>:<tag>` – renames/tags an image.
- `docker push <repo>:<tag>` – pushes an image to the registry.
2. Containers (execution)
`docker run <image>` – creates and runs a container. Main options:
| Flag | What it does |
|---|---|
| `-d` | Runs in background (detached) |
| `-p 8080:80` | Maps port host:container |
| `--name myapp` | Sets the container name |
| `-v /host:/container` | Mounts a volume |
- `docker ps` – lists running containers.
- `docker ps -a` – lists all containers (active and stopped).
- `docker stop <id|name>` – stops a container.
- `docker start <id|name>` – starts a stopped container.
- `docker restart <id|name>` – restarts a container.
- `docker rm <id|name>` – removes a container.
3. Logs, shell, and inspection
- `docker logs <id|name>` – displays container logs.
- `docker logs -f <id|name>` – follows logs in real time (like `tail -f`).
- `docker exec -it <id|name> sh` – opens an interactive shell inside the container.
- `docker inspect <id|name>` – displays full details in JSON.
- `docker stats` – monitors CPU and memory usage in real time.
4. Volumes and data
- `docker volume ls` – lists volumes.
- `docker volume create <name>` – creates a volume.
- `docker volume rm <name>` – removes a volume.
- `docker system df` – displays disk usage (images, containers, volumes).
5. Networks
- `docker network ls` – lists networks.
- `docker network create <name>` – creates a network.
- `docker network inspect <name>` – displays network details.
- `docker network connect <network> <container>` – connects a container to a network.
- `docker network disconnect <network> <container>` – disconnects a container from a network.
6. Cleanup (housekeeping)
- `docker system prune` – removes stopped containers, unused networks and dangling images.
- `docker system prune -a` – same, including all unused images.
- `docker volume prune` – removes unused volumes.
`docker system prune -a` removes images not linked to any active container. Use carefully in shared environments.
7. Docker Compose (multi-containers)
- `docker compose up -d` – starts containers defined in `docker-compose.yml`.
- `docker compose down` – stops and removes the stack containers.
- `docker compose logs -f` – follows logs from all services.
- `docker compose ps` – lists project containers.
- `docker compose exec <service> sh` – opens a shell inside a service.
8. Production best practices
Docker has become the standard for packaging and running applications. In production, however, misconfigured images and containers running as root can expand the attack surface and hinder audits.
Smaller, layered images
Use Alpine or distroless base images whenever possible and adopt multi-stage builds to compile in one stage and copy only the binary to the final stage. Fewer packages = fewer CVEs and smaller size. Pin the base image tag (e.g., node:20-alpine) to avoid surprises on rebuilds.
Run as non-root
Create a dedicated user in the Dockerfile and use the USER instruction before CMD. In Kubernetes or Docker Compose, avoid privileged mode and limit CPU and memory resources. Monitor with compliance tools like Trivy or Docker Scout to identify known vulnerabilities.
Secrets and configuration
Never put passwords or keys in plain-text environment variables in docker-compose.yml. Use Docker secrets, files mounted as read-only, or an orchestrator (Kubernetes Secrets, HashiCorp Vault). Rotate credentials regularly and keep base images updated.
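The "Run as non-root" and "Secrets and configuration" advice above can be checked against running containers. The script below is an added example, not part of the original cheat sheet: it audits records shaped like `docker inspect` output for root users, privileged mode, missing CPU/memory limits and secret-looking environment variable names. The sample data, the function names and the name-matching regex are assumptions made for illustration, and the regex is a heuristic.

```python
import json
import re

# Constructed sample in the shape of `docker inspect <container>` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web",
   "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=example-only"]},
   "HostConfig": {"Privileged": true, "Memory": 0, "NanoCpus": 0, "CpuQuota": 0}},
  {"Name": "/api",
   "Config": {"User": "10001:10001",
              "Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db_password"]},
   "HostConfig": {"Privileged": false, "Memory": 268435456,
                  "NanoCpus": 500000000, "CpuQuota": 0}}
]
""")

# Heuristic (assumption): variable names that usually hold credentials.
SECRET_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY)", re.I)

def audit_container(c):
    """Return a list of finding strings for one inspect record."""
    findings = []
    cfg = c.get("Config") or {}
    host = c.get("HostConfig") or {}
    user = (cfg.get("User") or "").split(":")[0]  # "uid:gid" -> uid part
    if user in ("", "0", "root"):  # empty means no USER was set, so root
        findings.append("runs as root")
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    if not host.get("Memory"):  # 0 means unlimited
        findings.append("no memory limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no CPU limit")
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        # *_FILE variables point at a mounted secret file, so they are skipped.
        if SECRET_NAME.search(name) and not name.upper().endswith("_FILE"):
            findings.append(f"secret-like env var: {name}")  # name only, never the value
    return findings

def audit(records):
    """Map container name -> findings for every record in an inspect dump."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else findings)
```

To run it on a real host, replace the sample with the JSON printed by `docker inspect` for the containers of interest and pass the parsed list to `audit()`.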