Docker Essentials Cheatsheet
The most important Docker commands and concepts every developer needs to know — from running containers to building images and managing volumes.
Core Concepts
| Term | What it is |
|---|---|
| Image | Read-only template. The blueprint. |
| Container | Running instance of an image. |
| Registry | Storage for images (Docker Hub, GHCR, ECR). |
| Volume | Persistent storage that survives container restarts. |
| Network | Virtual network connecting containers. |
Images
# Pull an image from a registry
docker pull nginx:alpine
# List local images
docker images
# Build an image from a Dockerfile in current dir
docker build -t myapp:1.0 .
# Tag an existing image
docker tag myapp:1.0 myapp:latest
# Remove an image
docker rmi myapp:1.0
# Remove all dangling (untagged) images
docker image prune
Containers
# Run a container (foreground)
docker run nginx:alpine
# Run detached, name it, map port 8080→80
docker run -d --name web -p 8080:80 nginx:alpine
# Run interactively with a shell
docker run -it ubuntu:24.04 bash
# List running containers
docker ps
# List ALL containers (including stopped)
docker ps -a
# Stop / start / restart
docker stop web
docker start web
docker restart web
# Remove a stopped container
docker rm web
# Remove a running container (force)
docker rm -f web
# Stream logs
docker logs -f web
# Execute a command inside a running container
docker exec -it web sh
Volumes
# Create a named volume
docker volume create mydata
# Mount a named volume
docker run -v mydata:/app/data myapp:1.0
# Mount a host directory (bind mount)
docker run -v "$(pwd)/data:/app/data" myapp:1.0
# List volumes
docker volume ls
# Remove unused volumes
docker volume prune
Networking
# Create a custom bridge network
docker network create mynet
# Connect a container to a network
docker run --network mynet myapp:1.0
# Containers on the same network reach each other by name
# e.g. from 'api' container: curl http://db:5432
# List networks
docker network ls
Dockerfile Reference
# Start from a minimal base
FROM node:20-alpine
# Set working directory
WORKDIR /app
# Copy dependency manifests first (layer cache)
COPY package*.json ./
RUN npm ci --omit=dev
# Copy source
COPY . .
# Non-root user for security
RUN addgroup -S app && adduser -S app -G app
USER app
# Expose port (documentation only)
EXPOSE 3000
# Healthcheck
HEALTHCHECK --interval=30s --timeout=5s \
CMD wget -qO- http://localhost:3000/health || exit 1
CMD ["node", "server.js"]
Dockerfile Best Practices
- Order layers from least to most frequently changed (deps before source).
- Use .dockerignore: exclude node_modules, .git, *.log.
- Pin base image versions: node:20-alpine, not node:latest.
- One process per container: don't run nginx + app in one container.
- Run as non-root: USER app after creating the user.
- Multi-stage builds to keep production images small.
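A small check for three of the practices above (pinned base image, non-root final stage, .dockerignore present), added here as an example and not part of the original cheatsheet. The function name lint_dockerfile is hypothetical, and the script assumes base images run as root unless a USER instruction says otherwise.

```shell
#!/bin/sh
# Added example: lint a Dockerfile for three of the practices listed above.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
lint_dockerfile() {
    rc=0
    awk -v f="$1" '
    function flag(msg) { print f ":" NR ": " msg; bad++ }
    toupper($1) == "FROM" {
        i = 2
        while ($i ~ /^--/) i++                 # skip flags such as --platform=
        img = $i
        if (img in stage_user) {
            user = stage_user[img]             # FROM <earlier stage> keeps its USER
        } else {
            user = ""                          # assumption: base images default to root
            n = split(img, part, "/")          # the tag lives in the last path component
            if (img != "scratch" && img !~ /@sha256:/ && img !~ /\$/) {
                if (part[n] !~ /:/) flag("base image " img " has no tag")
                else if (part[n] ~ /:latest$/) flag("base image " img " uses :latest")
            }
        }
        alias = (toupper($(i + 1)) == "AS") ? $(i + 2) : ""
        if (alias != "") stage_user[alias] = user
        next
    }
    toupper($1) == "USER" {
        user = $2
        if (alias != "") stage_user[alias] = user
    }
    END {
        if (user == "" || user == "root" || user == "0" || user ~ /^(root|0):/) {
            print f ": final stage runs as root (no non-root USER)"; bad++
        }
        exit (bad > 0)
    }' "$1" || rc=1
    if [ ! -f "$(dirname "$1")/.dockerignore" ]; then
        echo "$1: no .dockerignore beside the Dockerfile"
        rc=1
    fi
    return "$rc"
}

# Usage: sh lint.sh path/to/Dockerfile
if [ "$#" -gt 0 ]; then lint_dockerfile "$1"; fi
```

The non-zero return status makes it usable as a CI gate before docker build.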
Docker Compose Quick Reference
# compose.yaml
# Example credentials only; keep real ones out of the file (env file or secrets).
services:
  web:
    build: .
    ports:
      - "8080:3000"
    environment:
      - DATABASE_URL=postgres://user:pass@db:5432/mydb
    depends_on:
      db:
        condition: service_healthy
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: user
      POSTGRES_PASSWORD: pass
      POSTGRES_DB: mydb
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U user"]
      interval: 5s
      retries: 5
volumes:
  pgdata:
docker compose up -d # Start all services detached
docker compose logs -f web # Follow web logs
docker compose down # Stop and remove containers
docker compose down -v # Also remove volumes
Cleanup
# Remove ALL stopped containers, unused networks, dangling images, build cache
docker system prune
# Nuclear option — removes everything including unused images and volumes
docker system prune -a --volumes
Quick Recipes
Copy a file from a container:
docker cp web:/app/logs/error.log ./error.log
Inspect container details (IP, mounts, env):
docker inspect web
Check resource usage:
docker stats
Save/load image as tar (air-gapped environments):
docker save myapp:1.0 | gzip > myapp.tar.gz
docker load < myapp.tar.gz