Home Cheat Sheets Docker Commands Cheat Sheet
📋 CHEAT SHEET

Docker Commands Cheat Sheet

Essential Docker commands reference — containers, images, volumes, networks, Docker Compose and debugging.

Container Lifecycle

CommandDescriptionExample
docker runCreate and start containerdocker run -d -p 8080:80 nginx
docker startStart stopped containerdocker start mycontainer
docker stopStop running container (graceful)docker stop mycontainer
docker killForce stop containerdocker kill mycontainer
docker restartStop then start containerdocker restart mycontainer
docker rmRemove stopped containerdocker rm mycontainer
docker rm -fForce remove running containerdocker rm -f mycontainer
docker pause / unpauseFreeze / unfreeze containerdocker pause mycontainer

Container Inspection

CommandDescriptionExample
docker psList running containersdocker ps
docker ps -aList all containersdocker ps -a
docker logsView container logsdocker logs -f mycontainer
docker execRun command in containerdocker exec -it mycontainer bash
docker inspectDetailed container info (JSON)docker inspect mycontainer
docker statsLive CPU/memory usagedocker stats
docker topRunning processes in containerdocker top mycontainer
docker cpCopy files to/from containerdocker cp file.txt mycontainer:/app/

Image Commands

CommandDescriptionExample
docker pullDownload imagedocker pull python:3.11
docker pushUpload image to registrydocker push myuser/myimage:tag
docker buildBuild image from Dockerfiledocker build -t myapp:1.0 .
docker imagesList local imagesdocker images
docker rmiRemove imagedocker rmi myimage:tag
docker tagTag an imagedocker tag myapp:1.0 myapp:latest
docker saveExport image to tardocker save myapp > myapp.tar
docker loadImport image from tardocker load < myapp.tar

Volumes & Networks

CommandDescriptionExample
docker volume createCreate named volumedocker volume create mydata
docker volume lsList volumesdocker volume ls
docker volume rmRemove volumedocker volume rm mydata
-v host:containerBind mountdocker run -v /data:/app/data nginx
docker network createCreate networkdocker network create mynet
docker network lsList networksdocker network ls
--network flagConnect to networkdocker run --network mynet nginx

Docker Compose

CommandDescription
docker compose up -dStart all services in background
docker compose downStop and remove containers
docker compose down -vStop and remove containers + volumes
docker compose logs -fFollow logs from all services
docker compose psList compose services
docker compose exec app bashShell into running service
docker compose buildRebuild images
docker compose pullPull latest images

Dockerfile Best Practices

PracticeWhyExample
Copy deps manifest before sourceCaches dependency layer — only re-runs on manifest changeCOPY package.json ./ → RUN npm ci → COPY . .
Use multi-stage buildsStrips build tools from final image — 90%+ size reductionFROM node:20 AS builder ... FROM node:20-alpine AS runtime
Use specific base image tagsPrevents silent breakage from upstream changesFROM python:3.12-slim not FROM python:latest
Combine RUN commands with &&Reduces layer count and image sizeRUN apt-get update && apt-get install -y curl && rm -rf /var/lib/apt/lists/*
Add .dockerignoreExcludes node_modules, .git, build dirs from context.dockerignore: node_modules, .git, *.log, dist
Set WORKDIR explicitlyAvoids accidental writes to / and clarifies contextWORKDIR /app
Run as non-root USERLimits blast radius if container is compromisedRUN adduser -S app && USER app
Use COPY not ADDADD has hidden behaviour (auto-extracts tar, fetches URLs)Prefer COPY unless you specifically need ADD features

Container Security

ControlCommand / ConfigWhat It Does
Run as non-rootdocker run --user 1000:1000Drop root privileges at runtime
Read-only filesystemdocker run --read-onlyPrevents writes to container FS (use volumes for writable paths)
Drop capabilitiesdocker run --cap-drop ALL --cap-add NET_BIND_SERVICEPrinciple of least privilege for Linux capabilities
No new privilegesdocker run --security-opt no-new-privilegesPrevents setuid/setgid escalation
Limit resourcesdocker run --memory 512m --cpus 1.0Prevents noisy-neighbour and DoS from runaway containers
Scan image for CVEstrivy image myapp:latestDetect known vulnerabilities before pushing
Lint Dockerfilehadolint DockerfileCatch security and best-practice violations in CI
Use secrets not ENVdocker run --secret id=token,src=./tokenSecrets never appear in docker inspect or history
More Cheat Sheets
Java Collections Cheat SheetJava Streams API Cheat SheetPython Built-in Functions Cheat SheetSQL Joins Cheat SheetJVM Memory Model DiagramHow HashMap Works InternallyMicroservices Cheat SheetPandas Cheat SheetData Structures & Algorithms Cheat Sheet