Docker Demystified: The Only Cheat Sheet You Need

#devops #docker #tutorial #beginners

Docker is one of those tools that's simple in concept and maddeningly complex in practice. You understand containers, you've pulled an image, and then suddenly you're debugging a networking issue between three services at 11pm and you can't remember if it's docker compose down -v or docker compose down --volumes. This cheat sheet is my antidote to that. Pin it, bookmark it, and stop wasting time on Docker documentation.

Container Lifecycle

# Create &amp; Start
docker run &lt;image&gt;                          # Pull + create + start
docker run -it &lt;image&gt; bash                 # Interactive with TTY
docker run -d &lt;image&gt;                       # Detached (background)
docker run --name myapp &lt;image&gt;             # Named container
docker run --rm &lt;image&gt;                     # Auto-remove on exit
docker run -p 8080:80 &lt;image&gt;              # Map host:container port
docker run -e ENV_VAR=value &lt;image&gt;        # Set environment variable
docker run --env-file .env &lt;image&gt;         # Load env from file
docker run -v /host/path:/container/path &lt;image&gt;  # Bind mount
docker run --memory="512m" --cpus="1.5" &lt;image&gt;   # Resource limits

# Start / Stop / Restart
docker start &lt;container&gt;                   # Start stopped container
docker stop &lt;container&gt;                    # Graceful stop (SIGTERM)
docker kill &lt;container&gt;                    # Force stop (SIGKILL)
docker restart &lt;container&gt;

# Remove
docker rm &lt;container&gt;                      # Remove stopped container
docker rm -f &lt;container&gt;                   # Force remove running container
docker container prune                     # Remove all stopped containers

Container Inspection & Monitoring

docker ps                                  # List running containers
docker ps -a                               # List ALL containers
docker logs &lt;container&gt;                    # View logs
docker logs -f &lt;container&gt;                 # Follow/tail logs
docker logs --tail 100 &lt;container&gt;         # Last 100 lines
docker inspect &lt;container&gt;                 # Full JSON metadata
docker stats                               # Live CPU/mem/net usage
docker top &lt;container&gt;                     # Running processes

Exec & Interaction

docker exec -it &lt;container&gt; bash           # Shell into running container
docker exec -it &lt;container&gt; sh             # Use sh if bash unavailable
docker exec &lt;container&gt; ls /app            # Run single command
docker cp &lt;container&gt;:/path/file ./local   # Copy FROM container
docker cp ./local &lt;container&gt;:/path/file   # Copy TO container

Image Management

docker images                              # List local images
docker pull nginx:1.25                     # Pull specific tag
docker build -t myapp:1.0 .               # Build from Dockerfile
docker build --no-cache -t myapp .        # Build without cache
docker build --build-arg KEY=value .      # Pass build arguments
docker tag myapp:1.0 myrepo/myapp:1.0    # Tag image
docker rmi &lt;image&gt;                         # Remove image
docker image prune -a                      # Remove ALL unused images

Dockerfile Reference

FROM node:20-alpine
WORKDIR /app
LABEL maintainer="you@example.com"
ARG NODE_ENV=production
ENV PORT=3000 NODE_ENV=production

# Copy package.json FIRST for cache efficiency
COPY package*.json ./
RUN npm ci --only=production
COPY . .

VOLUME ["/app/data"]
EXPOSE 3000

HEALTHCHECK --interval=30s --timeout=3s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

USER node
CMD ["node", "server.js"]

CMD vs ENTRYPOINT

CMD -- Default command/args, overridable with docker run <image> <cmd>
ENTRYPOINT -- Fixed executable, only overridable with --entrypoint flag
Combined -- ENTRYPOINT receives CMD as default arguments

Multi-Stage Builds

# Stage 1: Builder
FROM node:20 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Stage 2: Production (only copies what's needed)
FROM node:20-alpine AS production
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]

Networking

docker network ls                          # List all networks
docker network create mynet               # Bridge network (default)
docker network connect mynet &lt;container&gt;   # Add container to network
docker run --network mynet &lt;image&gt;         # Start on specific network

Network Drivers

bridge -- Default, single host. Containers talk by name on custom bridge.
host -- Max performance, no isolation. Uses host network.
none -- Complete isolation.
overlay -- Multi-host (Swarm). Cross-host communication.

Gotcha: On the default bridge network, containers can't resolve each other by name. Create a custom bridge network to get automatic DNS resolution.

Volumes & Storage

docker volume create mydata               # Create named volume
docker volume ls                           # List volumes
docker run -v mydata:/app/data &lt;image&gt;    # Named volume
docker run -v /host/path:/app/data &lt;image&gt;# Bind mount

Volume Types

Named Volume (-v name:/path) -- Docker-managed, best for persistent app data
Bind Mount (-v /host:/container) -- Host OS managed, best for development
Anonymous (-v /path) -- Docker-managed, best for temporary data
tmpfs (--tmpfs /path) -- Memory-based, best for sensitive data

Docker Compose

# docker-compose.yml key sections:
# services, volumes, networks

docker compose up                          # Start all services
docker compose up -d                       # Detached mode
docker compose up --build                  # Rebuild images first
docker compose down                        # Stop &amp; remove containers
docker compose down -v                     # Also remove volumes
docker compose logs -f app                 # Follow specific service
docker compose exec app bash               # Shell into service
docker compose run app npm test            # Run one-off command

Cleanup & Maintenance

docker system prune                        # Remove all unused objects
docker system prune -a --volumes           # Nuclear option (data loss!)
docker system df                           # Show Docker disk usage

Security Best Practices

Use specific tags -- never just "latest" in production
Run as non-root user
Minimize image layers and attack surface
Use .dockerignore to avoid leaking secrets
Use COPY over ADD unless you need URL fetching or auto-extraction
Use npm ci not npm install in Dockerfiles

Common Gotchas

EXPOSE doesn't publish ports. It's documentation only. Use -p to actually publish.
docker stop sends SIGTERM, then SIGKILL after 10s. Make sure your app handles SIGTERM gracefully.
Volumes aren't removed with docker compose down. You need -v flag.
latest tag isn't always the latest. It's just a tag -- pin versions in production.
Build context is sent to Docker daemon. A large project directory = slow builds. Use .dockerignore.
Each RUN creates a new layer. Chain commands with && to reduce image size.