DEV Community

Cover image for Docker Containers: The Commands That Prove Isolation
Mark Yu
Mark Yu

Posted on • Edited on

Docker Containers: The Commands That Prove Isolation

The first time Docker made sense to me was not from a definition.

It was from running a container, checking the process list, deleting the container, and realizing my host system stayed clean.

Containers are not tiny virtual machines. They are isolated processes with packaged files, network settings, and resource boundaries.

Let’s prove that with commands.

Run a Container

docker run --name web-demo -d -p 8080:80 nginx
Enter fullscreen mode Exit fullscreen mode

Open:

http://localhost:8080
Enter fullscreen mode Exit fullscreen mode

Check it:

docker ps
Enter fullscreen mode Exit fullscreen mode

Stop and remove it:

docker stop web-demo
docker rm web-demo
Enter fullscreen mode Exit fullscreen mode

That is the basic lifecycle.

What Is Actually Running?

docker run --name shell-demo -it ubuntu bash
Enter fullscreen mode Exit fullscreen mode

Inside the container:

ps aux
cat /etc/os-release
Enter fullscreen mode Exit fullscreen mode

In another terminal on the host:

docker exec shell-demo ps aux
Enter fullscreen mode Exit fullscreen mode

You are not booting a full separate machine. You are running a process in an isolated environment.

Visual map:

Host kernel
   |
   +-- container process: nginx
   +-- container process: ubuntu bash
   +-- normal host processes
Enter fullscreen mode Exit fullscreen mode

That kernel sharing is why containers start fast.

Build a Small Image

Create Dockerfile:

FROM node:22-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
CMD ["node", "server.js"]
Enter fullscreen mode Exit fullscreen mode

Build it:

docker build -t my-api:1.0 .
Enter fullscreen mode Exit fullscreen mode

Run it:

docker run --rm -p 3000:3000 my-api:1.0
Enter fullscreen mode Exit fullscreen mode

The image is the template. The container is the running instance.

Check Logs

docker logs web-demo
docker logs -f web-demo
Enter fullscreen mode Exit fullscreen mode

When a container exits immediately, logs are usually the first place I look.

Then inspect:

docker inspect web-demo
Enter fullscreen mode Exit fullscreen mode

inspect is noisy, but useful for environment variables, network settings, mounts, and container state.

Volumes: Data That Survives the Container

Containers are disposable. Data sometimes is not.

docker volume create mysql-data

docker run --name mysql-demo \
  -e MYSQL_ROOT_PASSWORD=secret \
  -v mysql-data:/var/lib/mysql \
  -d mysql:8
Enter fullscreen mode Exit fullscreen mode

Remove the container:

docker rm -f mysql-demo
Enter fullscreen mode Exit fullscreen mode

The named volume can still exist:

docker volume ls
Enter fullscreen mode Exit fullscreen mode

That separation matters in production.

Networking: Host Port vs Container Port

This command:

docker run -p 8080:80 nginx
Enter fullscreen mode Exit fullscreen mode

means:

host port 8080 ---> container port 80
Enter fullscreen mode Exit fullscreen mode

The left side is your machine. The right side is inside the container.

I still see beginners flip those numbers and then wonder why the app is unreachable.

Containers vs Virtual Machines

Topic Container VM
Startup seconds slower
Kernel shares host kernel own guest OS
Isolation process-level machine-level
Image size usually smaller usually larger
Best fit app packaging strong OS isolation

I would not say containers are "better" than VMs. They solve different problems.

My Docker Debug Checklist

docker ps -a
docker logs <container>
docker inspect <container>
docker exec -it <container> sh
docker images
docker volume ls
docker network ls
Enter fullscreen mode Exit fullscreen mode

If you know those commands, you can debug most beginner Docker problems.

Final Thought

Docker becomes less mysterious when you stop treating it as magic packaging and start inspecting what it actually runs.

What Docker command helped containers finally click for you?

Top comments (0)