210 Essential Docker Q&A: Master Images, Containers, Networks, Volumes, and More

Fundamentals

What is Docker? Docker is an open‑source container engine that packages an application and its dependencies into a lightweight, portable image that runs on any Linux, Windows, or macOS host.

Core components – Docker daemon ( dockerd), Docker client ( docker), images, containers, and registries.

Image vs. container – An image is a read‑only template; a container is a running instance of that image with its own isolated process namespace, network namespace, and optional writable layer.

Architecture – Client‑server (C/S) model; the client talks to the daemon via a REST API (usually over a Unix socket).

Container orchestration – Automation of deployment, scaling, and networking (e.g., Kubernetes, Docker Swarm).

Namespaces & cgroups – Linux namespaces provide isolation (PID, NET, IPC, MNT, UTS, USER); cgroups enforce resource limits (CPU, memory, I/O).

UnionFS & copy‑on‑write – Docker builds a layered filesystem; each Dockerfile instruction creates a read‑only layer. A writable layer is added only when the container modifies the filesystem.

Portability – Containers run consistently on any Docker‑enabled host, ensuring environment reproducibility.

Image Management

Pull an image: docker pull ubuntu:20.04 List local images: docker images or docker image ls Remove an image: docker rmi IMAGE_NAME (add -f to force).

Inspect image metadata: docker image inspect IMAGE_NAME Search remote registry: docker search python Tag an image: docker tag SOURCE:TAG TARGET:TAG Push to a registry: docker push USER/REPO:TAG Login / logout to Docker Hub: docker login / docker logout Show image history (layers): docker history IMAGE_NAME Save / load an image as a tar archive:

docker save -o my-image.tar my-image:1.0
docker load -i my-image.tar

Prune dangling images: docker image prune; prune all unused images: docker image prune -a Show image size:

docker images --format "{{.Repository}}\t{{.Tag}}\t{{.Size}}"

Build an image: docker build -t my-image:1.0 . Use -f /path/to/Dockerfile to specify a Dockerfile, --no-cache to disable cache, and --build-arg KEY=VAL to pass build‑time variables.

Export a running container as a new image: docker commit CONTAINER_ID my-new-image:1.0 Delete all images:

docker rmi $(docker images -q)

Container Management

Create & start a container (detached): docker run -d --name my-container ubuntu:20.04 List running containers: docker ps; list all containers: docker ps -a Stop, start, restart, kill:

docker stop CONTAINER_ID
docker start CONTAINER_ID
docker restart CONTAINER_ID
docker kill CONTAINER_ID

Remove a container (add -f to force): docker rm CONTAINER_ID Execute a command inside a container: docker exec -it CONTAINER_ID bash View logs (follow with -f, tail with --tail N): docker logs CONTAINER_ID Inspect container details: docker inspect CONTAINER_ID Live resource usage: docker stats Pause / unpause a container: docker pause CONTAINER_ID / docker unpause CONTAINER_ID Copy files:

docker cp host_path CONTAINER_ID:/container_path
docker cp CONTAINER_ID:/container_path host_path

List processes inside a container: docker top CONTAINER_ID Publish ports: docker run -p 8080:80 nginx (multiple ports can be added).

Set environment variables: docker run -e VAR=value IMAGE Mount a volume: docker run -v /host/dir:/container/dir IMAGE (add :ro for read‑only).

Limit resources: docker run -m 512m --cpus=1.5 --pids-limit=100 IMAGE Define a restart policy: docker run --restart=always IMAGE Delete all stopped containers:

docker rm $(docker ps -a -q -f status=exited)

Network Management

List networks: docker network ls Create a network: docker network create my-network Remove a network: docker network rm my-network Inspect network details: docker network inspect my-network Default networks – bridge, host, none.

Connect / disconnect a container: docker network connect my-network CONTAINER_ID / docker network disconnect my-network CONTAINER_ID Run a container on a specific network: docker run --network my-network IMAGE Create a custom bridge network: docker network create --driver bridge my-bridge Create an overlay network (Swarm): docker network create --driver overlay my-overlay Show a container’s IP address:

docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' CONTAINER_ID

Prune unused networks: docker network prune Specify DNS for a container: docker run --dns 8.8.8.8 IMAGE Add a custom hosts entry: docker run --add-host myhost:192.168.1.100 IMAGE Expose all ports automatically: docker run -P nginx Bind a port to a specific host IP: docker run -p 127.0.0.1:8080:80 IMAGE Deprecated container linking – use user‑defined networks instead.

Show network driver information:

docker network ls --format "{{.Name}}\t{{.Driver}}"

Create a macvlan network for direct L2 access:

docker network create -d macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  -o parent=eth0 my-macvlan

Volume Management

List volumes: docker volume ls Create a volume: docker volume create my-volume Inspect a volume: docker volume inspect my-volume Remove a volume: docker volume rm my-volume Prune unused volumes: docker volume prune Bind mount – mount a host path into a container (e.g., -v /host/path:/container/path).

Docker managed volume – stored under /var/lib/docker/volumes/.

tmpfs mount – in‑memory temporary storage that disappears when the container stops: docker run --tmpfs /app IMAGE Show mount information of a container:

docker inspect -f '{{json .Mounts}}' CONTAINER_ID

Create a read‑only volume: docker run -v my-volume:/data:ro IMAGE Backup a volume using a temporary container:

docker run --rm -v my-volume:/data -v $(pwd):/backup ubuntu \
  tar cvf /backup/backup.tar /data

Restore a volume:

docker run --rm -v my-volume:/data -v $(pwd):/backup ubuntu \
  tar xvf /backup/backup.tar -C /

Share a volume between containers by mounting the same volume name in each docker run -v my-volume:/data command.

Data‑volume container (legacy pattern) – now replaced by named volumes.

Show volume driver:

docker volume ls --format "{{.Name}}\t{{.Driver}}"

Create a volume with a specific driver (e.g., local): docker volume create --driver local my-local-volume Show overall disk usage, including volumes: docker system df -v Delete all volumes:

docker volume rm $(docker volume ls -q)

Dockerfile

Dockerfile is a plain‑text file that defines how to build an image.

FROM – sets the base image; must be the first non‑ARG instruction.

RUN – executes a command during build and creates a new layer.

CMD – default command executed when a container starts; can be overridden at docker run time.

ENTRYPOINT – defines the executable that always runs; often combined with CMD for arguments.

Difference between CMD and ENTRYPOINT – CMD is mutable, ENTRYPOINT is fixed unless explicitly overridden.

COPY – copies files from the build context into the image. COPY src/ /app/ ADD – like COPY but also supports URLs and automatic tar extraction. ADD https://example.com/app.tar.gz /app/ WORKDIR – sets the working directory for subsequent instructions.

ENV – defines environment variables inside the image.

ARG – declares build‑time variables; available only during docker build.

EXPOSE – documents which ports the container will listen on (does not publish them).

VOLUME – creates a mount point for persistent data.

USER – sets the user that the container runs as.

LABEL – adds metadata to the image (e.g., LABEL maintainer="[email protected]").

HEALTHCHECK – defines a command Docker runs to test container health.

ONBUILD – registers a trigger instruction that runs when the image is used as a base for another build.

Optimizing layers – combine related RUN commands with &&, clean package caches, and use multi‑stage builds to keep final images small.

Example of a multi‑stage build:

FROM golang AS builder
WORKDIR /src
COPY . .
RUN go build -o app

FROM alpine
COPY --from=builder /src/app /app
CMD ["/app"]

Docker Compose

Compose defines multi‑container applications in a docker-compose.yml (or .yaml) file.

Start services (detached): docker-compose up -d Stop and remove services: docker-compose down View service status: docker-compose ps View logs (follow): docker-compose logs -f Rebuild images and restart services: docker-compose up -d --build Scale a service (e.g., 3 replicas of web): docker-compose up -d --scale web=3 Execute a command in a service container: docker-compose exec web bash Validate the final configuration: docker-compose config Pause / unpause all services: docker-compose pause / docker-compose unpause Restart services: docker-compose restart Supported file format versions – 2.x and 3.x (the latter is recommended for Swarm compatibility).

Use a custom compose file:

docker-compose -f custom-compose.yml up -d

Security

Run containers as a non‑root user: add USER appuser in the Dockerfile or docker run --user 1000.

Drop unnecessary Linux capabilities: docker run --cap-drop=ALL --cap-add=NET_ADMIN IMAGE.

Scan images for known vulnerabilities: docker scan IMAGE (or use third‑party scanners).

Enable Docker Content Trust for signed images: export DOCKER_CONTENT_TRUST=1.

Avoid privileged containers ( --privileged) unless absolutely required.

Restrict device access and enforce read‑only root filesystem:

docker run --device=/dev/sda:/dev/xvdc --read-only IMAGE

Limit the number of processes a container can spawn: docker run --pids-limit=100 IMAGE Configure TLS for the Docker daemon – generate CA, server, and client certificates and reference them in /etc/docker/daemon.json.

Docker Secrets (Swarm) – store passwords, API keys, etc., securely:

echo "mypassword" | docker secret create my_secret -

Restrict container network access using custom networks, firewall rules, or Docker network policies.

Audit Docker activity by enabling daemon logging and using system audit tools.

Security best practices: use official base images, keep images up‑to‑date, run as non‑root, apply least‑privilege capabilities, and regularly scan for vulnerabilities.

Performance Optimization

Reduce image size: use minimal base images (e.g., alpine), multi‑stage builds, clean package caches, and combine RUN statements.

Speed up Dockerfile builds: order instructions from least to most frequently changed, use a .dockerignore file, and enable BuildKit ( export DOCKER_BUILDKIT=1).

.dockerignore – list files/directories to exclude from the build context, reducing transfer time.

Show overall Docker resource usage: docker system df.

Clean up unused resources: docker system prune -a.

Limit container log size via daemon configuration:

{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}

Optimize container start time: use lightweight images, avoid heavy entrypoint scripts, and pre‑install dependencies.

Docker BuildKit – a newer build engine that provides parallel builds and better caching.

Cache builds by placing rarely‑changed layers early in the Dockerfile.

Monitor container performance with docker stats (CPU, memory, network, I/O) and docker top (process list).

Network performance: use --network host when appropriate, fine‑tune DNS, and minimize hops.

Storage performance: store volumes on SSDs, avoid excessive layering, and use bind mounts for high‑throughput data.

Set resource limits at run time: docker run -m 512m --cpus=1.5 --pids-limit=100 IMAGE.

Image layer cache – Docker reuses unchanged layers from previous builds, dramatically speeding up subsequent builds.

Troubleshooting

Container fails to start – inspect logs ( docker logs) and container details ( docker inspect).

Exit code 137 – out‑of‑memory kill; increase memory limit or reduce container memory usage.

Exit code 1 – application error inside the container; check the command and its environment.

View a container’s exit code: docker inspect -f '{{.State.ExitCode}}' CONTAINER_ID Image pull failure – verify network connectivity, image name, and registry credentials.

Port not reachable – check host firewall, port mapping, container status, and network configuration.

Containers cannot communicate – ensure they share the same user‑defined network and no network policies block traffic.

View Docker daemon logs (systemd): journalctl -u docker.service Show Docker system information: docker info Verify Docker installation: docker run hello-world Container disk‑space shortage – use docker system df or docker inspect -f '{{.SizeRootFs}}' CONTAINER_ID to identify large layers.

Check Docker version: docker --version or docker version Fix container time drift – mount the host’s timezone file: docker run -v /etc/localtime:/etc/localtime:ro IMAGE Reset Docker (destructive) – remove all data and restart the daemon:

rm -rf /var/lib/docker
systemctl restart docker

Get help for any Docker command: docker --help or

docker COMMAND --help