
Essential Docker Tips for Developers: Boost Efficiency and Security

This article shares practical Docker tips covering CLI enhancements, Dockerfile best practices, networking, volume management, and security measures, helping developers who already know the basics to improve container workflows, reduce image size, and secure their Docker deployments.

MaGe Linux Operations

At TES GLOBAL we fell in love with Docker and have been using it in production since version 0.8. Many developers attended DockerCon Europe training. Below are tips for those with basic Docker knowledge.

1. CLI

1.1 Beautify docker ps output

Pipe the output to less -S so table rows are not wrapped.

docker ps -a | less -S

1.2 Refresh logs

Docker logs are not streamed in real time unless you use the -f (--follow) option.

docker logs -f <containerid>

1.3 Extract a single value from docker inspect

docker inspect outputs a large JSON document. Use jq or Docker's built‑in Go template to retrieve a specific key.

Is the latest container running?

docker inspect --format '{{.State.Running}}' $(docker ps -lq)

1.4 Use docker exec instead of sshd or nsenter

docker exec, added in version 1.3, lets you run a new process inside a container, eliminating the need for an SSH daemon or host‑side nsenter.

2. Dockerfiles

2.1 docker build supports Git repositories

You can point docker build directly at a Git URL; Docker will clone the repo and build the image.

2.2 No package list in base images

Official images like Ubuntu do not include an apt package list to keep the image size small, so you must run apt‑get update in any Dockerfile that installs packages.

2.3 Pay attention to package versions

Package installation commands are cached. Clearing the cache may change versions, and stale caches can miss security updates.

2.4 Small base images

The official scratch image is truly empty; for most cases start from busybox, which is only about 2.5 MB.

2.5 FROM defaults to the latest tag

If you omit a tag after FROM, Docker pulls the latest image. Explicitly specify a tag to ensure reproducibility.

2.6 Shell vs exec form

Commands in a Dockerfile can be written in shell form (wrapped in sh -c) or exec form (JSON array). Exec form avoids a shell and is recommended.

2.7 ADD vs COPY

Both copy files into the image, but ADD can also fetch remote URLs and automatically unpack archives. Use COPY unless you need those extra features.

2.8 WORKDIR and ENV

Each Dockerfile instruction runs in a new temporary container, so cd or export won’t persist. Use WORKDIR to set the working directory and ENV for environment variables across layers.

2.9 CMD and ENTRYPOINT

CMD provides default arguments for the container. The default ENTRYPOINT is /bin/sh -c. You can override ENTRYPOINT in the Dockerfile to change how arguments are passed.

Dockerfile example

# Exec form is required here: a shell-form ENTRYPOINT ignores CMD and docker run arguments.
ENTRYPOINT ["/bin/ls"]
CMD ["-a"]

We override the command line, but the entrypoint remains ls:

docker run training/ls -l

2.10 Place ADD at the end

Adding files invalidates the build cache. Put frequently changing files (your source code) after less‑changing layers (dependencies). For Node.js, copy package.json first, run npm install, then add the rest of the code.
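A small linter for tips 2.2, 2.5, 2.6 and 2.7, added here as an example and not part of the original article. The sample Dockerfile is constructed, the function names are hypothetical, and the apt-get rule is a heuristic that expects update and install in the same RUN.

```python
import json
import re

# Constructed sample Dockerfile; image, file and URL names are illustrative.
SAMPLE = """\
FROM ubuntu
RUN apt-get install -y curl
ADD app.py /srv/app.py
ADD https://example.invalid/tool.tar.gz /opt/
ENTRYPOINT /bin/ls
CMD ["-a"]
"""

def logical_lines(text):
    """Yield (line_no, INSTRUCTION, args), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        instr, _, args = (buf + line).partition(" ")
        yield start, instr.upper(), args.strip()
        buf, start = "", 0

def is_exec_form(args):
    """True when the arguments parse as a JSON array (exec form)."""
    try:
        return isinstance(json.loads(args), list)
    except ValueError:
        return False

def lint(text):  # returns [(line_no, tip, message), ...]
    out = []
    for n, instr, args in logical_lines(text):
        first = next((w for w in args.split() if not w.startswith("--")), "")
        if instr == "FROM" and first != "scratch" and "@" not in first and (
                ":" not in first.rsplit("/", 1)[-1] or first.endswith(":latest")):
            out.append((n, "2.5", "FROM %s is not pinned to a tag" % first))
        elif instr in ("CMD", "ENTRYPOINT") and not is_exec_form(args):
            out.append((n, "2.6", "%s uses shell form" % instr))
        elif instr == "ADD" and not re.search(r"^https?://|\.(tar(\.\w+)?|tgz)$", first):
            out.append((n, "2.7", "ADD of a plain local file; use COPY"))
        elif (instr == "RUN" and "apt-get update" not in args
              and re.search(r"apt-get\s+(-\S+\s+)*install", args)):
            out.append((n, "2.2", "apt-get install without apt-get update"))
    return out
```

Run on SAMPLE, it reports lines 1, 2, 3 and 5; the URL form of ADD and the exec-form CMD pass.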

3. Docker networking

3.1 Find port mappings

Use docker run with explicit -p mappings or -P to map all ports. To query a specific mapping:

docker port containerID portNumber

Or inspect the container:

docker inspect --format '{{.NetworkSettings.Ports}}' containerID

3.2 Container IP addresses

Each container gets a private IP (default 172.17.0.0/16). The IP may change after a restart; retrieve it with:

docker inspect --format '{{.NetworkSettings.IPAddress}}' containerID

3.3 Host networking

docker run --net=host shares the host network stack, but it is generally discouraged.

4. Volumes

4.1 Volume contents are not saved in docker commit

Data written to a volume after an image is built is not captured by docker commit.

4.2 Volumes are read‑write by default

Use the :ro flag to mount a volume as read‑only.

4.3 Volumes exist independently of containers

A volume persists as long as at least one container uses it. Share it between containers with --volumes-from.

4.4 Mount the Docker socket

Mounting /var/run/docker.sock gives a container access to the Docker API, allowing it to run Docker commands. However, running a Docker daemon inside a container is unnecessary.

5. Security

5.1 Running Docker as root

The Docker API grants root‑level access. Avoid exposing the API; if needed, protect it with TLS.

5.2 Using USER in Dockerfiles

By default containers run as root. You can specify a non‑root user with USER, but Docker lacks user namespaces, so the UID inside the container maps to the host UID.
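The runtime settings discussed in 3.3, 4.2, 4.4, 5.1 and 5.2 can be checked from the JSON that docker inspect prints. The following audit is an added example, not part of the original article; it assumes the Config.User, HostConfig.NetworkMode and Mounts fields of current docker inspect output, and the container records are constructed.

```python
import json

# Constructed `docker inspect` output for two containers, trimmed to the
# fields the checks read; names and paths are illustrative.
SAMPLE = json.loads("""
[
 {"Name": "/ci-agent",
  "Config": {"User": ""},
  "HostConfig": {"NetworkMode": "host"},
  "Mounts": [{"Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Name": "/web",
  "Config": {"User": "app"},
  "HostConfig": {"NetworkMode": "bridge"},
  "Mounts": [{"Source": "/srv/static", "Destination": "/static", "RW": false}]}
]
""")

def audit(containers):
    """Map container name -> list of findings from its inspect record."""
    report = {}
    for c in containers:
        found = []
        # An empty User means the image default, which is root unless USER is set.
        user = (c.get("Config") or {}).get("User") or ""
        if user.split(":")[0] in ("", "0", "root"):
            found.append("runs as root (5.2)")
        if (c.get("HostConfig") or {}).get("NetworkMode") == "host":
            found.append("shares the host network stack (3.3)")
        for m in c.get("Mounts") or []:
            if m.get("Source", "").endswith("docker.sock"):
                found.append("Docker socket mounted: API access (4.4, 5.1)")
            elif m.get("RW", True):
                found.append("read-write mount %s (4.2)" % m.get("Destination"))
        report[c.get("Name", "?").lstrip("/")] = found
    return report
```

To audit a live host, feed it json.loads of the output of docker inspect $(docker ps -q).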

5.3 Using TLS with the Docker API

Since Docker 1.3, the daemon supports TLS. Both client and server need a key pair. Boot2Docker enables TLS by default. You need OpenSSL 1.0.1+ and must start the daemon with --tlsverify; the TLS-protected API listens on port 2376.
