Docker Cheatsheet
Build, run, debug, prune. Multi-stage builds, BuildKit, compose, registry auth, and the production-only flags every engineer forgets.
Updated 2026-05-21 8 min
Images
| docker build -t app:1.0 . | Build with tag |
| docker build --target prod -t app:prod . | Build a specific multi-stage target |
| DOCKER_BUILDKIT=1 docker build . | Force BuildKit (faster, secrets support) |
| docker build --secret id=npmrc,src=$HOME/.npmrc . | Mount build-time secret (BuildKit) |
| docker images --filter dangling=true | List dangling (untagged) images |
| docker image prune -af --filter 'until=24h' | Delete unused images created more than 24h ago |
| docker history app:1.0 | Inspect layers + sizes |
| docker save app:1.0 \| gzip > app.tgz | Export image to tarball |
Containers
| docker run -d --name api -p 8080:8080 app:1.0 | Detached + named + port-map |
| docker run --rm -it alpine sh | Throwaway shell |
| docker run --read-only --tmpfs /tmp app | Read-only rootfs, writable /tmp |
| docker run --user 10001:10001 app | Non-root UID/GID |
| docker run --cap-drop=ALL --security-opt no-new-privileges app | Hardened defaults |
| docker exec -it api sh | Shell into a running container |
| docker logs -f --tail 100 api | Tail last 100 lines, follow |
| docker stats | Live CPU/mem of all containers |
Networking & volumes
| docker network create app-net | Create user-defined bridge |
| docker run --network app-net --name db postgres | Attach to network |
| docker volume create pgdata | Named volume |
| docker run -v pgdata:/var/lib/postgresql/data postgres | Mount volume |
| docker run -v $PWD:/app:ro alpine | Bind-mount read-only |
| docker port api | Show port mappings |
| docker inspect -f '{{.NetworkSettings.IPAddress}}' api | Get container IP (default bridge network only) |
Compose (v2)
| docker compose up -d | Start in background |
| docker compose logs -f api | Follow one service |
| docker compose exec api sh | Shell into a service |
| docker compose build --no-cache api | Rebuild without cache |
| docker compose down -v | Stop, remove containers, networks & volumes |
| docker compose --profile dev up | Activate a profile |
| docker compose config | Render the effective merged config |
Registry & auth
| docker login ghcr.io | Login to GHCR |
| aws ecr get-login-password \| docker login --username AWS --password-stdin <acct>.dkr.ecr.<region>.amazonaws.com | ECR login |
| docker tag app:1.0 ghcr.io/org/app:1.0 | Re-tag for push |
| docker push ghcr.io/org/app:1.0 | Push to registry |
| docker manifest inspect alpine:latest | View image manifest + digests |
Dockerfile best practices
| FROM alpine:3.20 AS build | Pin minor version, name stages |
| RUN apk add --no-cache curl | Alpine: install without keeping the apk index cache |
| COPY --chown=10001:10001 . /app | Set owner during COPY |
| USER 10001:10001 | Never run as root |
| HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health \|\| exit 1 | Container-level health |
| ENTRYPOINT ["/app/api"] | Exec form — handles signals correctly |
| # .dockerignore: node_modules, .git, *.log | Smaller context = faster builds |
Cleanup & troubleshooting
| docker system df | Disk usage breakdown |
| docker system prune -af --volumes | Nuke everything unused (careful!) |
| docker inspect <id> | Full JSON config + state |
| docker events --since 10m | Live event stream |
| docker run --rm -it --pid=host --network=host nicolaka/netshoot | Network debug toolkit (shares host PID and network namespaces) |