Docker CLI Cheat Sheet: Complete Reference Guide

Container Lifecycle

Run a container from an image

docker run [OPTIONS] IMAGE [COMMAND]

Creates and starts a container from a specified IMAGE. This is the primary command for getting a container up and running, allowing you to execute an optional COMMAND inside it.

Run container in background

docker run -d IMAGE

Runs the container in detached mode, meaning it runs in the background. The command prints the container ID and exits the terminal, allowing you to continue using your shell.

Run with interactive terminal

docker run -it IMAGE

Runs the container with an interactive terminal (-i) and allocates a pseudo-TTY (-t). This is essential for interacting with the container, like running an interactive shell such as bash.

Run with custom name

docker run --name NAME IMAGE

Assigns a custom, human-readable NAME to the container instead of a randomly generated one. This makes it easier to reference the container in other Docker commands.

Run with auto-remove on exit

docker run --rm IMAGE

Automatically removes the container’s filesystem when it exits. This is useful for running temporary or short-lived jobs to keep your system clean.

Create container without starting

docker create IMAGE

Creates a container from an image but does not start it. This allows you to configure the container or volume mounts before starting it manually with docker start.

Start stopped container

docker start CONTAINER

Starts one or more existing, stopped containers. This is used to resume a container that was previously stopped without having to re-create it.

Stop running container

docker stop CONTAINER

Gracefully shuts down a running container by sending a SIGTERM signal. Docker waits for a default timeout (usually 10 seconds) for the container to exit before sending a SIGKILL.

Restart container

docker restart CONTAINER

Stops a running container and then starts it again. This is a convenient way to apply changes or simply recycle a container’s processes.

Pause container processes

docker pause CONTAINER

Suspends all processes inside one or more running containers. It achieves this by using the cgroups freezer to temporarily stop the container’s execution.

Unpause container

docker unpause CONTAINER

Resumes all processes inside a paused container. This reverses the effect of the docker pause command, allowing the container’s processes to continue execution.

Kill container immediately

docker kill CONTAINER

Immediately stops a container’s execution by sending a SIGKILL signal. This should be used when a container is unresponsive to the gentler docker stop command.

Remove stopped container

docker rm CONTAINER

Removes one or more stopped containers. It cannot remove a running container unless the -f (force) flag is used.

Force remove running container

docker rm -f CONTAINER

Forces the removal of a container, even if it is currently running. This is an abrupt removal that is equivalent to running docker kill followed by docker rm.

Wait for container to stop

docker wait CONTAINER

Blocks the current shell execution until one or more containers stop. It then prints the container’s exit codes, which is useful for scripting sequential operations.

Rename container

docker rename OLD NEW

Changes the custom name of an existing container from OLD to NEW. This is a simple utility command for maintaining better organization of your containers.

Update container resources

docker update [OPTIONS] CONTAINER

Allows for dynamic configuration updates to a running container’s resource constraints. You can use it to change limits like memory (-m) or CPU shares.

Container Information

List running containers

docker ps

Displays a list of all currently running containers. It provides essential information like Container ID, Image, Status, and Ports.

List all containers

docker ps -a

Displays a list of all containers, including those that are stopped or exited. This is the full inventory of containers present on your Docker host.

Show container logs

docker logs CONTAINER

Retrieves the standard output (stdout) and standard error (stderr) logs for a container. It shows the history of what the container’s main process has written.

Follow log output

docker logs -f CONTAINER

Streams the log output from a container in real-time. This is useful for monitoring the activity of a running service.

Show container processes

docker top CONTAINER

Displays the running processes within a container. It’s similar to the Linux top command but scoped to the container’s environment.

Show container stats

docker stats

Displays a live stream of resource usage statistics for all running containers. It includes CPU, memory usage, network I/O, and disk I/O.

Show detailed container info

docker inspect CONTAINER

Returns low-level, detailed JSON configuration information about a container. This is a powerful command used for debugging and viewing all configuration details.

Show container port mappings

docker port CONTAINER

Displays the public-facing port mapping for a container to its private ports. It quickly shows you which HOST ports are mapped to which CONTAINER ports.

Show filesystem changes

docker diff CONTAINER

Displays the changes made to the container’s filesystem since it was created. It indicates files that have been added (A), deleted (D), or modified (C).

Container Interaction

Execute command in container

docker exec CONTAINER COMMAND

Runs a new command inside an already running container. The original process of the container remains running.

Open interactive shell

docker exec -it CONTAINER sh

Executes an interactive shell (like sh or bash) inside the container. This is the primary way to get a command prompt and debug inside a running service.

Attach to running container

docker attach CONTAINER

Attaches your local standard input, output, and error streams to a running container’s main process. This is generally used to view the real-time output or interact with a process that started interactively.

Copy files from container

docker cp CONTAINER:SRC DEST

Copies files or folders from the container’s filesystem at SRC to the local machine at DEST. This is a simple way to pull data out of a container.

Copy files to container

docker cp SRC CONTAINER:DEST

Copies files or folders from the local machine at SRC into the container’s filesystem at DEST. This is a quick utility for adding necessary files to a running container.

Export container filesystem

docker export CONTAINER > file.tar

Exports the contents of a container’s filesystem as a tar archive. It does not include the metadata or base image layers, just a flattened filesystem.

Create image from container

docker commit CONTAINER IMAGE

Creates a new image by capturing the current state of a running or stopped container. This is typically a less-preferred method than using a Dockerfile but is useful for quick saves.

Image Management

List images

docker images

Displays a list of all locally stored Docker images. It provides the image repository, tag, ID, creation time, and size.

List all images including dangling

docker images -a

Shows all local images, including intermediate images used during builds and “dangling” images (untagged, unused layers). This helps in identifying and cleaning up all image data.

Pull image from registry

docker pull IMAGE[:TAG]

Downloads an image and its necessary layers from a registry, typically Docker Hub. If no TAG is specified, it defaults to the :latest tag.

Push image to registry

docker push IMAGE[:TAG]

Uploads a local image and its layers to a configured registry (e.g., Docker Hub). The image must be appropriately tagged with the registry path before pushing.

Remove image

docker rmi IMAGE

Removes one or more local images. An image cannot be removed if it is currently being used by any container.

Force remove image

docker rmi -f IMAGE

Forces the removal of an image, even if it is currently in use by a container. It achieves this by also removing any references to the image.

Tag image

docker tag SOURCE TARGET

Creates an alias for an image, giving it a new name and/or tag. This is most often used to prepare an image with a full registry path before pushing it.

Show image history

docker history IMAGE

Displays the history of an image, showing each layer and the command used to create it. This is useful for understanding how an image was built and its size progression.

Show detailed image info

docker inspect IMAGE

Returns low-level, detailed JSON configuration information about an image. It provides metadata, layer history, configuration, and image size details.

Search Docker Hub

docker search TERM

Searches the public Docker Hub registry for images matching a specific TERM. This helps discover publicly available images to use as base images.

Save image to tar

docker save IMAGE > file.tar

Saves one or more images into a tar archive. This is used for backing up an image or transferring it to a host that is offline (air-gapped).

Load image from tar

docker load < file.tar

Loads a tar archive from standard input as a Docker image. This is the command used to import an image that was previously saved using docker save.

Import filesystem as image

docker import file.tar IMAGE

Creates a new image from the contents of a tarball, using it as a flattened filesystem. Unlike docker load, this creates a single-layer, non-history image.

Remove unused images

docker image prune

Removes all dangling images (untagged and unreferenced by any container). This is a basic housekeeping command to free up disk space.

Remove all unused images

docker image prune -a

Removes all unused images, including both dangling and non-dangling ones not referenced by any container. Use this with caution as it removes any image not actively in use.

Image Building

Build image from Dockerfile

docker build -t NAME PATH

Builds a new Docker image using the Dockerfile located in the specified PATH (the build context). The -t flag tags the resulting image with a friendly NAME.

Build with tag

docker build -t NAME:TAG PATH

Builds and tags the image with a specific NAME and TAG. This is the best practice for versioning your images.

Build with custom Dockerfile

docker build -f Dockerfile -t NAME PATH

Specifies an alternative path and file name for the Dockerfile to use for the build. This is necessary when the Dockerfile is not named Dockerfile or is not in the root of the build context.

Build without cache

docker build --no-cache -t NAME PATH

Forces the builder to execute all steps without using any previously cached layers. This is useful when you suspect the cache is stale or you need a clean build.

Build with build args

docker build --build-arg KEY=VALUE -t NAME PATH

Passes a build-time variable to the Dockerfile, which can be referenced via the ARG instruction. This is used to inject dynamic values like versions or credentials during the build.

Build specific stage

docker build --target STAGE -t NAME PATH

Builds only up to the specified STAGE name in a multi-stage Dockerfile. This is essential for debugging intermediate stages or creating smaller “builder” images.

Build for platform

docker build --platform PLATFORM -t NAME PATH

Specifies the target operating system and architecture for the built image. This is crucial for cross-platform builds, such as building an ARM image on an x86 host.

Volume Management

Create volume

docker volume create NAME

Creates a new, managed Docker volume with a specific NAME. Volumes are the preferred way to persist data generated by and used by Docker containers.

List volumes

docker volume ls

Displays a list of all local Docker volumes. It shows the volume name and the driver being used.

Show volume details

docker volume inspect NAME

Returns low-level, detailed JSON configuration information about a volume. This includes the mount point on the host filesystem and the driver used.

Remove volume

docker volume rm NAME

Removes one or more specified volumes. A volume can only be removed if it is not currently in use by any container.

Remove unused volumes

docker volume prune

Removes all local volumes that are not currently referenced by any container. This is a safe cleanup command for removing orphaned volume data.

Mount named volume

docker run -v VOLUME:PATH IMAGE

Mounts the named Docker VOLUME to the specified PATH inside the container. This is the standard way to ensure data persistence for a container.

Mount bind volume

docker run -v HOST_PATH:CONTAINER_PATH IMAGE

Binds a directory from the host machine (HOST_PATH) to a path inside the container (CONTAINER_PATH). This is useful for development, allowing the container to access local source code.

Mount read-only volume

docker run -v VOLUME:PATH:ro IMAGE

Mounts a volume or bind mount to the container’s path and sets it as read-only (:ro). This prevents the container from writing to the mounted location, enhancing security and data integrity.

Create anonymous volume

docker run -v PATH IMAGE

Creates an anonymous volume when no volume name is specified, mounting it to the container’s PATH. The volume is managed by Docker but has a long, random ID.

Mount with volume driver

docker run --mount type=volume,source=VOL,target=PATH IMAGE

The newer and more explicit way to mount a volume, using the --mount flag. This syntax is often preferred as it is more verbose and clearer than the -v shorthand.

Network Management

List networks

docker network ls

Displays a list of all local Docker networks (e.g., bridge, host, none, and custom networks). It shows the network ID, name, and driver.

Create network

docker network create NAME

Creates a new, user-defined network with a specified NAME. Containers on the same user-defined network can resolve each other by name.

Create with driver

docker network create --driver DRIVER NAME

Creates a network using a specific type of network DRIVER (e.g., bridge, overlay). The overlay driver is used for multi-host networking in a Swarm cluster.

Create with subnet

docker network create --subnet CIDR NAME

Creates a network and specifies the IP address range for the network using CIDR notation. This allows for fine-tuning the IP addressing within the network.

Create with gateway

docker network create --gateway IP NAME

Specifies the default gateway IP address for the newly created network. This gives greater control over the networking configuration.

Show network details

docker network inspect NAME

Returns low-level, detailed JSON configuration information about a network. It includes the subnet, gateway, driver, and a list of all connected containers.

Remove network

docker network rm NAME

Removes one or more specified networks. A network can only be removed if there are no containers currently attached to it.

Remove unused networks

docker network prune

Removes all local, user-defined networks that are not currently in use by any container. This is a simple command for network-related cleanup.

Connect container to network

docker network connect NETWORK CONTAINER

Attaches a running container to an existing network. A container can be attached to multiple networks simultaneously.

Connect with IP

docker network connect --ip IP NETWORK CONTAINER

Connects a container to a network and assigns it a specific static IP address. This is useful for applications that require predictable IP addresses.

Connect with alias

docker network connect --alias ALIAS NETWORK CONTAINER

Assigns a network-scoped alias to a container on the specified network. Other containers on that network can then resolve the container by this ALIAS name.

Disconnect container

docker network disconnect NETWORK CONTAINER

Removes a container from a specified network. This can be done on a running container without stopping it.

Run on specific network

docker run --network NAME IMAGE

Runs a new container and connects it to a specified network immediately upon creation. If this is omitted, the container defaults to the bridge network.

Run with network alias

docker run --network-alias ALIAS IMAGE

Runs a container and sets a network alias that other containers on the same network can use for service discovery. This is a quick way to establish name resolution for the new container.

Registry & Authentication

Login to registry

docker login

Logs in to the default public registry (Docker Hub). It prompts you for your username and password.

Login to custom registry

docker login REGISTRY

Logs in to a private or custom registry specified by the REGISTRY URL. This is necessary for pulling and pushing images to non-Docker Hub locations.

Login with credentials

docker login -u USER -p PASS

Logs in using the provided username (-u) and password (-p). Using -p is discouraged for security reasons in interactive shells.

Logout from registry

docker logout

Logs out from the default or specified registry. This clears the local credentials stored for the registry.

Pull from custom registry

docker pull REGISTRY/IMAGE

Pulls an image from a non-Docker Hub registry by including the REGISTRY prefix in the image name. The local host must be logged in to this registry first.

Push to custom registry

docker push REGISTRY/IMAGE

Pushes an image to a non-Docker Hub registry. The image must be correctly tagged, and the local host must be logged in.

Tag for registry

docker tag IMAGE REGISTRY/IMAGE:TAG

Creates a new tag for a local image that includes the full registry path and a TAG. This is the required step before you can push the image to a private registry.

Docker Compose

Start services

docker-compose up

Reads the docker-compose.yml file, builds or pulls images, and creates and starts all defined services. It runs containers in the foreground and displays the aggregated logs.

Start in background

docker-compose up -d

Starts all services in the background (detached mode). This is the most common way to run a multi-container application in production or a long-running environment.

Stop services

docker-compose down

Stops running containers and removes the containers, networks, and default volumes created by up. This is the standard command for cleaning up a Compose deployment.

Stop and remove volumes

docker-compose down -v

Performs the standard down cleanup but also explicitly removes the named volumes defined in the Compose file. This permanently deletes persistent data, so use with caution.

Build services

docker-compose build

Builds or re-builds the images for all services that specify a build context in the Compose file. This only executes the build step and does not start the containers.

Build without cache

docker-compose build --no-cache

Forces the build process to ignore any existing build cache for the services. This ensures a fresh, clean build, often used for troubleshooting.

List services

docker-compose ps

Displays a list of all containers created by the Compose project. It provides status, command, and port information for all running and stopped services.

View logs

docker-compose logs

Displays the aggregated log output for all services in the project. This is the best way to monitor the startup and runtime output of your application.

Follow logs

docker-compose logs -f

Streams the log output from all services in real-time. This is similar to docker logs -f but aggregates across all services in the file.

Execute command

docker-compose exec SERVICE COMMAND

Runs a command inside a container for a running service (e.g., running a database migration). This command is analogous to docker exec.

Run one-off command

docker-compose run SERVICE COMMAND

Runs a one-off command in a new container for a service definition. This is ideal for administrative tasks or tasks that should run and exit (e.g., Django’s manage.py runserver).

Start services

docker-compose start

Starts existing stopped containers that were created by docker-compose up. This is useful for resuming a project without re-creating all resources.

Stop services

docker-compose stop

Stops running containers but does not remove them or their networks/volumes. The containers remain on the system and can be restarted later.

Restart services

docker-compose restart

Stops and then restarts existing containers for the specified services. This is a convenient way to apply configuration changes that only require a restart.

Pause services

docker-compose pause

Suspends all processes in the running service containers. The containers remain in memory but their processes are frozen.

Unpause services

docker-compose unpause

Resumes the processes in paused service containers. This reverses the effect of the pause command.

Remove stopped containers

docker-compose rm

Removes all stopped containers for the project. It is an alternative to down if you only want to clear containers and keep networks/volumes.

Pull service images

docker-compose pull

Pulls the latest versions of the images referenced in the Compose file from the registry. This updates your local images without starting the containers.

Push service images

docker-compose push

Pushes the local images for all services to the configured registry. Requires the images to be tagged with the registry prefix.

Validate compose file

docker-compose config

Validates the Compose file syntax and displays the final, normalized configuration. This is useful for debugging and ensuring your file is correctly interpreted.

Scale services

docker-compose up --scale SERVICE=NUM

Scales a service up or down to the specified number of running instances. This is a quick way to horizontally scale an application on a single host.

Show running processes

docker-compose top

Displays the running processes within the service containers. This is an aggregated version of the docker top command for the entire project.

System Management

Show Docker info

docker info

Displays detailed information about the Docker installation and environment. It includes details on storage driver, kernel version, number of images/containers, and available memory.

Show Docker version

docker version

Shows the version information for the Docker Client and the Docker Engine (Daemon). This is essential for checking compatibility and troubleshooting version issues.

Show disk usage

docker system df

Displays the disk space usage consumed by Docker images, containers, local volumes, and build cache. It gives a clear overview of how much disk space Docker is utilizing.

Remove unused data

docker system prune

Removes unused containers, networks, dangling images, and build cache. This is the main command for general Docker system cleanup and reclaiming disk space.

Remove all unused data

docker system prune -a

Removes all of the above, plus all non-dangling images that are not referenced by any running container. This performs a much more aggressive cleanup.

Remove with volumes

docker system prune --volumes

Adds unused local volumes to the list of items to be removed during the prune. This can free up a significant amount of space but permanently removes persistent data.

Show real-time events

docker events

Streams real-time events from the Docker daemon to your terminal. This is used for monitoring container, image, volume, and network activity as it happens.

Filter events

docker events --filter event=TYPE

Filters the streamed events to only display events of a specific TYPE (e.g., container, image, die). This helps in focusing the monitoring on relevant activities.

Events since time

docker events --since TIME

Shows all events that have occurred since a specified TIME. This is useful for reviewing a history of events that occurred during a specific period.

Swarm Management

Initialize swarm

docker swarm init

Initializes a new Docker Swarm on the current machine, making it a Swarm manager. This starts the orchestration capabilities of Docker.

Initialize with advertise address

docker swarm init --advertise-addr IP

Initializes the Swarm and specifies the IP address the manager node advertises to other nodes. This is crucial in multi-homed or cloud environments for proper cluster communication.

Join as worker

docker swarm join --token TOKEN IP:PORT

Connects the current machine to an existing Swarm as a worker node. Worker nodes receive and execute tasks but do not participate in cluster management decisions.

Join as manager

docker swarm join --token TOKEN IP:PORT

Connects the current machine to an existing Swarm as an additional manager node. Multiple managers provide high availability for the control plane.

Leave swarm

docker swarm leave

Removes the current machine from the Swarm cluster. If run on a manager, it loses its manager privileges.

Force leave swarm

docker swarm leave -f

Forces a manager node to leave the Swarm, even if it is the only remaining manager. This is used when a node needs to be decommissioned without consensus.

Show join token

docker swarm join-token worker

Displays the join command and token that a new machine needs to run to join the Swarm as a worker. This token is used for secure authentication.

Show manager token

docker swarm join-token manager

Displays the join command and token that a new machine needs to run to join the Swarm as a manager. This token should be kept secure.

Update swarm

docker swarm update

Updates the configuration of the Swarm cluster. This can be used to set parameters like the task history limit or the auto-lock setting.

Unlock swarm

docker swarm unlock

Unlocks the Swarm cluster after it has been explicitly locked by docker swarm update --autolock. This requires the unlock key and is part of a security measure.

Show unlock key

docker swarm unlock-key

Displays the unlock key that is required to manually unlock a locked Swarm. This key should be securely backed up immediately after enabling auto-lock.

Stack Management

Deploy stack

docker stack deploy -c FILE STACK

Deploys a multi-service application (a Stack) to the Swarm using a Compose file. This command converts the Compose file into Swarm Services.

List stacks

docker stack ls

Lists all of the currently deployed Stacks on the Swarm. It shows the stack name and the number of services running in each stack.

List stack services

docker stack services STACK

Lists the individual Swarm services that make up a specified stack. It provides details like the service ID, name, and desired replicas.

List stack tasks

docker stack ps STACK

Lists the tasks (running containers) associated with a stack’s services. This is used to monitor the state and location of the running application containers.

Remove stack

docker stack rm STACK

Removes an entire stack from the Swarm. This gracefully stops and removes all the services and tasks defined in the stack.

Service Management

Create service

docker service create IMAGE

Creates a new Swarm service from an image. A service is the definition of a desired state for one or more tasks (containers).

List services

docker service ls

Displays a list of all currently running Swarm services. It shows the service name, mode (replicated/global), and replica status.

Show service details

docker service inspect SERVICE

Returns low-level, detailed JSON configuration information about a service. This includes the service’s update policy, replicas, and network configuration.

Show service logs

docker service logs SERVICE

Aggregates and streams the logs from all the tasks (containers) belonging to a service. This is the primary way to monitor a deployed service in a Swarm.

List service tasks

docker service ps SERVICE

Lists the individual tasks (containers) that belong to a service. It shows where each task is running and its current state.

Scale service

docker service scale SERVICE=NUM

Changes the number of running replicas for a service. Docker Swarm will automatically scale the service up or down to match the new desired NUM.

Update service

docker service update SERVICE

Updates the configuration of a service (e.g., resource limits, network settings). Docker Swarm will roll out the changes gracefully to the running tasks.

Update image

docker service update --image IMAGE SERVICE

Updates a service to use a new image version. Swarm initiates a rolling update, replacing old tasks with new ones without downtime.

Remove service

docker service rm SERVICE

Removes a running service from the Swarm. This stops and removes all associated tasks and their containers.

Rollback service

docker service rollback SERVICE

Reverts a service to its previous configuration. This is used when a new update is causing issues and you need a quick way to restore stability.

Node Management

List nodes

docker node ls

Lists all the nodes (machines) participating in the Swarm cluster. It displays the node ID, hostname, status, and role (manager/worker).

Show node details

docker node inspect NODE

Returns detailed JSON information about a specific node. This includes the node’s labels, status, availability, and resource specifications.

Update node

docker node update NODE

Updates the configuration of a node, often used to add or update labels. Labels are used by the Swarm scheduler to constrain service placement.

Promote to manager

docker node promote NODE

Changes a worker node’s role to a manager node. This is used to add more managers for high availability.

Demote to worker

docker node demote NODE

Changes a manager node’s role back to a worker node. This is used when you need to reduce the number of managers in the cluster.

Remove node

docker node rm NODE

Removes a node from the Swarm cluster. The node must first be drained or explicitly forced to leave.

List node tasks

docker node ps NODE

Lists all the tasks (containers) that are currently running on a specific node. This is useful for debugging and checking the workload distribution.

Set node availability

docker node update --availability active|pause|drain NODE

Sets the scheduling status of a node, allowing or preventing the Swarm from deploying new tasks to it. drain is used to gracefully move all existing tasks off a node.

Secret Management

Create secret from file

docker secret create NAME FILE

Creates a new Swarm Secret from the contents of a local FILE. Secrets are securely distributed to only the services that need them.

Create secret from stdin

echo "data" | docker secret create NAME -

Creates a new Swarm Secret from data piped in via standard input (-). This is useful for creating secrets non-interactively in scripts.

List secrets

docker secret ls

Lists all the secrets stored securely in the Swarm cluster. It provides the secret ID, name, and creation time.

Show secret details

docker secret inspect NAME

Returns detailed JSON information about a secret (metadata only, not the secret content). This is a utility command for inspecting configuration.

Remove secret

docker secret rm NAME

Removes a secret from the Swarm cluster. Any service currently using the secret will lose access to it, potentially causing errors.

Config Management

Create config from file

docker config create NAME FILE

Creates a new Swarm Config from the contents of a local FILE. Configs are securely distributed configuration files that are read-only for services.

Create config from stdin

echo "data" | docker config create NAME -

Creates a new Swarm Config from data piped in via standard input (-). This is useful for creating small config fragments or for use in scripts.

List configs

docker config ls

Lists all the configs stored in the Swarm cluster. It provides the config ID, name, and creation time.

Show config details

docker config inspect NAME

Returns detailed JSON information about a config (metadata only, not the config content). This is used to check the config’s ID, date, and size.

Remove config

docker config rm NAME

Removes a config from the Swarm cluster. Services that were using the config will stop and fail to restart correctly if they still require it.

Plugin Management (Continued)

Upgrade plugin

docker plugin upgrade PLUGIN

Upgrades an installed plugin to a newer version. This automatically handles the necessary stop/start cycle.

Push plugin

docker plugin push PLUGIN

Pushes a locally created plugin to a registry. This is used by plugin developers to distribute their extensions.

Create plugin

docker plugin create PLUGIN PATH

Creates a new plugin from a root filesystem and configuration located in PATH. This is a developer-focused command for packaging a new plugin.

Configure plugin

docker plugin set PLUGIN KEY=VALUE

Sets configuration values for a specific plugin. This is used to fine-tune the plugin’s behavior after installation.

Context Management

List contexts

docker context ls

Lists all the stored Docker contexts. A context defines the endpoint (local daemon, remote server, or cloud provider) that Docker commands run against.

Create context

docker context create NAME

Creates a new Docker context, typically pointing to a remote daemon. This allows you to easily switch between different Docker hosts.

Use context

docker context use NAME

Switches the current shell’s Docker environment to use the specified context. All subsequent docker commands will execute against the target defined by NAME.

Show context details

docker context inspect NAME

Returns detailed JSON information about a specific context. This shows the endpoint and connection details for the target.

Update context

docker context update NAME

Modifies the connection details or metadata for an existing context. This allows changing the target endpoint without creating a new context.

Remove context

docker context rm NAME

Removes a specified context. This only removes the local configuration; it does not affect the remote daemon.

Export context

docker context export NAME

Saves a context’s configuration to a file. This allows for easy sharing or backup of a context configuration.

Import context

docker context import NAME FILE

Imports a context configuration from a specified file. This allows the use of contexts that have been shared or backed up.

Builder Management

List builders

docker builder ls

Lists all the available build instances. These instances manage build concurrency and cache.

Prune build cache

docker builder prune

Removes the cached data used by the builder instances. This is useful for freeing up disk space consumed by intermediate build layers.

Show builder disk usage

docker builder du

Displays a breakdown of the disk space consumed by the build cache. This helps in identifying large or unused cache segments.

Trust & Content Trust

Sign and push image

docker trust sign IMAGE:TAG

Uses a private key to digitally sign an image and then pushes it to the registry. This confirms the image’s origin and integrity.

Show trust data

docker trust inspect IMAGE

Displays the signers and trust information for an image in the registry. This confirms whether an image has been signed and by whom.

Revoke trust

docker trust revoke IMAGE:TAG

Removes the digital signature for a specified image from the registry. This is used to invalidate a signed image.

Generate trust key

docker trust key generate NAME

Generates a new cryptographic key pair (private and public) for signing images. The private key is used for signing, and the public key is used for verification.

Load trust key

docker trust key load FILE

Adds a private key from a file to the local user’s trust repository. This allows the user to sign images using the imported key.

Add signer

docker trust signer add --key FILE SIGNER REPO

Adds a signer (user/key) to a repository, allowing that key to sign images for that repository. The FILE points to the public key of the new signer.

Remove signer

docker trust signer remove SIGNER REPO

Removes a signer’s public key from a repository. The removed signer can no longer sign images for that repository.

Checkpoint Management

Create checkpoint

docker checkpoint create CONTAINER NAME

Creates a checkpoint (a snapshot of the running container’s state) using CRIU. This allows the container to be restored to that exact state later.

List checkpoints

docker checkpoint ls CONTAINER

Lists all the checkpoints created for a specific container. This shows the available restoration points.

Remove checkpoint

docker checkpoint rm CONTAINER NAME

Deletes a specific checkpoint for a container. This removes the snapshot data from the host filesystem.

Manifest Management

Inspect manifest

docker manifest inspect IMAGE

Displays the manifest list or manifest for a multi-architecture image. This shows which architectures and operating systems the image supports.

Create manifest

docker manifest create LIST IMAGE...

Creates a manifest list that references multiple architecture-specific images. This is used to create a single, multi-platform image name.

Push manifest

docker manifest push LIST

Pushes the newly created manifest list to the registry. This makes the multi-architecture image available for platforms to automatically pull the correct image.

Annotate manifest

docker manifest annotate LIST IMAGE --os OS --arch ARCH

Adds or updates metadata (like OS or architecture) for an image within a manifest list. This ensures proper platform selection when pulling the multi-arch image.

Container Cleanup

Remove all stopped containers

docker container prune

Removes all exited or stopped containers. This is a quick way to clean up resources from terminated container runs.

Remove containers older than

docker container prune --filter "until=24h"

Removes stopped containers that have been inactive for longer than the specified time (e.g., 24 hours). This allows for a targeted cleanup of old resources.

Remove with label filter

docker container prune --filter "label=KEY"

Removes stopped containers based on whether they have a specific label assigned to them. This enables filtering by custom metadata.

Image Cleanup

Remove dangling images

docker image prune

Removes only the dangling images (those that are not tagged and not referenced by any container). This is the safest cleanup of unneeded image layers.

Remove all unused images

docker image prune -a

Removes all unused images, including intermediate and non-dangling images not referenced by a container. This is a powerful command that frees up significant disk space.

Remove images older than

docker image prune -a --filter "until=24h"

Removes all unused images that were created or last modified longer than the specified time (e.g., 24 hours) ago. This provides an age-based policy for image cleanup.

Volume Cleanup

Remove all unused volumes

docker volume prune

Removes all local volumes that are not currently referenced by any container. This is the standard, single command for safely removing orphaned volume data.

Remove with filter

docker volume prune --filter "label=KEY"

Removes unused volumes that have a specific label assigned to them. This allows for targeted removal of volumes based on custom metadata.

Network Cleanup

Remove all unused networks

docker network prune

Removes all local, user-defined networks that are not currently in use by any container. This is a quick way to clean up orphaned network configurations.

Remove with filter

docker network prune --filter "until=24h"

Removes unused networks that were created longer than the specified time (e.g., 24 hours) ago. This helps maintain a clean network environment based on age.

Common Run Options

Run with port mapping

docker run -p HOST:CONTAINER IMAGE

Maps a port from the container (CONTAINER) to a port on the host machine (HOST). This allows external access to the service running inside the container.

Run with environment variable

docker run -e KEY=VALUE IMAGE

Sets an environment variable inside the container. This is a primary method for configuring applications at runtime.

Run with multiple env vars

docker run -e KEY1=VAL1 -e KEY2=VAL2 IMAGE

Sets multiple environment variables for the container’s environment. The -e flag must be repeated for each variable.

Run with env file

docker run --env-file FILE IMAGE

Sets environment variables using key-value pairs listed in a FILE. This is a cleaner way to pass a large number of variables.

Run with working directory

docker run -w PATH IMAGE

Sets the working directory inside the container where the primary command will be executed. This is useful for commands that expect to run from a specific location.

Run as specific user

docker run -u USER IMAGE

Runs the container’s primary process with a specified USER or UID/GID. This is an important security feature to avoid running as the root user.

Run with hostname

docker run -h HOSTNAME IMAGE

Sets the hostname for the container. This value is often used by the application for identification or logging purposes.

Run with CPU limit

docker run --cpus NUM IMAGE

Limits the container’s access to the host’s CPU resources to a specific number of cores. This is a crucial command for resource governance and preventing a container from hogging the CPU.

Run with memory limit

docker run -m SIZE IMAGE

Limits the container’s access to the host’s memory to a specific SIZE (e.g., 512m, 1g). This prevents a memory leak in one container from crashing the entire host.

Run with privileged mode

docker run --privileged IMAGE

Gives the container full access to the host’s devices and kernel capabilities. This should be used with extreme caution as it breaks container isolation.

Run with cap add

docker run --cap-add CAPABILITY IMAGE

Adds a specific Linux CAPABILITY to the container’s set of privileges. This grants fine-grained access to kernel features without using the full --privileged flag.

Run with cap drop

docker run --cap-drop CAPABILITY IMAGE

Removes a specific Linux CAPABILITY from the container’s set of privileges. This is used to further reduce the security attack surface.

Run with device

docker run --device PATH IMAGE

Adds a host device (e.g., a GPU, or a serial port) to the container. This is necessary for containers that need to interact directly with hardware.

Run with restart policy

docker run --restart=always IMAGE

Sets the restart policy for the container (e.g., always, on-failure). always ensures the container restarts automatically whenever it exits.

Run with label

docker run -l KEY=VALUE IMAGE

Adds metadata (a label) to the container. Labels are often used for organization, monitoring, or automating cleanup scripts.

Run with link

docker run --link CONTAINER IMAGE

DEPRECATED: Links a container to another via the legacy network mechanism. Modern practice uses user-defined networks for DNS resolution instead.

Run with DNS

docker run --dns IP IMAGE

Configures a custom DNS server IP for the container to use for name resolution. This overrides the host’s default DNS settings.

Run with add-host

docker run --add-host HOST:IP IMAGE

Adds an entry to the container’s /etc/hosts file. This is useful for custom host-to-IP mappings inside the container’s environment.

Run with pid mode

docker run --pid host IMAGE

Allows the container to share the PID namespace with the host system. This lets the container see all processes running on the host, which is a significant security risk but necessary for some monitoring tools.

Run with IPC mode

docker run --ipc host IMAGE

Allows the container to share the IPC namespace with the host system. This enables inter-process communication between the container and processes on the host.

Additional Tips

Tip: Use docker COMMAND --help for detailed options and examples for any Docker command.

And after hours of focus, trial, and error, I finally completed the sheet. I couldn’t help but shed a few tears — a mix of relief, pride, and sheer satisfaction.