Administration
Context
docker context ls  # Show created contexts (list of Docker sockets).
docker context use myRemoteContext  # Switch to a Docker context.
docker context create myRemoteContext --docker "host=ssh://my.remote.docker.ip"  # Create a remote context (connect via ssh to execute Docker commands).
Monitoring
docker ps  # Show running containers.
docker ps -a  # Show all containers.
docker stats  # Stats about running containers.
docker volume ls  # Show volumes.
System
docker system df  # Show used host disk space (images, containers, volumes and build cache).
docker system prune  # Remove stopped containers and unused volumes.
docker system prune -a  # Remove stopped containers, unused volumes and images.
Images
Basics
docker images  # Show images locally available.
docker pull registryImage  # Pull image from an image registry.
docker pull registryImage:imageTag  # Pull a specific tag of an image from an image registry.
docker rmi myImage  # Remove the local image.
Create
docker build -t myUser/myImageName:myVersion -f path/to/Dockerfile path/to  # Create an image from a Dockerfile (the last argument is the build context directory).
docker diff myContainer  # Show differences between an image and a container created from this image.
docker commit myContainer myNewImage  # Save the current state of a container into a new image.
docker save myImage > /path/myImage.tar  # Export an image (archive).
docker load -i /path/myImage.tar  # Import an image (from archive).
Inspect
docker image history myImage  # Show image layers.
docker image history myImage --no-trunc --format json | tac | jq -r '.CreatedBy'  # Show image layer commands.
Containers
Flags
--name myContainer  # Give a name to the container.
-d  # Detached mode (run in background).
-it  # Keep stdin open (to use it like a shell).
--rm  # Remove the container when it is stopped.
-p 1212:1212  # Map ports (host:container).
-v /myHostFolder:/myContainerFolder  # Map a folder between the host and the container.
--read-only  # Makes the container's root file system read-only.
--security-opt=no-new-privileges  # Prevents processes inside the container from gaining new privileges during execution (security measure against privilege escalation).
--cap-drop=ALL  # Start the container without capabilities.
--cap-add=SYS_NICE  # Capability for scheduling (required for GPU scheduling?).
--cpus=2  # Set CPU limit.
--gpus all  # Set GPU limits (syntax allows for more detailed control than CPU).
--memory=4g  # Set RAM limit.
--memory-swap=4g  # Set swap limit.
Create
docker create myImage  # Create a new container.
docker run myImage myCommand  # Run a command in a new container.
Manage
docker rename myContainer myContainerNewName  # Rename container.
docker start myContainer  # Start the container.
docker pause myContainer  # Pause the container.
docker stop myContainer  # Stop the container.
docker rm myContainer  # Remove the container.
Interact
docker exec myContainer myCommand  # Run the command in a running container.
docker exec -it myContainer /bin/bash  # Run Bash in interactive mode in a running container.
docker cp myFile.txt myContainer:/path/to/destination  # Copy a file from the host to the container.
docker cp myContainer:/path/to/source myFile.txt  # Copy a file from the container to the host.
Inspect
docker inspect myContainer | jq '.[].State'  # Get container state.
docker inspect myContainer | jq '.[].Config'  # Get container config (Entrypoint, WorkingDir, Env, ...).
docker inspect myContainer | jq '.[].Mounts'  # Get container mounts.
docker inspect myContainer | jq '.[].NetworkSettings'  # Get container networks (Networks and Ports).
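An added example, not part of the original cheat sheet: a Python script that reads docker inspect JSON and reports which of the hardening and limit flags listed under Flags are absent from each container. The HostConfig field names are the ones Docker emits; the sample input and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/hardened", "HostConfig": {
        "ReadonlyRootfs": True, "SecurityOpt": ["no-new-privileges"],
        "CapDrop": ["ALL"], "CapAdd": ["SYS_NICE"],
        "NanoCpus": 2000000000, "Memory": 4294967296, "MemorySwap": 4294967296}},
    {"Name": "/default", "HostConfig": {
        "ReadonlyRootfs": False, "SecurityOpt": None,
        "CapDrop": None, "CapAdd": None,
        "NanoCpus": 0, "Memory": 0, "MemorySwap": 0}},
])

def _no_new_privs(opts):
    # Recorded as "no-new-privileges", "no-new-privileges:true" or "=true".
    for opt in opts or []:
        key, _, value = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges" and value in ("", "true"):
            return True
    return False

def audit(inspect_json):
    """Return {container name: [cheat-sheet flags that are not in effect]}."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        missing = []
        if not hc.get("ReadonlyRootfs"):
            missing.append("--read-only")
        if not _no_new_privs(hc.get("SecurityOpt")):
            missing.append("--security-opt=no-new-privileges")
        if "ALL" not in [cap.upper() for cap in hc.get("CapDrop") or []]:
            missing.append("--cap-drop=ALL")
        if not hc.get("NanoCpus"):   # 0 means no --cpus limit was set
            missing.append("--cpus")
        if not hc.get("Memory"):     # 0 means no --memory limit was set
            missing.append("--memory")
        report[c.get("Name", "?").lstrip("/")] = missing
    return report

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```

To check live containers, pass the output of docker inspect for the containers of interest to audit() instead of the constructed sample.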
Tips
Exec in Containers Without Shell
CONTAINER_PID=$(docker inspect -f '{{.State.Pid}}' myContainer)  # Get container's PID.
nsenter --target "$CONTAINER_PID" --user --pid --net --ipc /bin/sh  # Run a command entering user, pid, network and ipc namespaces.
Access Container File System
CONTAINER_PID=$(docker inspect -f '{{.State.Pid}}' myContainer)  # Get container's PID.
nsenter --target "$CONTAINER_PID" --mount ls /  # Run ls in the container's file system.
MERGED_LAYER_PATH=$(docker inspect -f '{{.GraphDriver.Data.MergedDir}}' myContainer)  # Get the merged layer path (unified filesystem of the container).
ls "$MERGED_LAYER_PATH"  # Run ls in the container's file system.
