Docker
- first version in 2013
- last version 28.5 as of October 2025
- extends Linux containers
- purpose: isolating services on a shared host
Note
Containerization differs from virtualization: containers share the host's kernel and hardware directly (isolated through namespaces and cgroups) instead of running a guest OS on emulated hardware.
cf
- https://fr.wikipedia.org/wiki/LXC
- https://fr.wikipedia.org/wiki/Cgroups
- https://en.wikipedia.org/wiki/Linux_namespaces
- https://medium.com/@BeNitinAgarwal/understanding-the-docker-internals-7ccb052ce9fe#.atopwz2fj
- images : immutable template to build a container, based on a layered filesystem
- containers : executable instances of an image
- networks : handle communication between containers and / or with outside
- volumes : keep data persistent after the container is deleted
Registries can store versioned images
- dockerd is the daemon (persistent process) that manages containers: it listens for Docker API requests and manages Docker objects
- containerd is a lightweight daemon extracted from Docker that manages the container lifecycle
- runc is a CLI tool implementing the OCI container runtime specification; containerd uses it to interact with the Linux kernel (namespaces, cgroups)
- docker is the client
- Open Container Initiative started in 2015 and defined shared specifications
- runtime-spec
- image-spec
- distribution-spec
cf
- install dependencies
  - ca-certificates
  - curl: command line tool for various protocols (HTTP, FTP...) (alternative to wget for downloading)
  - gnupg (GNU Privacy Guard): to verify software signatures, encrypt or decrypt data (alternative to PGP)
  - lsb-release: to display Linux Standard Base versioning info. Otherwise we can read the /etc/*release files manually
- create the directory for apt keys and set its permissions

```bash
sudo install -m 0755 -d /etc/apt/keyrings/
```

- store the repository GPG key

```bash
sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
```

- add the Docker repository to the list of trusted ones

```bash
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
```

- download the Docker packages

```bash
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
```
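The whole procedure above wrapped in shell functions, added here as an example; it is not part of the original notes nor of Docker's documentation. It keeps the paths, URL and package list used above. The function names, the `--install` flag and the armored-key check are this example's own additions, and the key fingerprint is a placeholder to fill in from Docker's documentation. The two sample files at the end are constructed (not real keys) so the check can be tried offline.

```bash
#!/bin/sh
# Added example, not from the original notes: the repository setup as
# functions, with a check that the downloaded file really is an
# ASCII-armored OpenPGP public key before it is installed into the keyring.
# Function names are this example's own; paths and URLs are those used above.

KEYRING_DIR=/etc/apt/keyrings
KEY_FILE="$KEYRING_DIR/docker.asc"
KEY_URL=https://download.docker.com/linux/debian/gpg
REPO_URL=https://download.docker.com/linux/debian
LIST_FILE=/etc/apt/sources.list.d/docker.list

# Build the sources.list line. Architecture and codename are parameters rather
# than read from dpkg/os-release inline, so the function can be checked offline.
docker_apt_source() {
    arch="$1"; codename="$2"; key="$3"
    printf 'deb [arch=%s signed-by=%s] %s %s stable\n' \
        "$arch" "$key" "$REPO_URL" "$codename"
}

# curl -f fails on HTTP error codes, but a captive portal or an intercepting
# proxy that answers 200 with an HTML page would still leave a bogus file in
# the keyring directory. Accept only an armored public key block.
key_is_armored_pubkey() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' &&
        grep -q '^-----END PGP PUBLIC KEY BLOCK-----$' "$1"
}

# Stronger check: compare the key fingerprint with the one published in the
# Docker documentation. The value below is a placeholder to fill in from there.
EXPECTED_FPR="${DOCKER_KEY_FPR:-FINGERPRINT_FROM_DOCKER_DOCS}"
key_fingerprint_matches() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }' |
        grep -qx "$EXPECTED_FPR"
}

# The full procedure from the notes, wired through the checks above.
install_docker_repo() {
    sudo apt-get update
    sudo apt-get install -y ca-certificates curl gnupg lsb-release
    sudo install -m 0755 -d "$KEYRING_DIR"

    tmp=$(mktemp)
    curl -fsSL "$KEY_URL" -o "$tmp"
    if ! key_is_armored_pubkey "$tmp"; then
        echo "refusing to install $KEY_URL: not an OpenPGP public key" >&2
        rm -f "$tmp"; return 1
    fi
    # install(1) copies and sets the mode in one step (replaces chmod a+r).
    sudo install -m 0644 "$tmp" "$KEY_FILE"
    rm -f "$tmp"

    arch=$(dpkg --print-architecture)
    codename=$(. /etc/os-release && echo "$VERSION_CODENAME")
    docker_apt_source "$arch" "$codename" "$KEY_FILE" | sudo tee "$LIST_FILE" >/dev/null
    sudo apt-get update
    sudo apt-get install -y docker-ce docker-ce-cli containerd.io \
        docker-buildx-plugin docker-compose-plugin
}

# Constructed samples (not real keys) so the check can be tried offline.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' \
    'bm90IGEgcmVhbCBrZXksIGp1c3QgYSBjb25zdHJ1Y3RlZCBzYW1wbGU=' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$SAMPLE_DIR/key.asc"
printf '%s\n' '<html><body>Sign in to the network to continue</body></html>' \
    > "$SAMPLE_DIR/portal.asc"

# Only touch the system when explicitly asked.
if [ "${1:-}" = "--install" ]; then
    install_docker_repo
fi
```

Run it as `sh setup-docker-repo.sh --install` on a Debian host; without the flag it only defines the functions and writes the two sample files, so `key_is_armored_pubkey "$SAMPLE_DIR/portal.asc"` can be tried to see the rejection path.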
- create
- run a container with a volume

```bash
docker run -d --name container -v <machine directory>:<docker volume> <image>
```

| Command | Usage | Example | Caveats |
|---|---|---|---|
| FROM | Sets the base image for the build. | FROM alpine:3.18 | Always use a specific version tag (e.g., 3.18) to avoid unexpected behavior |
| RUN | Executes commands during the build process. | RUN apt-get update && apt-get install -y curl | Each RUN creates a new layer. Combine commands with && to reduce layers. |
| ADD | Copies files/directories from the host to the container. Can also extract tar files! | ADD app.tar.gz /app/ | Avoid using ADD for simple file copies (use COPY instead). |
| COPY | Copies files/directories from the host to the container. | COPY index.html /var/www/html/ | Does not extract archives. Prefer COPY over ADD for clarity. |
| ENV | Sets environment variables. | ENV NODE_ENV=production | Values are available at runtime and can be overridden with docker run -e. |
| USER | Sets the user (or UID) for subsequent commands. | USER node | Ensure the user exists in the image. Avoid running as root for security. |
| WORKDIR | Sets the working directory for subsequent commands. | WORKDIR /app | If the directory doesn't exist, it will be created. |
| EXPOSE | Informs Docker that the container listens on specific network ports. | EXPOSE 80 | Documentation only; the port is not published. Use -p in docker run to publish. |
| VOLUME | Creates a mount point for external volumes or host directories. | VOLUME /data | |
| CMD | Provides default arguments for docker run. Can be overridden. | CMD ["nginx", "-g", "daemon off;"] | Only one CMD is allowed. If multiple are specified, only the last one takes effect. |
| ENTRYPOINT | Configures the container to run as an executable. Arguments are appended. | ENTRYPOINT ["python", "app.py"] | Arguments in docker run are appended to ENTRYPOINT. |
| ARG | Defines build-time variables. | ARG APP_VERSION=1.0 | Build-time only. Use ENV for runtime variables. |
| LABEL | Adds metadata to the image. | LABEL maintainer="yo@example.com" | Labels are not visible in docker ps. Use docker inspect to view. |
| HEALTHCHECK | Configures a health check for the container. | HEALTHCHECK --interval=5m --timeout=3s CMD curl -f http://localhost \|\| exit 1 | |
| SHELL | Overrides the default shell for RUN, CMD, and ENTRYPOINT. | SHELL ["/bin/bash", "-c"] | Rarely needed. Use only if you need a specific shell behavior. |
| ONBUILD | Adds a trigger instruction to be executed when the image is used as a base for another build. | ONBUILD RUN echo "Building from this image!" | Use sparingly. |
| STOPSIGNAL | Sets the system call signal to stop the container. | STOPSIGNAL SIGKILL | Default is SIGTERM. Use only if your application requires a specific signal. |
Important
containers should be immutable (or idempotent) and ephemeral
Tip
Docker creates a layer with each RUN instruction -> strive to minimize the number of RUN instructions (chain commands with &&)
Tip
everything runs as root inside Docker builds -> it is good practice to create a less privileged user and switch to it with USER so the container does not run as root
Tip
Improving build performance
- use a .dockerignore
- avoid unnecessary packages (remove debugging tools such as bash, vim, ... once in prod)
Tip
Improving readability
Sort multiline arguments alphabetically
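The table and tips above turned into checks, as an added example that is not from the original notes: a small POSIX sh linter that reports an unpinned or `:latest` FROM, a missing or root USER, ADD where COPY would do, more RUN instructions than a chosen threshold, and a missing .dockerignore in the build context. The function names, the `MAX_RUN` threshold and the two sample Dockerfiles are constructed for this example.

```bash
#!/bin/sh
# Added example, not from the original notes: a small POSIX-sh Dockerfile
# linter for the practices listed above (pinned FROM tag, non-root USER,
# COPY rather than ADD, few RUN layers, a .dockerignore in the context).
# Function names and the threshold are hypothetical choices of this example.

MAX_RUN=2   # more RUN instructions than this is reported as excess layers

# Print one finding per line for the Dockerfile given as $1.
lint_dockerfile() {
    file="$1"
    dir=$(dirname "$file")

    # FROM: skip --platform style flags, accept tags and @sha256 digests,
    # report a missing tag and ':latest' (a moving target, not a version).
    awk 'toupper($1) == "FROM" {
            b = ""
            for (i = 2; i <= NF; i++) if ($i !~ /^--/) { b = $i; break }
            if (b == "scratch" || b ~ /@sha256:/) next
            if (b ~ /:latest$/) print "FROM " b ": :latest is not a fixed version"
            else if (b !~ /:/)  print "FROM " b ": no tag, pin a specific version"
         }' "$file"

    # USER: the last USER instruction decides who runs CMD/ENTRYPOINT.
    # Heuristic only: a base image may itself set USER, which is not visible here.
    awk 'toupper($1) == "USER" { seen = 1; last = $2 }
         END {
            if (!seen) print "no USER instruction: container runs as root"
            else if (last == "root" || last == "0") print "USER " last ": still root"
         }' "$file"

    # ADD: only needed for archive extraction; COPY says what it does.
    awk 'toupper($1) == "ADD" {
            print "line " NR ": ADD used, prefer COPY unless extracting an archive"
         }' "$file"

    # RUN: each instruction is a layer; chained commands keep the count down.
    awk -v max="$MAX_RUN" 'toupper($1) == "RUN" { n++ }
         END { if (n > max) print n " RUN instructions (> " max "): chain commands with && to reduce layers" }' "$file"

    # .dockerignore: without it the whole build context is sent to the daemon.
    [ -f "$dir/.dockerignore" ] || echo "no .dockerignore next to $file: build context is sent unfiltered"
}

# Number of findings; 0 means the Dockerfile passes every check.
lint_count() {
    lint_dockerfile "$1" | grep -c . || true
}

# Constructed sample Dockerfiles (not real projects) to exercise the checks.
WORK=$(mktemp -d)
mkdir -p "$WORK/bad" "$WORK/good"
BAD="$WORK/bad/Dockerfile"
GOOD="$WORK/good/Dockerfile"

cat > "$BAD" <<'EOF'
FROM debian
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get install -y vim
ADD app.tar.gz /app/
CMD ["/app/run.sh"]
EOF

cat > "$GOOD" <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
COPY app/ /app/
RUN useradd -r -s /usr/sbin/nologin app
USER app
CMD ["/app/run.sh"]
EOF
: > "$WORK/good/.dockerignore"

echo "== $BAD";  lint_dockerfile "$BAD"     # five findings
echo "== $GOOD"; lint_dockerfile "$GOOD"    # prints nothing: no findings
```

Point `lint_dockerfile` at a real Dockerfile (the .dockerignore check looks in the same directory) and gate a build on `lint_count` returning 0; the USER check is a heuristic, since a base image can set USER itself.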
- https://docs.docker.com/reference/dockerfile/
- https://docs.docker.com/build/building/variables/
- https://medium.com/@BeNitinAgarwal/best-practices-for-working-with-dockerfiles-fb2d22b78186
| Category | Command | Description |
|---|---|---|
| Container Management | docker run [options] | Create and start a container from an image. |
| | docker start | Start a stopped container. |
| | docker stop | Stop a running container. |
| | docker restart | Restart a container. |
| | docker pause | Pause a running container. |
| | docker unpause | Unpause a paused container. |
| | docker rm | Remove a stopped container. |
| | docker exec -it | Run a command inside a running container. ℹ useful for debugging |
| | docker logs | View logs of a container. |
| Image Management | docker build -t | Build an image from a Dockerfile. |
| | docker pull | Download an image from a registry. |
| | docker push | Upload an image to a registry. |
| | docker images | List all locally stored images. |
| | docker rmi | Remove an image. |
| Networking | docker network ls | List all networks. |
| | docker network create | Create a new network. |
| | docker network inspect | Inspect a network. |
| | docker network connect | Connect a container to a network. |
| Volumes | docker volume ls | List all volumes. |
| | docker volume create | Create a new volume. |
| | docker volume inspect | Inspect a volume. |
| | docker volume rm | Remove a volume. |
| System Info | docker ps | List running containers. |
| | docker ps -a | List all containers (including stopped). |
| | docker info | Display system-wide information. |
| | docker stats | Show live resource usage of containers. |
| Cleanup | docker system prune | Remove unused containers, networks, images, and volumes. |
| | docker system prune -a | Remove all unused images (not just dangling ones). |
| Registry | docker login | Log in to a Docker registry. |
| | docker logout | Log out from a Docker registry. |
Tip
Clean dangling (untagged) cached images with `docker rmi $(docker images -q --filter "dangling=true")`
- tool to define and run multi-container Docker applications, e.g. through `docker compose build`
- definition through a `docker-compose.yml` file
- first version in 2012, v1 in 2014
(didn't read all)
- https://fr.wikipedia.org/wiki/Docker_(logiciel)
- https://en.wikipedia.org/wiki/Docker_(software)
- https://merrigrove.blogspot.com/2015/10/visualizing-docker-containers-and-images.html
- https://www.digitalocean.com/community/tutorial-series/the-docker-ecosystem
- https://blog.stephane-robert.info/docs/conteneurisation/