Docker Management
Build, run, and manage Docker containers for application deployment and development.
When to Use This Skill
Use this skill when:
- Creating and optimizing Dockerfiles
- Building and tagging Docker images
- Running and managing containers
- Debugging container issues
- Configuring Docker networking and volumes
- Implementing container security best practices
Prerequisites
- Docker Engine installed (20.10+)
- Basic command line knowledge
- Understanding of application deployment
Dockerfile Best Practices
Multi-Stage Build
# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build
# Production stage
FROM node:20-alpine AS production
WORKDIR /app
RUN addgroup -g 1001 -S nodejs && \
adduser -S nodejs -u 1001
# Copy only the build output and dependencies from the builder stage
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER nodejs
EXPOSE 3000
CMD ["node", "dist/index.js"]
Layer Optimization
FROM python:3.12-slim
# Install dependencies first (cached unless requirements change)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# Copy application code (changes frequently)
COPY . .
CMD ["python", "app.py"]
Security Hardening
FROM node:20-alpine
# Create non-root user
RUN addgroup -g 1001 appgroup && \
adduser -u 1001 -G appgroup -D appuser
WORKDIR /app
# Copy with proper ownership
COPY --chown=appuser:appgroup . .
# Drop privileges
USER appuser
# Use exec form for proper signal handling
CMD ["node", "server.js"]
Building Images
Basic Build
# Build with tag
docker build -t myapp:1.0 .
# Build with build args
docker build --build-arg NODE_ENV=production -t myapp:prod .
# Build for specific platform
docker build --platform linux/amd64 -t myapp:amd64 .
# Build with no cache
docker build --no-cache -t myapp:fresh .
Multi-Platform Builds
# Create builder
docker buildx create --name multiplatform --use
# Build for multiple architectures
docker buildx build \
--platform linux/amd64,linux/arm64 \
-t myregistry/myapp:latest \
--push .
Running Containers
Basic Operations
# Run container
docker run -d --name myapp -p 8080:3000 myapp:latest
# Run with environment variables
docker run -d \
-e DATABASE_URL=postgres://localhost/db \
-e NODE_ENV=production \
myapp:latest
# Run with resource limits
docker run -d \
--memory="512m" \
--cpus="1.0" \
myapp:latest
# Run with restart policy
docker run -d --restart=unless-stopped myapp:latest
Volume Management
# Named volume
docker volume create mydata
docker run -v mydata:/app/data myapp:latest
# Bind mount
docker run -v $(pwd)/config:/app/config:ro myapp:latest
# tmpfs mount (memory)
docker run --tmpfs /tmp:rw,noexec,nosuid myapp:latest
Networking
# Create network
docker network create mynetwork
# Run on network
docker run -d --network mynetwork --name api myapp:latest
# Connect existing container
docker network connect mynetwork existing-container
# Expose specific ports
docker run -d -p 127.0.0.1:8080:3000 myapp:latest
Container Lifecycle
Management Commands
# List containers
docker ps -a
# Stop container
docker stop myapp
# Remove container
docker rm myapp
# Force remove running container
docker rm -f myapp
# Prune stopped containers
docker container prune -f
Logs and Monitoring
# View logs
docker logs myapp
# Follow logs
docker logs -f --tail 100 myapp
# View resource usage
docker stats myapp
# Inspect container
docker inspect myapp
Debugging Containers
Interactive Access
# Execute command in running container
docker exec -it myapp /bin/sh
# Run container with shell
docker run -it --rm myapp:latest /bin/sh
# Debug failed container
docker run -it --entrypoint /bin/sh myapp:latest
Troubleshooting
# Check container logs for errors
docker logs myapp 2>&1 | grep -i error
# Inspect container state
docker inspect --format='{{.State.Status}}' myapp
# Check container processes
docker top myapp
# View container filesystem changes
docker diff myapp
# Export container filesystem
docker export myapp > myapp-fs.tar
Health Checks
HEALTHCHECK \
CMD curl -f http://localhost:3000/health || exit 1
# Check health status
docker inspect --format='{{.State.Health.Status}}' myapp
Image Management
Tagging and Pushing
# Tag image
docker tag myapp:latest myregistry.com/myapp:v1.0
# Push to registry
docker push myregistry.com/myapp:v1.0
# Pull image
docker pull myregistry.com/myapp:v1.0
Cleanup
# Remove unused images
docker image prune -a
# Remove all unused resources
docker system prune -a --volumes
# Remove specific image
docker rmi myapp:old
# List image sizes
docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}"
Image Analysis
# View image history
docker history myapp:latest
# Inspect image layers
docker inspect myapp:latest
# Check image vulnerabilities (with Docker Scout)
docker scout cves myapp:latest
Docker Compose Integration
# docker-compose.yml
version: '3.8'
services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
    volumes:
      - app-data:/app/data
    depends_on:
      - db
    restart: unless-stopped
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_PASSWORD: secret
    volumes:
      - db-data:/var/lib/postgresql/data
volumes:
  app-data:
  db-data:
Security Best Practices
Image Security
# Use specific version tags
FROM node:20.10-alpine3.18
# Don't run as root
USER nobody
# Remove unnecessary packages
RUN apk del --purge build-dependencies
# Use COPY instead of ADD
COPY . .
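The image rules above can be checked mechanically before a build. The following linter is an added example, not part of the original skill; `lint_dockerfile` and both sample Dockerfiles are constructed for illustration, and it assumes a base image without a `USER` instruction runs as root.

```python
import re

def lint_dockerfile(text):
    """Return findings for the image-security rules listed on this page."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)    # fold line continuations
    findings, stage_user, stage, user = [], {}, None, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        op, arg = parts[0].upper(), (parts[1].strip() if len(parts) > 1 else "")
        if op == "FROM" and arg:
            stage_user[stage] = user             # remember the stage just left
            tokens = [t for t in arg.split() if not t.startswith("--")]
            image = tokens[0]
            stage = tokens[2] if len(tokens) == 3 and tokens[1].upper() == "AS" else None
            user = stage_user.get(image)         # FROM <earlier stage> inherits its USER
            name = image.rsplit("/", 1)[-1]
            if image in stage_user or image == "scratch" or "@sha256:" in image:
                continue
            if ":" not in name or name.endswith(":latest"):
                findings.append(f"unpinned base image: {image}")
        elif op == "USER":
            user = arg
        elif op == "ADD":
            findings.append("ADD used; prefer COPY")
        elif op in ("CMD", "ENTRYPOINT") and not arg.startswith("["):
            findings.append(f"{op} in shell form; use exec form")
    # Assumption: a base image with no USER instruction runs as root.
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root")
    return findings

# Constructed sample inputs.
WEAK = "FROM node:latest\nADD . /app\nCMD node server.js\n"
HARDENED = r"""# constructed multi-stage Dockerfile
FROM node:20.10-alpine3.18 AS builder
WORKDIR /app
COPY . .
RUN npm ci && \
    npm run build
FROM node:20.10-alpine3.18
COPY --from=builder /app/dist ./dist
USER nobody
CMD ["node", "dist/index.js"]
"""

if __name__ == "__main__":
    print(lint_dockerfile(WEAK), lint_dockerfile(HARDENED))
```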
Runtime Security
# Run with security options
docker run -d \
--security-opt=no-new-privileges \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--read-only \
myapp:latest
# Use user namespace remapping
# Add to /etc/docker/daemon.json: {"userns-remap": "default"}
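To confirm that running containers actually carry these flags, the output of `docker inspect` can be audited. This is an added example, not part of the original skill: the inspect JSON below is a constructed, trimmed sample, and `audit_container` is a hypothetical helper covering the runtime options shown on this page (security options, capabilities, read-only root, user, memory limit, loopback-only port publishing).

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE = json.loads("""[
 {"Name": "/hardened", "Config": {"User": "appuser"},
  "HostConfig": {"SecurityOpt": ["no-new-privileges"], "CapDrop": ["ALL"],
    "ReadonlyRootfs": true, "Privileged": false, "Memory": 536870912,
    "PortBindings": {"3000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
 {"Name": "/default", "Config": {"User": ""},
  "HostConfig": {"SecurityOpt": null, "CapDrop": null,
    "ReadonlyRootfs": false, "Privileged": false, "Memory": 0,
    "PortBindings": {"3000/tcp": [{"HostIp": "", "HostPort": "8080"}]}}}
]""")

def no_new_privs(opts):
    """True if SecurityOpt enables no-new-privileges (and is not ':false')."""
    for opt in opts:
        key, _, val = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges" and val.lower() != "false":
            return True
    return False

def audit_container(c):
    """Return the hardening settings from this page that the container lacks."""
    host, findings = c.get("HostConfig") or {}, []
    if host.get("Privileged"):
        findings.append("privileged mode")
    if not no_new_privs(host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    if "ALL" not in [cap.upper() for cap in host.get("CapDrop") or []]:
        findings.append("capabilities not dropped (--cap-drop=ALL)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem writable (--read-only)")
    user = ((c.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    if not host.get("Memory"):
        findings.append("no memory limit (--memory)")
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                findings.append(f"{port} published on all interfaces")
    return findings

def audit(inspect_json):
    """Map container name to its list of findings."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in inspect_json}
```

On a live host, feed it `json.loads` of the output of `docker inspect $(docker ps -q)` instead of `SAMPLE`.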
Common Issues
Issue: Container Exits Immediately
Problem: Container starts and stops instantly
Solution: Check that CMD/ENTRYPOINT runs a foreground process; use docker logs to see errors
Issue: Cannot Connect to Container
Problem: Port not accessible
Solution: Verify port mapping (-p), check container is running, verify firewall rules
Issue: Out of Disk Space
Problem: Docker using too much disk
Solution: Run docker system prune -a --volumes, check for large unused images
Issue: Build Cache Not Working
Problem: Every build downloads dependencies
Solution: Order Dockerfile instructions from least to most frequently changing
Best Practices
- Use multi-stage builds to minimize image size
- Never store secrets in images - use runtime injection
- Pin base image versions for reproducibility
- Implement health checks for production containers
- Use .dockerignore to exclude unnecessary files
- Run containers as non-root users
- Scan images for vulnerabilities regularly
- Use Docker BuildKit for faster builds
Related Skills
- docker-compose - Multi-container applications
- container-scanning - Security scanning
- container-hardening - Security hardening