BagelHole

docker-management

Build, optimize, and troubleshoot Docker containers and images. Create efficient Dockerfiles, manage container lifecycle, configure networking and volumes, and debug container issues. Use when working with Docker, containerization, or container troubleshooting.

Install

npx skillscat add bagelhole/devops-security-agent-skills/docker-management

Install via the SkillsCat registry.

SKILL.md

Docker Management

Build, run, and manage Docker containers for application deployment and development.

When to Use This Skill

Use this skill when:

  • Creating and optimizing Dockerfiles
  • Building and tagging Docker images
  • Running and managing containers
  • Debugging container issues
  • Configuring Docker networking and volumes
  • Implementing container security best practices

Prerequisites

  • Docker Engine installed (20.10+)
  • Basic command line knowledge
  • Understanding of application deployment

Dockerfile Best Practices

Multi-Stage Build

# Build stage
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# Install everything here: the build step usually needs devDependencies
RUN npm ci
COPY . .
RUN npm run build
# Strip devDependencies so only runtime packages reach the final image
RUN npm prune --omit=dev

# Production stage
FROM node:20-alpine AS production
WORKDIR /app
RUN addgroup -g 1001 -S nodejs && \
    adduser -S -u 1001 -G nodejs nodejs
COPY --from=builder --chown=nodejs:nodejs /app/dist ./dist
COPY --from=builder --chown=nodejs:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nodejs:nodejs /app/package.json ./package.json
USER nodejs
EXPOSE 3000
CMD ["node", "dist/index.js"]

Layer Optimization

FROM python:3.12-slim

# Keep the application out of the image's root directory
WORKDIR /app

# Install dependencies first (cached unless requirements change)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy application code (changes frequently)
COPY . .

CMD ["python", "app.py"]

Security Hardening

FROM node:20-alpine

# Create non-root user
RUN addgroup -g 1001 appgroup && \
    adduser -u 1001 -G appgroup -D appuser

WORKDIR /app

# Copy with proper ownership
COPY --chown=appuser:appgroup . .

# Drop privileges
USER appuser

# Use exec form for proper signal handling
CMD ["node", "server.js"]

Building Images

Basic Build

# Build with tag
docker build -t myapp:1.0 .

# Build with build args
docker build --build-arg NODE_ENV=production -t myapp:prod .

# Build for specific platform
docker build --platform linux/amd64 -t myapp:amd64 .

# Build with no cache
docker build --no-cache -t myapp:fresh .

Multi-Platform Builds

# Create builder
docker buildx create --name multiplatform --use

# Build for multiple architectures
docker buildx build \
  --platform linux/amd64,linux/arm64 \
  -t myregistry/myapp:latest \
  --push .

Running Containers

Basic Operations

# Run container
docker run -d --name myapp -p 8080:3000 myapp:latest

# Run with environment variables
docker run -d \
  -e DATABASE_URL=postgres://localhost/db \
  -e NODE_ENV=production \
  myapp:latest

# Run with resource limits
docker run -d \
  --memory="512m" \
  --cpus="1.0" \
  myapp:latest

# Run with restart policy
docker run -d --restart=unless-stopped myapp:latest

Volume Management

# Named volume
docker volume create mydata
docker run -v mydata:/app/data myapp:latest

# Bind mount (read-only; quote $(pwd) so paths with spaces survive)
docker run -v "$(pwd)/config:/app/config:ro" myapp:latest

# tmpfs mount (memory)
docker run --tmpfs /tmp:rw,noexec,nosuid myapp:latest

Networking

# Create network
docker network create mynetwork

# Run on network
docker run -d --network mynetwork --name api myapp:latest

# Connect existing container
docker network connect mynetwork existing-container

# Expose specific ports
docker run -d -p 127.0.0.1:8080:3000 myapp:latest

Container Lifecycle

Management Commands

# List containers
docker ps -a

# Stop container
docker stop myapp

# Remove container
docker rm myapp

# Force remove running container
docker rm -f myapp

# Prune stopped containers
docker container prune -f

Logs and Monitoring

# View logs
docker logs myapp

# Follow logs
docker logs -f --tail 100 myapp

# View resource usage
docker stats myapp

# Inspect container
docker inspect myapp

Debugging Containers

Interactive Access

# Execute command in running container
docker exec -it myapp /bin/sh

# Run container with shell
docker run -it --rm myapp:latest /bin/sh

# Debug failed container
docker run -it --entrypoint /bin/sh myapp:latest

Troubleshooting

# Check container logs for errors
docker logs myapp 2>&1 | grep -i error

# Inspect container state
docker inspect --format='{{.State.Status}}' myapp

# Check container processes
docker top myapp

# View container filesystem changes
docker diff myapp

# Export container filesystem
docker export myapp > myapp-fs.tar

Health Checks

# In the Dockerfile. The image must contain curl; alpine-based images
# do not ship it, so install it or probe with busybox wget instead.
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

# Check health status
docker inspect --format='{{.State.Health.Status}}' myapp

Image Management

Tagging and Pushing

# Tag image
docker tag myapp:latest myregistry.com/myapp:v1.0

# Push to registry
docker push myregistry.com/myapp:v1.0

# Pull image
docker pull myregistry.com/myapp:v1.0

Cleanup

# Remove unused images
docker image prune -a

# Remove all unused resources
docker system prune -a --volumes

# Remove specific image
docker rmi myapp:old

# List image sizes
docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}"

Image Analysis

# View image history
docker history myapp:latest

# Inspect image layers
docker inspect myapp:latest

# Check image vulnerabilities (with Docker Scout)
docker scout cves myapp:latest

Docker Compose Integration

# docker-compose.yml (the top-level "version" key is obsolete in Compose v2)
services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
    volumes:
      - app-data:/app/data
    depends_on:
      - db
    restart: unless-stopped

  db:
    image: postgres:15-alpine
    environment:
      # Supplied from the shell or a .env file at run time, never committed
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is not set}
    volumes:
      - db-data:/var/lib/postgresql/data

volumes:
  app-data:
  db-data:

Security Best Practices

Image Security

# Use specific version tags
FROM node:20.10-alpine3.18

WORKDIR /app
COPY package*.json ./

# Remove unnecessary packages: install build tools as a named virtual
# package and delete them in the same layer. This has to run before USER,
# because apk needs root.
RUN apk add --no-cache --virtual build-dependencies python3 make g++ && \
    npm ci --omit=dev && \
    apk del --purge build-dependencies

# Use COPY instead of ADD
COPY --chown=nobody:nobody . .

# Don't run as root
USER nobody

Runtime Security

# Run with security options: drop every capability and add back only what
# the process needs (NET_BIND_SERVICE only matters for ports below 1024),
# block privilege escalation, and mount the root filesystem read-only with
# a tmpfs for any scratch path the application writes to
docker run -d \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --read-only \
  --tmpfs /tmp \
  myapp:latest

# Use user namespace remapping (takes effect after a daemon restart)
# Add to /etc/docker/daemon.json: {"userns-remap": "default"}
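The flags above only help if they are actually in effect, and `docker inspect` (used under Troubleshooting) is where to confirm that. The following added example, not part of the original skill, audits one constructed `docker inspect` record against the Runtime Security flags and also explains a stopped container's exit state; the field names are the real ones `docker inspect` emits, the values are made up.

```python
import json

# Constructed sample shaped like one element of `docker inspect <name>` output,
# trimmed to the fields read below: a container run without the flags above, then OOM-killed.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/myapp",
    "State": {"Status": "exited", "ExitCode": 137, "OOMKilled": True},
    "Config": {"User": ""},
    "HostConfig": {
        "Memory": 0,
        "CapDrop": [],
        "CapAdd": ["SYS_ADMIN"],
        "ReadonlyRootfs": False,
        "SecurityOpt": None,
    },
}])


def audit_inspect(inspect_json):
    """Return (state_notes, hardening_findings) for one `docker inspect` record."""
    c = json.loads(inspect_json)[0]
    state, cfg, host = c["State"], c["Config"], c["HostConfig"]
    notes, findings = [], []
    # Lifecycle: why is it not running? (the "exits immediately" and OOM cases)
    if state["Status"] != "running":
        notes.append(f"status={state['Status']} exit_code={state['ExitCode']}")
        if state.get("OOMKilled"):
            notes.append("OOMKilled: raise --memory or fix the leak")
        elif state["ExitCode"] == 0:
            notes.append("clean exit: CMD/ENTRYPOINT is probably not a foreground process")
    # Hardening: compare the live config with the `docker run` flags above.
    if not cfg.get("User") or cfg["User"].split(":")[0] in ("root", "0"):
        findings.append("runs as root: set USER in the image or pass --user")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped: add --cap-drop=ALL")
    for cap in host.get("CapAdd") or []:
        if cap != "NET_BIND_SERVICE":               # the only one added back above
            findings.append(f"unexpected capability {cap}: justify or remove --cap-add")
    if not any("no-new-privileges" in o for o in host.get("SecurityOpt") or []):
        findings.append("missing --security-opt=no-new-privileges")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable rootfs: add --read-only (with --tmpfs for scratch paths)")
    if not host.get("Memory"):
        findings.append("no memory limit: add --memory")
    return notes, findings


if __name__ == "__main__":
    notes, findings = audit_inspect(SAMPLE_INSPECT)
    print("\n".join(notes + findings))
```

Against a live container, feed it the output of `docker inspect myapp` instead of the constructed sample.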

Common Issues

Issue: Container Exits Immediately

Problem: Container starts and stops instantly
Solution: Check that CMD/ENTRYPOINT runs a foreground process; use docker logs to see errors

Issue: Cannot Connect to Container

Problem: Port not accessible
Solution: Verify the port mapping (-p), check that the container is running, and verify firewall rules

Issue: Out of Disk Space

Problem: Docker is using too much disk
Solution: Run docker system prune -a --volumes (note that --volumes also deletes unused volumes) and check for large unused images

Issue: Build Cache Not Working

Problem: Every build downloads dependencies
Solution: Order Dockerfile instructions from least to most frequently changing

Best Practices

  • Use multi-stage builds to minimize image size
  • Never store secrets in images - use runtime injection
  • Pin base image versions for reproducibility
  • Implement health checks for production containers
  • Use .dockerignore to exclude unnecessary files
  • Run containers as non-root users
  • Scan images for vulnerabilities regularly
  • Use Docker BuildKit for faster builds
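Several of these practices, and the Image Security snippet above, are checkable before an image is ever built. The following added example, not part of the original skill, is a small Dockerfile lint for the practices this page names (pinned base tag or digest, COPY over ADD, no secrets in ENV/ARG, a non-root USER and a HEALTHCHECK in the final stage); the sample Dockerfile is constructed to trip every check.

```python
import re

# Constructed sample Dockerfile (not from the page): unpinned base tag, ADD,
# a secret in ENV, no USER and no HEALTHCHECK, so every check below fires.
SAMPLE_DOCKERFILE = """\
FROM node:latest
WORKDIR /app
ADD . .
ENV API_TOKEN=abc123
CMD ["node", "server.js"]
"""


def parse_instructions(text):
    """Join backslash continuations, drop comments, yield (INSTRUCTION, args)."""
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            instr, _, args = line.partition(" ")
            yield instr.upper(), args.strip()


def lint_dockerfile(text):
    """Return a list of findings; an empty list means every check passed."""
    findings, stages = [], []
    for instr, args in parse_instructions(text):
        if instr == "FROM":
            stages.append([])                       # a new build stage starts
            image = args.split()[0]                 # drop any "AS <name>"
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            if "@sha256:" not in image and tag in ("", "latest"):
                findings.append(f"FROM {image}: pin a version tag or digest")
        if stages:
            stages[-1].append((instr, args))
    # USER and HEALTHCHECK only matter in the final stage, the one that ships.
    user, healthy = None, False
    for instr, args in (stages[-1] if stages else []):
        if instr == "ADD":
            findings.append(f"ADD {args}: use COPY unless remote or tar semantics are needed")
        elif instr in ("ENV", "ARG") and re.match(r"\w*(PASS|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", args, re.I):
            findings.append(f"{instr} {args.split()[0].split('=')[0]}: secret baked into the image; inject at runtime")
        elif instr == "USER":
            user = args
        elif instr == "HEALTHCHECK":
            healthy = args.upper() != "NONE"
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add a non-root USER")
    if not healthy:
        findings.append("no HEALTHCHECK in the final stage")
    return findings


print(*lint_dockerfile(SAMPLE_DOCKERFILE), sep="\n")
```

Pass the contents of a real Dockerfile to `lint_dockerfile` to check it; multi-stage files are judged on their last stage, so a root builder stage is not reported.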

Related Skills