Overview
This card covers the Docker commands you reach for every day: building images, running containers, inspecting state, managing networks and volumes, and cleaning up. For orchestration at scale, see kubernetes-commands. All examples assume Docker Engine 25+.
Build
Build before run; tag before push.
| Command | What it does |
|---|---|
| `docker build -t myapp:latest .` | Build from Dockerfile in current directory; tag as myapp:latest. |
| `docker build -f docker/prod.Dockerfile -t myapp:prod .` | Use a non-default Dockerfile. |
| `docker build --no-cache -t myapp:latest .` | Ignore layer cache; force full rebuild. |
| `docker build --target builder -t myapp:builder .` | Stop at a named multi-stage stage. |
| `docker build --build-arg NODE_ENV=production .` | Pass a build-time variable. |
| `docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest --push .` | Multi-platform build and push in one step. |
| `docker image ls` | List local images with size and tag. |
| `docker image prune -f` | Remove all dangling (untagged) images. |
| `docker image rm myapp:old` | Delete a specific image. |
Use --target in multi-stage builds to produce a dev image with tools and a prod image without them from one Dockerfile.
Run
Set restart policy, resource limits, and environment at run time; those are harder to change after the container starts.
| Command | What it does |
|---|---|
| `docker run -d --name api -p 8080:8080 myapp:latest` | Run detached, name the container, map port. |
| `docker run --rm -it myapp:latest bash` | Disposable interactive shell; container removed on exit. |
| `docker run -e DATABASE_URL=postgres://... myapp:latest` | Pass an environment variable. |
| `docker run --env-file .env myapp:latest` | Pass a file of environment variables. |
| `docker run -v "$(pwd)/data:/app/data" myapp:latest` | Bind-mount a host directory. |
| `docker run -v pgdata:/var/lib/postgresql/data postgres:16` | Mount a named volume. |
| `docker run --network mynet myapp:latest` | Attach to a user-defined network. |
| `docker run --memory 512m --cpus 1.0 myapp:latest` | Cap memory and CPU. |
| `docker run --restart unless-stopped myapp:latest` | Restart unless explicitly stopped. |
Prefer --env-file over -e for secrets; keep .env out of version control.
Inspect running containers
Read state before changing it.
| Command | What it does |
|---|---|
| `docker ps` | Running containers. |
| `docker ps -a` | All containers, including stopped. |
| `docker logs api` | Tail log output. |
| `docker logs -f --tail 100 api` | Follow last 100 lines. |
| `docker exec -it api bash` | Open an interactive shell in a running container. |
| `docker exec api env` | Print environment variables. |
| `docker inspect api` | Full JSON metadata: mounts, network, config. |
| `docker inspect api --format '{{.State.Status}}'` | Extract a single field with Go template. |
| `docker stats` | Live CPU/memory/network/IO for all running containers. |
| `docker top api` | Processes inside the container. |
`docker inspect --format` beats piping to `jq` when the field path is known.
Networks and volumes
Isolate services with user-defined networks; never put unrelated containers on the default `bridge` network.
| Command | What it does |
|---|---|
| `docker network create mynet` | Create a user-defined bridge network. |
| `docker network ls` | List networks. |
| `docker network inspect mynet` | Show connected containers and subnet. |
| `docker network connect mynet api` | Attach a running container to a network. |
| `docker volume create pgdata` | Create a named volume. |
| `docker volume ls` | List volumes. |
| `docker volume inspect pgdata` | Show mountpoint and driver. |
| `docker volume rm pgdata` | Remove a volume (data is gone). |
| `docker system prune -a --volumes` | Remove all stopped containers, unused images, networks, and volumes. |
Named volumes survive `docker system prune` unless you add `--volumes`.
Multi-stage Dockerfile pattern
Keep images small by discarding build tooling in the final stage.
```dockerfile
# Stage 1: build
FROM node:22-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

# Stage 2: runtime
FROM node:22-alpine AS runtime
WORKDIR /app
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
EXPOSE 8080
CMD ["node", "dist/server.js"]
```
Use `--target builder` during CI to run tests in the build stage without publishing a test image.
Common gotchas
- `docker run` without `--rm` leaves stopped containers behind. Run `docker ps -a` periodically; use `docker container prune` to clean them up.
- Bind mounts on macOS are slow for large directories. Use named volumes for database data and rely on the Dockerfile `COPY` for source code.
- `docker exec` on a container running a non-shell PID 1 (like a Go binary) will fail unless the image includes `bash` or `sh`. Use `--entrypoint sh` at runtime instead.
- `COPY . .` copies `.env` unless `.dockerignore` excludes it. Always add `.env` and `node_modules` to `.dockerignore`.
- Port mapping `-p host:container` binds to `0.0.0.0` by default, exposing the port to all interfaces. Use `-p 127.0.0.1:8080:8080` in development.
- `docker system prune -a --volumes` is irreversible. Run `docker system df` first to see what would be removed.
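
A check for the port-mapping gotcha above, as an added example that is not part of the original card: the function reads `docker ps --format '{{.Names}}\t{{.Ports}}'` output and lists every mapping published on all host interfaces. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original card). Function names are hypothetical.
# Input: lines of "<name><TAB><ports>", as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: "<name><TAB><host bind><TAB><container port>" per wildcard mapping.
flag_wildcard_ports() {
  awk -F '\t' '
    {
      n = split($2, maps, /, */)
      for (i = 1; i <= n; i++) {
        m = maps[i]
        # Only published mappings contain "->"; a bare "5432/tcp" is
        # exposed by the image but not reachable from the host.
        if (m !~ /->/) continue
        split(m, sides, "->")
        host = sides[1]
        # Wildcard binds: IPv4 0.0.0.0 and IPv6 "::", which docker ps
        # prints as ":::PORT" or "[::]:PORT" depending on version.
        if (host ~ /^0\.0\.0\.0:/ || host ~ /^:::/ || host ~ /^\[::\]:/)
          printf "%s\t%s\t%s\n", $1, host, sides[2]
      }
    }'
}

# Constructed sample standing in for real docker ps output.
sample_ps_output() {
  printf 'api\t0.0.0.0:8080->8080/tcp, :::8080->8080/tcp\n'
  printf 'db\t5432/tcp\n'
  printf 'web\t127.0.0.1:3000->3000/tcp\n'
  printf 'metrics\t[::]:9100->9100/tcp\n'
}

# Live use: docker ps --format '{{.Names}}\t{{.Ports}}' | flag_wildcard_ports
sample_ps_output | flag_wildcard_ports
```

Containers bound to `127.0.0.1` and containers with no published port produce no output, so an empty result means nothing is listening on every interface.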