# Docker Cheat Sheet

* [Helpful Tools](#helpful-tools)
* [Installation](#installation)
* [Containers](#containers)
* [Images](#images)
* [Registry and Repository](#registry--repository)
* [Dockerfile](#dockerfile)
* [Layers](#layers)
* [Links](#links)
* [Volumes](#volumes)
* [Exposing Ports](#exposing-ports)
* [Best Practices](#best-practices)
* [Security](#security)
* [Tips](#tips)

## Helpful Tools

I use the [PyCharm Docker plugin](https://plugins.jetbrains.com/plugin/7724) for scripting Docker builds. It's my thing. Use whatever IDE you like.

### Linux

The 3.10.x kernel is [the minimum requirement](https://docs.docker.com/installation/binaries/#check-kernel-dependencies) for Docker.

### MacOS

10.8 “Mountain Lion” or newer is required.

## Installation

### Linux

Quick and easy install script provided by Docker:

```
curl -sSL https://get.docker.com/ | sh
```

If you're not willing to run a random shell script, please see the [installation](https://docs.docker.com/installation/) instructions for your distribution.

If you are a complete Docker newbie, you should follow the [series of tutorials](https://docs.docker.com/linux/started/) now.

### Mac OS X

Download and install [Docker Toolbox](https://www.docker.com/toolbox). If that doesn't work, see the [installation instructions](https://docs.docker.com/installation/mac/).


Once you've installed Docker Toolbox, install a VM with Docker Machine using the VirtualBox provider:

```
docker-machine create --driver=virtualbox default
docker-machine ls
eval "$(docker-machine env default)"
```

Then start up a container:

```
docker run hello-world
```

That's it, you have a running Docker container.

If you are a complete Docker newbie, you should probably follow the [series of tutorials](https://docs.docker.com/mac/started/) now.

## Containers

[Your basic isolated Docker process](http://etherealmind.com/basics-docker-containers-hypervisors-coreos/). Containers are to Virtual Machines as threads are to processes. Or you can think of them as chroots on steroids.

### Lifecycle

* [`docker create`](https://docs.docker.com/reference/commandline/create) creates a container but does not start it.
* [`docker run`](https://docs.docker.com/reference/commandline/run) creates and starts a container in one operation.
* [`docker stop`](https://docs.docker.com/reference/commandline/stop) stops it.
* [`docker start`](https://docs.docker.com/reference/commandline/start) will start it again.
* [`docker restart`](https://docs.docker.com/reference/commandline/restart) restarts a container.
* [`docker rm`](https://docs.docker.com/reference/commandline/rm) deletes a container.
* [`docker kill`](https://docs.docker.com/reference/commandline/kill) sends a SIGKILL to a container.
* [`docker attach`](https://docs.docker.com/reference/commandline/attach) will connect to a running container.
* [`docker wait`](https://docs.docker.com/reference/commandline/wait) blocks until the container stops.

If you want to run and then interact with a container, `docker start` it, then spawn a shell as described in [Executing Commands](https://github.com/wsargent/docker-cheat-sheet/#executing-commands).


If you want a transient container, `docker run --rm` will remove the container after it stops.

If you also want to remove the volumes associated with the container, delete it with the `-v` switch, as in `docker rm -v`.

If you want to poke around in an image, `docker run -t -i IMAGE /bin/bash` to open a tty.

If you want to poke around in a running container, `docker exec -t -i CONTAINER /bin/bash` to open a tty.

If you want to map a directory on the host to a docker container, `docker run -v $HOSTDIR:$DOCKERDIR`. Also see [Volumes](https://github.com/wsargent/docker-cheat-sheet/#volumes).

If you want to integrate a container with a [host process manager](https://docs.docker.com/articles/host_integration/), start the daemon with `-r=false` then use `docker start -a`.

If you want to expose container ports through the host, see the [exposing ports](#exposing-ports) section.

Restart policies on crashed docker instances are [covered here](http://container42.com/2014/09/30/docker-restart-policies/).

### Info

* [`docker ps`](https://docs.docker.com/reference/commandline/ps) shows running containers.
* [`docker logs`](https://docs.docker.com/reference/commandline/logs) gets logs from a container.
* [`docker inspect`](https://docs.docker.com/reference/commandline/inspect) looks at all the info on a container (including IP address).
* [`docker events`](https://docs.docker.com/reference/commandline/events) gets events from a container.
* [`docker port`](https://docs.docker.com/reference/commandline/port) shows the public-facing port of a container.
* [`docker top`](https://docs.docker.com/reference/commandline/top) shows running processes in a container.
* [`docker stats`](https://docs.docker.com/reference/commandline/stats) shows containers' resource usage statistics.
* [`docker diff`](https://docs.docker.com/reference/commandline/diff) shows changed files in the container's FS.

`docker ps -a` shows running and stopped containers.

### Import / Export

* [`docker cp`](https://docs.docker.com/reference/commandline/cp) copies files or folders between a container and the local filesystem.
* [`docker export`](https://docs.docker.com/reference/commandline/export) turns a container filesystem into a tarball archive stream to STDOUT.

### Executing Commands

* [`docker exec`](https://docs.docker.com/reference/commandline/exec) executes a command in a container.

To enter a running container, attaching a new shell process to a running container called foo, use: `docker exec -it foo /bin/bash`.

## Images

Images are just [templates for docker containers](https://docs.docker.com/introduction/understanding-docker/#how-does-a-docker-image-work).

### Lifecycle

* [`docker images`](https://docs.docker.com/reference/commandline/images) shows all images.
* [`docker import`](https://docs.docker.com/reference/commandline/import) creates an image from a tarball.
* [`docker build`](https://docs.docker.com/reference/commandline/build) creates an image from a Dockerfile.
* [`docker commit`](https://docs.docker.com/reference/commandline/commit) creates an image from a container.
* [`docker rmi`](https://docs.docker.com/reference/commandline/rmi) removes an image.
* [`docker load`](https://docs.docker.com/reference/commandline/load) loads an image from a tar archive on STDIN, including images and tags (as of 0.7).
* [`docker save`](https://docs.docker.com/reference/commandline/save) saves an image to a tar archive stream on STDOUT with all parent layers, tags & versions (as of 0.7).

### Info

* [`docker history`](https://docs.docker.com/reference/commandline/history) shows the history of an image.
* [`docker tag`](https://docs.docker.com/reference/commandline/tag) tags an image to a name (local or registry).

## Registry & Repository

A repository is a *hosted* collection of tagged images that together create the file system for a container.

A registry is a *host* -- a server that stores repositories and provides an HTTP API for [managing the uploading and downloading of repositories](https://docs.docker.com/userguide/dockerrepos/).

Docker.com hosts its own [index](https://registry.hub.docker.com/) to a central registry which contains a large number of repositories. Having said that, the central docker registry [does not do a good job of verifying images](https://titanous.com/posts/docker-insecurity) and should be avoided if you're worried about security.

* [`docker login`](https://docs.docker.com/reference/commandline/login) to login to a registry.
* [`docker search`](https://docs.docker.com/reference/commandline/search) searches a registry for an image.
* [`docker pull`](https://docs.docker.com/reference/commandline/pull) pulls an image from a registry to the local machine.
* [`docker push`](https://docs.docker.com/reference/commandline/push) pushes an image to a registry from the local machine.

### Run local registry

The [registry implementation](https://github.com/docker/docker-registry) has an official image for a basic setup that can be launched with
[`docker run -p 5000:5000 registry`](https://github.com/docker/docker-registry#quick-start).
Note that this installation does not have any authorization controls. Use `-p 127.0.0.1:5000:5000` instead to limit connections to the localhost interface only.
In order to push to this registry, tag your image as `repositoryHostName:5000/imageName`, then push that tag.

## Dockerfile

[The configuration file](https://docs.docker.com/reference/builder/). Sets up a Docker container when you run `docker build` on it. Vastly preferable to `docker commit`. Check out the [Helpful Tools section](#helpful-tools) for additional editors.

### Instructions

* [.dockerignore](https://docs.docker.com/reference/builder/#the-dockerignore-file)
* [FROM](https://docs.docker.com/reference/builder/#from)
* [MAINTAINER](https://docs.docker.com/reference/builder/#maintainer)
* [RUN](https://docs.docker.com/reference/builder/#run)
* [CMD](https://docs.docker.com/reference/builder/#cmd)
* [EXPOSE](https://docs.docker.com/reference/builder/#expose)
* [ENV](https://docs.docker.com/reference/builder/#env)
* [ADD](https://docs.docker.com/reference/builder/#add)
* [COPY](https://docs.docker.com/reference/builder/#copy)
* [ENTRYPOINT](https://docs.docker.com/reference/builder/#entrypoint)
* [VOLUME](https://docs.docker.com/reference/builder/#volume)
* [USER](https://docs.docker.com/reference/builder/#user)
* [WORKDIR](https://docs.docker.com/reference/builder/#workdir)
* [ONBUILD](https://docs.docker.com/reference/builder/#onbuild)

### Tutorial

* [Flux7's Dockerfile Tutorial](http://flux7.com/blogs/docker/docker-tutorial-series-part-3-automation-is-the-word-using-dockerfile/)

## Layers

The versioned filesystem in Docker is based on layers. They're like [git commits or changesets for filesystems](https://docs.docker.com/terms/layer/).

Note that if you're using [aufs](https://en.wikipedia.org/wiki/Aufs) as your filesystem, Docker does not always remove the data volume layers of a container when you delete it! See [PR 8484](https://github.com/docker/docker/pull/8484) for more details.

## Links

Links are how Docker containers talk to each other [through TCP/IP ports](https://docs.docker.com/userguide/dockerlinks/). [Linking into Redis](https://docs.docker.com/examples/running_redis_service/) and [Atlassian](https://blogs.atlassian.com/2013/11/docker-all-the-things-at-atlassian-automation-and-wiring/) show worked examples. You can also (in 0.11) resolve [links by hostname](https://docs.docker.com/userguide/dockerlinks/#updating-the-etchosts-file).

NOTE: If you want containers to ONLY communicate with each other through links, start the docker daemon with `-icc=false` to disable inter-container communication.

If you have a container with the name CONTAINER (specified by `docker run --name CONTAINER`) and in the Dockerfile it has an exposed port:

```
EXPOSE 1337
```

Then if we create another container called LINKED like so:

```
docker run -d --link CONTAINER:ALIAS --name LINKED user/wordpress
```

Then the exposed ports and aliases of CONTAINER will show up in LINKED with the following environment variables:

```
$ALIAS_PORT_1337_TCP_PORT
$ALIAS_PORT_1337_TCP_ADDR
```

And you can connect to it that way.

To delete links, use `docker rm --link LINKED/ALIAS`.

If you want to link across docker hosts then you should look at [Swarm](https://docs.docker.com/swarm/). This [link on stackoverflow](https://stackoverflow.com/questions/21283517/how-to-link-docker-services-across-hosts) provides some good information on different patterns for linking containers across docker hosts.

## Volumes

Docker volumes are [free-floating filesystems](https://docs.docker.com/userguide/dockervolumes/). They don't have to be connected to a particular container.
You should use volumes mounted from [data-only containers](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e) for portability.

Volumes are useful in situations where you can't use links (which are TCP/IP only). For instance, if you need to have two docker instances communicate by leaving stuff on the filesystem.

You can mount them in several docker containers at once, using `docker run --volumes-from`.

Because volumes are isolated filesystems, they are often used to store state from computations between transient containers. That is, you can have a stateless and transient container run from a recipe, blow it away, and then have a second instance of the transient container pick up from where the last one left off.

See [advanced volumes](http://crosbymichael.com/advanced-docker-volumes.html) for more details. Container42 is [also helpful](http://container42.com/2014/11/03/docker-indepth-volumes/).

For an easy way to clean abandoned volumes, see [docker-cleanup-volumes](https://github.com/chadoe/docker-cleanup-volumes).

As of 1.3, you can [map MacOS host directories as docker volumes](https://docs.docker.com/userguide/dockervolumes/#mount-a-host-directory-as-a-data-volume) through boot2docker:

```
docker run -v /Users/wsargent/myapp/src:/src IMAGE
```

You can also use remote NFS volumes if you're [feeling brave](http://www.tech-d.net/2014/03/29/docker-quicktip-4-remote-volumes/).

You may also consider running data-only containers as described [here](http://container42.com/2013/12/16/persistent-volumes-with-docker-container-as-volume-pattern/) to provide some data portability.

## Exposing ports

Exposing incoming ports through the host container is [fiddly but doable](https://docs.docker.com/reference/run/#expose-incoming-ports).

The fastest way is to map the container port to the host port (only using the localhost interface) using `-p`:

```
docker run -p 127.0.0.1:$HOSTPORT:$CONTAINERPORT --name CONTAINER -t someimage
```

If you don't want to use the `-p` option on the command line, you can persist port forwarding by using [EXPOSE](https://docs.docker.com/reference/builder/#expose):

```
EXPOSE
```

If you're running Docker in Virtualbox, you then need to forward the port there as well, using [forwarded_port](https://docs.vagrantup.com/v2/networking/forwarded_ports.html). It can be useful to define something in Vagrantfile to expose a range of ports so that you can dynamically map them:

```
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  ...

  (49000..49900).each do |port|
    config.vm.network :forwarded_port, :host => port, :guest => port
  end

  ...
end
```

If you forget what you mapped the port to on the host container, use `docker port` to show it:

```
docker port CONTAINER $CONTAINERPORT
```

### Examples

* [Examples](https://docs.docker.com/reference/builder/#dockerfile-examples)
* [Best practices for writing Dockerfiles](https://docs.docker.com/articles/dockerfile_best-practices/)
* [Michael Crosby](http://crosbymichael.com/) has some more [Dockerfiles best practices](http://crosbymichael.com/dockerfile-best-practices.html) / [take 2](http://crosbymichael.com/dockerfile-best-practices-take-2.html).

## Best Practices

This is where general Docker best practices and war stories go:

* [The Rabbit Hole of Using Docker in Automated Tests](http://gregoryszorc.com/blog/2014/10/16/the-rabbit-hole-of-using-docker-in-automated-tests/)
* [Bridget Kromhout](https://twitter.com/bridgetkromhout) has a useful blog post on [running Docker in production](http://sysadvent.blogspot.co.uk/2014/12/day-1-docker-in-production-reality-not.html) at Dramafever.
* There's also a best practices [blog post](http://developers.lyst.com/devops/2014/12/08/docker/) from Lyst.
* [A Docker Dev Environment in 24 Hours!](http://blog.relateiq.com/a-docker-dev-environment-in-24-hours-part-2-of-2/)
* [Building a Development Environment With Docker](http://tersesystems.com/2013/11/20/building-a-development-environment-with-docker/)
* [Discourse in a Docker Container](http://samsaffron.com/archive/2013/11/07/discourse-in-a-docker-container)

## Security

This is where security tips about Docker go.

If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host).

Likewise, if you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html).

Docker image ids are [sensitive information](https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4) and should not be exposed to the outside world. Treat them like passwords.

See the [Docker Security Cheat Sheet](https://github.com/konstruktoid/Docker/blob/master/Security/CheatSheet.md) by [Thomas Sjögren](https://github.com/konstruktoid).
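As an added example (not part of the original cheat sheet), a small POSIX shell audit that turns the points in this section, plus the hardening flags copied from the Container Solutions sheet below, into checks you can run on a host: who is in the `docker` group, whether a container bind-mounts the Docker socket, whether an image reference is pinned to a full sha256 digest, and the hardened `docker run` flag set. The group line, the `docker inspect` JSON and the digest are constructed sample values, and `audit_report` only prints; nothing here invokes `docker`.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet. Pure-text checks for the
# Security section; feed real data from `getent group docker` and
# `docker inspect CONTAINER` when using it for real.

# Members of the docker group have effective root on the host. Takes a line in
# /etc/group format ("docker:x:999:alice,bob") and prints one member per line.
docker_group_members() {
  printf '%s\n' "$1" | awk -F: '$1 == "docker" {
    n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# A container that bind-mounts the Docker socket is root on the host. Takes
# `docker inspect` JSON; exit status 0 means the socket is mounted.
mounts_docker_socket() {
  printf '%s' "$1" | grep -Eq '"Source": *"/var/run/docker\.sock"'
}

# A tag (debian:latest) can be repointed on the registry; a digest cannot.
# Exit status 0 only for a reference ending in a full 64-hex-char sha256 digest.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Flags from the Container Solutions sheet in one place: read-only root
# filesystem, read-only secrets volume, memory and CPU-share limits, and a
# non-root user (the run-time equivalent of USER in the Dockerfile).
hardened_run_flags() {
  printf '%s' "--read-only -v $1:/secrets:ro -m 512m -c 512 --user user"
}

# Constructed sample inputs; not a real host, container or image digest.
SAMPLE_GROUP='docker:x:999:alice,bob'
SAMPLE_INSPECT='[{"Id":"0123abcd","Mounts":[{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock"}]}]'
SAMPLE_DIGEST='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

audit_report() {
  echo "docker group members (effective root on the host):"
  docker_group_members "$SAMPLE_GROUP" | sed 's/^/  /'
  if mounts_docker_socket "$SAMPLE_INSPECT"; then
    echo "WARNING: container bind-mounts /var/run/docker.sock"
  fi
  for ref in "debian:latest" "debian@sha256:$SAMPLE_DIGEST"; do
    if is_digest_pinned "$ref"; then
      echo "pinned:   $ref"
    else
      echo "unpinned: $ref (pin an @sha256: digest before docker pull)"
    fi
  done
  echo "docker run $(hardened_run_flags "$(pwd)/secrets") debian"
}

audit_report
```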

From the [Docker Security Cheat Sheet](http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf) (it's in PDF which makes it hard to use, so copying below) by [Container Solutions](http://container-solutions.com/is-docker-safe-for-production/):

Turn off inter-container communication with:

```
docker -d --icc=false --iptables
```

Set the container to be read-only:

```
docker run --read-only debian
```

Verify images with a hashsum:

```
docker pull debian@sha256:a25306f3850e1bd44541976aa7b5fd0a29be
```

Set volumes to be read only:

```
docker run -v $(pwd)/secrets:/secrets:ro debian
```

Set memory and CPU sharing:

```
docker run -c 512 -m 512m debian
```

Define and run a user in your Dockerfile so you don't run as root inside the container:

```
RUN groupadd -r user && useradd -r -g user user
USER user
```

## Tips

Sources:

* [15 Docker Tips in 5 minutes](http://sssslide.com/speakerdeck.com/bmorearty/15-docker-tips-in-5-minutes)

### Last Ids

```
alias dl='docker ps -l -q'
docker run ubuntu echo hello world
docker commit `dl` helloworld
```

### Commit with command (needs Dockerfile)

```
docker commit -run='{"Cmd":["postgres", "-too -many -opts"]}' `dl` postgres
```

### Get IP address

```
docker inspect `dl` | grep IPAddress | cut -d '"' -f 4
```

or

```
wget http://stedolan.github.io/jq/download/source/jq-1.3.tar.gz
tar xzvf jq-1.3.tar.gz
cd jq-1.3
./configure && make && sudo make install
docker inspect `dl` | jq -r '.[0].NetworkSettings.IPAddress'
```

or using a [go
template](https://docs.docker.com/reference/commandline/inspect)

```
docker inspect -f '{{ .NetworkSettings.IPAddress }}' `dl`
```

### Get port mapping

```
docker inspect -f '{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' `dl`
```

### Find containers by regular expression

```
for i in $(docker ps -a | grep "REGEXP_PATTERN" | cut -f1 -d" "); do echo $i; done
```

### Get Environment Settings

```
docker run --rm ubuntu env
```

### Kill running containers

```
docker kill $(docker ps -q)
```

### Delete old containers

```
docker ps -a | grep 'weeks ago' | awk '{print $1}' | xargs docker rm
```

### Delete stopped containers

```
docker rm -v `docker ps -a -q -f status=exited`
```

### Delete dangling images

```
docker rmi $(docker images -q -f dangling=true)
```

### Delete all images

```
docker rmi $(docker images -q)
```

### Show image dependencies

```
docker images -viz | dot -Tpng -o docker.png
```

### Slimming down Docker containers ([Intercity Blog](http://bit.ly/1Wwo61N))

- Cleaning APT

  ```
  RUN apt-get clean
  RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
  ```

- Flatten an image

  ```
  ID=$(docker run -d image-name /bin/bash)
  docker export $ID | docker import - flat-image-name
  ```

- For backup

  ```
  ID=$(docker run -d image-name /bin/bash)
  (docker export $ID | gzip -c > image.tgz)
  gzip -dc image.tgz | docker import - flat-image-name
  ```

### Monitor system resource utilization for running containers

To check the CPU, memory and network i/o usage, you can
use:

```
docker stats CONTAINER
```

for a single container or

```
docker stats $(docker ps -q)
```

to monitor all containers on the docker host.