Basic Docker Commands¶
docker version¶
Docker follows a Client-Server architecture.
- Client: The CLI tool you're typing into.
- Server (Engine/Daemon): The background process that actually manages containers.
The command displays the version information for both the Client and the Server (Daemon).
Use this to verify that the Docker Engine is running and to check for API compatibility.
"Cannot connect to the Docker daemon,"
If you see an error saying "Cannot connect to the Docker daemon," the Client is working, but the Server is off.
docker pull <image>:<tag> & The Output Anatomy¶
Downloads an image from a registry (default: Docker Hub).
- Layers: Images are downloaded in chunks (layers). This allows for caching and faster downloads.
- Immutability: Each layer is read-only and identified by a SHA256 hash.
>> docker pull nginx:latest
latest: Pulling from library/nginx
f4badedbec24: Pull complete
e14d31524fc8: Pull complete
0a43e039475a: Pull complete
5716fd893132: Pull complete
0d9786b44f2a: Pull complete
b1a5e9a47bf9: Pull complete
881ff00f5a79: Pull complete
068f82ab28b2: Download complete
6be5707a6ba5: Download complete
Digest: sha256:7150b3a39203cb5bee612ff4a9d18774f8c7caf6399d6e8985e97e28eb751c18
- (The Hashes): These represent individual layers.
- Pull complete vs Already exists: If you pulled a layer earlier for another image and the current shares the same base OS layer, Docker won't download it again. It just "links" to the existing one on your disk. This is Content-Addressable Storage.
- The Digest is a mathematical fingerprint of the content. If the content changes, the Digest changes.
Layering¶
Docker images use a Union File System (UnionFS).
| Feature | Description |
|---|---|
| Layer Sharing | If two images use the same base OS, they share those layers on disk. |
| Copy-on-Write | When a container starts, it adds a thin "Writable Layer" on top of the read-only image layers. |
| Digest | The sha256 fingerprint ensures the image hasn't been tampered with. |
docker images (or docker image ls)¶
Lists all images currently stored on your local host.
- Repository: The name of the image (e.g.,
nginx). - Tag: The version (e.g.,
latest,1.21). - Image ID: A unique identifier for the specific build of the image.
docker images¶
- Image: The
<image>:<tag>tells you what the software is and which version you have. - ID: It’s the first 12 characters of the SHA-256 hash. Can rename an image, but the ID stays the same until the content changes.
- Content Size (Compressed): The "Transport Size." This is what hits your network bandwidth when you run
docker pull. - Disk Usage (Virtual Size): The "Runtime Size." The total size of all layers once they are uncompressed by the storage driver.
docker image inspect¶
It reveals the low-level metadata of an image—everything from how it was built to what it expects when it starts.
- Id: The full SHA-256 fingerprint. This is the "true" ID of the image.
- Architecture: "arm64": This is a critical detail for your OCI practice. Since you are likely using an OCI "Always Free" Arm instance, this image is compatible. An amd64 image would fail to run on an Arm processor.
- Os: "linux": The kernel the image expects.
- Config : This section tells Docker how to behave when you run docker run.
- Env: A list of environment variables baked into the image. Notice NGINX_VERSION. These are available to the application inside.
- ExposedPorts: This is metadata only. It’s a hint to the user that the app listens on port 80. It does not actually open the port on your host (you still need -p).
- Entrypoint: The main executable (in this case, the Nginx startup script).
- Cmd: The default arguments passed to the entrypoint.
- GraphDriver: "overlayfs": This is the storage engine. Overlay2 is the modern standard that manages how layers are "stacked" on top of each other.
- RootFS.Layers: This is the actual physical stack. You see 7 hashes here, which means the Dockerfile that built this had roughly 7 instructions (like RUN, COPY, ADD) that modified the filesystem.
Title of the callout
docker image inspect returns a JSON array. To find specific values without scrolling, use the --format flag (Go templates).
```
# Get only the Architecture
docker image inspect <ID> --format=' { {.Architecture}}'
# Get the default Command/Args
docker image inspect <ID> --format='{ {.Config.Cmd}}'
# List all Environment Variables
docker image inspect <ID> --format='{ {range .Config.Env}}{ {println .}}{ {end}}'
```
docker run¶
run: creates and starts the container in one go.--name test: assigns a human-readable name to the container.-d: runs the container in the background.-p <host>:<container>: maps HOST_PORT:CONTAINER_PORT.<image>:<tag>: The image and tag to use for the container.
When you run a container in Detached Mode (-d), Docker's way of saying "Mission accomplished" is to hand you the unique, 64-character SHA-256 hash that identifies that specific running instance.
After running a container in detached mode, use these to see what's happening:
| Command | Purpose |
|---|---|
docker ps | See all running containers. |
docker ps -a | See all containers (including those that crashed/stopped). |
docker logs test | See the output/errors from the background process. |
docker stop test | Gracefully shut down the container. |
💡 Note
If you don't have the image locally, docker run will automatically perform a docker pull before starting. It checks your local storage first, then hits the Registry.
docker exec¶
Runs a process in an EXISTING container. Docker uses the Linux PID Namespace to "inject" your process into the same isolated environment where container is running. Both processes share the same network and filesystem, but they are separate processes.
Common usecase¶
- Debugging: Check if configuration files are correctly loaded.
- Environment Check: Run env to see if your variables passed through correctly.
- Logs/DBs: Manually trigger a script or check a local database inside the container.
docker ps¶
This command is your Container Inventory. While docker ps only shows you what is currently "alive" and running, adding the -a (or --all) flag reveals the "ghosts" of containers past—those that have finished their job or been stopped.
CONTAINER ID: the 12-character "Short ID".IMAGE: the blueprint this container was born from.COMMAND: the script that Nginx runs to start up.CREATED: the wall-clock time since you ran docker run.STATUS: the container statusPORTS: ports being listened to.NAMES: custom name assigned.
docker stop¶
To stop the running container. It follows a two-step process:
-
The Polite Request (SIGTERM): Docker sends a "Signal 15" (Termination) to the main process (PID 1) inside the container. It’s saying, "Hey, wrap up your work, save your files, and close your connections."
-
The Grace Period: Docker waits (default is 10 seconds) for the process to exit on its own.
-
The Forceful End (SIGKILL): If the container is still running after 10 seconds, Docker sends a "Signal 9" (Kill). This is the digital equivalent of pulling the power cord.
Customizing the Shutdown
Sometimes 10 seconds isn't enough (e.g., a heavy database saving a large state). You can override the timer:
```bash
# Give the container 30 seconds to shut down gracefully
docker stop -t 30 <container_id>
```
When a container stops, the process (PID 1) dies, but the Writable Layer (where you might have saved files during an exec session) remains on your hard drive. To truly get rid of it, you must Remove it (docker rm).
docker build -t <image_name>:<tag> .¶
Builds image using BuildKit, Docker’s modern build engine. It’s highly parallel and much faster than the old builder.
build: The command to transform a Dockerfile into an Image.-t test:latest: Tag the image. If you don't provide this, your image will be "nameless" (dangling) and hard to find..(The Dot): This is the Build Context. Everything in the context path is sent to the Docker Daemon.
.dockerignore
Use a .dockerignore file to prevent sending large, unnecessary files (like node_modules or .git) to the daemon. This makes builds faster and images smaller.