Add Docker cheatsheet with security focus
80
docker-cheatsheet.md
Normal file
@@ -0,0 +1,80 @@
# Docker Cheatsheet

## Security First Notes
- Always run containers with least privilege: Use --user for non-root.
- Scan images for vulnerabilities: Use tools like Trivy or Docker Scout.
- Avoid hardcoded secrets: Use Docker secrets or environment variables securely.
- Enable Docker Content Trust: `export DOCKER_CONTENT_TRUST=1`
- Assume hostile environment: Validate all inputs and use secure defaults.

## Installation (Debian)
```bash
sudo apt update
sudo apt install docker.io
sudo usermod -aG docker $USER
newgrp docker
```

## Basic Commands
- Version: `docker --version`
- Info: `docker info`
- Login: `docker login`

## Images
- List images: `docker images` or `docker image ls`
- Pull image: `docker pull <image>`
- Build image: `docker build -t <tag> .`
- Remove image: `docker rmi <image>`
- Tag image: `docker tag <source> <target>`
- Save image: `docker save -o <file.tar> <image>`
- Load image: `docker load -i <file.tar>`

## Containers
- Run container: `docker run -d --name <name> <image>`
- Interactive run: `docker run -it <image> /bin/bash`
- List running: `docker ps`
- List all: `docker ps -a`
- Stop: `docker stop <container>`
- Start: `docker start <container>`
- Restart: `docker restart <container>`
- Remove: `docker rm <container>`
- Logs: `docker logs <container>`
- Exec into: `docker exec -it <container> bash`
- Stats: `docker stats`

## Volumes
- Create volume: `docker volume create <name>`
- List volumes: `docker volume ls`
- Inspect: `docker volume inspect <name>`
- Remove: `docker volume rm <name>`

## Networks
- List networks: `docker network ls`
- Create network: `docker network create <name>`
- Connect: `docker network connect <network> <container>`
- Disconnect: `docker network disconnect <network> <container>`
- Inspect: `docker network inspect <network>`

## Docker Compose
- Up: `docker-compose up -d`
- Down: `docker-compose down`
- Build: `docker-compose build`
- Logs: `docker-compose logs`
- PS: `docker-compose ps`

## Cleanup
- Prune containers: `docker container prune`
- Prune images: `docker image prune`
- Prune volumes: `docker volume prune`
- Prune networks: `docker network prune`
- Prune system: `docker system prune -a -f`

## Advanced/Security
- Run as non-root: `docker run -u $(id -u):$(id -g) <image>`
- Security options: `docker run --security-opt no-new-privileges <image>`
- Limit resources: `docker run --cpus=1 --memory=512m <image>`
- Scan for vulnerabilities: Install trivy and run `trivy image <image>`
- Content trust: `docker trust sign <image>`
- Use minimal base images: Prefer alpine or distroless for smaller attack surface.

This cheatsheet prioritizes security and efficiency. For critical systems, perform additional penetration testing and use tools like Docker Bench for Security.
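Review bot: the Installation block grants `docker` group membership (`sudo usermod -aG docker $USER`) without saying that this is root-equivalent on the host, since any member of that group can talk to the daemon socket and start containers with arbitrary mounts and privileges; for a cheatsheet that opens with "Security First Notes" this line needs that caveat, or a pointer to rootless mode as the least-privilege alternative. Two smaller points in the same file: the Security First Notes list puts "environment variables" beside Docker secrets as a place for secrets, but container environment is readable through `docker inspect` and by every process in the container, so the line should not present the two as equivalent; and the Docker Compose section uses the legacy `docker-compose` v1 binary throughout, where current installs ship Compose as the `docker compose` plugin (e.g. `docker compose up -d`), so the five entries should use that form.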