# Docker Cheatsheet

## Security First Notes
- Always run containers with least privilege: Use --user for non-root.
- Scan images for vulnerabilities: Use tools like Trivy or Docker Scout.
- Avoid hardcoded secrets: Use Docker secrets or environment variables securely.
- Enable Docker Content Trust: `export DOCKER_CONTENT_TRUST=1`
- Assume hostile environment: Validate all inputs and use secure defaults.

## Installation (Debian)
```bash
sudo apt update
sudo apt install docker.io
sudo usermod -aG docker $USER
newgrp docker
```

## Basic Commands
- Version: `docker --version`
- Info: `docker info`
- Login: `docker login`

## Images
- List images: `docker images` or `docker image ls`
- Pull image: `docker pull <image>`
- Build image: `docker build -t <tag> .`
- Remove image: `docker rmi <image>`
- Tag image: `docker tag <source> <target>`
- Save image: `docker save -o <file.tar> <image>`
- Load image: `docker load -i <file.tar>`

## Containers
- Run container: `docker run -d --name <name> <image>`
- Interactive run: `docker run -it <image> /bin/bash`
- List running: `docker ps`
- List all: `docker ps -a`
- Stop: `docker stop <container>`
- Start: `docker start <container>`
- Restart: `docker restart <container>`
- Remove: `docker rm <container>`
- Logs: `docker logs <container>`
- Exec into: `docker exec -it <container> bash`
- Stats: `docker stats`

## Volumes
- Create volume: `docker volume create <name>`
- List volumes: `docker volume ls`
- Inspect: `docker volume inspect <name>`
- Remove: `docker volume rm <name>`

## Networks
- List networks: `docker network ls`
- Create network: `docker network create <name>`
- Connect: `docker network connect <network> <container>`
- Disconnect: `docker network disconnect <network> <container>`
- Inspect: `docker network inspect <network>`

## Docker Compose
- Up: `docker-compose up -d`
- Down: `docker-compose down`
- Build: `docker-compose build`
- Logs: `docker-compose logs`
- PS: `docker-compose ps`

## Cleanup
- Prune containers: `docker container prune`
- Prune images: `docker image prune`
- Prune volumes: `docker volume prune`
- Prune networks: `docker network prune`
- Prune system: `docker system prune -a -f`

## Advanced/Security
- Run as non-root: `docker run -u $(id -u):$(id -g) <image>`
- Security options: `docker run --security-opt no-new-privileges <image>`
- Limit resources: `docker run --cpus=1 --memory=512m <image>`
- Scan for vulnerabilities: Install trivy and run `trivy image <image>`
- Content trust: `docker trust sign <image>`
- Use minimal base images: Prefer alpine or distroless for smaller attack surface.

## Docker Swarm
- Initialize swarm: `docker swarm init`
- Join worker: `docker swarm join --token <token> <manager-ip>:2377`
- List nodes: `docker node ls`
- Deploy stack: `docker stack deploy -c docker-compose.yml <stack>`
- Leave swarm: `docker swarm leave --force`

This cheatsheet prioritizes security and efficiency. For critical systems, perform additional penetration testing and use tools like Docker Bench for Security.

Sources: Based on https://www.docker.com/blog/docker-cheat-sheet/ and official docs."