Docker Cheatsheet
Security First Notes
- Always run containers with least privilege: Use --user for non-root.
- Scan images for vulnerabilities: Use tools like Trivy or Docker Scout.
- Avoid hardcoded secrets: Use Docker secrets or environment variables securely.
- Enable Docker Content Trust:
export DOCKER_CONTENT_TRUST=1
- Assume a hostile environment: Validate all inputs and use secure defaults.
Installation (Debian)
sudo apt update
sudo apt install docker.io
sudo usermod -aG docker $USER
newgrp docker
Basic Commands
- Version:
docker --version
- Info:
docker info
- Login:
docker login
Images
- List images:
docker images (or docker image ls)
- Pull image:
docker pull <image>
- Build image:
docker build -t <tag> .
- Remove image:
docker rmi <image>
- Tag image:
docker tag <source> <target>
- Save image:
docker save -o <file.tar> <image>
- Load image:
docker load -i <file.tar>
Containers
- Run container:
docker run -d --name <name> <image>
- Interactive run:
docker run -it <image> /bin/bash
- List running:
docker ps
- List all:
docker ps -a
- Stop:
docker stop <container>
- Start:
docker start <container>
- Restart:
docker restart <container>
- Remove:
docker rm <container>
- Logs:
docker logs <container>
- Exec into:
docker exec -it <container> bash
- Stats:
docker stats
Volumes
- Create volume:
docker volume create <name>
- List volumes:
docker volume ls
- Inspect:
docker volume inspect <name>
- Remove:
docker volume rm <name>
Networks
- List networks:
docker network ls
- Create network:
docker network create <name>
- Connect:
docker network connect <network> <container>
- Disconnect:
docker network disconnect <network> <container>
- Inspect:
docker network inspect <network>
Docker Compose
- Up:
docker-compose up -d
- Down:
docker-compose down
- Build:
docker-compose build
- Logs:
docker-compose logs
- PS:
docker-compose ps
Cleanup
- Prune containers:
docker container prune
- Prune images:
docker image prune
- Prune volumes:
docker volume prune
- Prune networks:
docker network prune
- Prune system:
docker system prune -a -f
Advanced/Security
- Run as non-root:
docker run -u $(id -u):$(id -g) <image>
- Security options:
docker run --security-opt no-new-privileges <image>
- Limit resources:
docker run --cpus=1 --memory=512m <image>
- Scan for vulnerabilities: Install trivy and run
trivy image <image>
- Content trust:
docker trust sign <image>
- Use minimal base images: Prefer alpine or distroless for a smaller attack surface.
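The "run as non-root", "avoid hardcoded secrets" and "minimal base image" notes above can be checked before an image is ever built. The script below is an added example, not part of the cheatsheet or of Docker: a hypothetical `check_dockerfile` function that scans a Dockerfile for an unpinned base image, a missing or root USER instruction, and ENV/ARG values that look like embedded credentials.

```shell
#!/usr/bin/env bash
# Example pre-build Dockerfile check (added here; not from the cheatsheet or Docker).
# It flags the three things the security notes warn about:
#   1. a base image that is not pinned to a tag or digest (or that uses :latest)
#   2. a missing or root USER instruction
#   3. ENV/ARG values that look like hardcoded secrets
# Usage: check_dockerfile <Dockerfile>; prints one finding per line,
# exit status = number of findings (0 means clean).
check_dockerfile() {
  awk '
    { kw = toupper($1) }                               # instruction keyword
    kw == "FROM" {
      ref = $2
      if (ref ~ /^--platform=/) ref = $3               # skip a --platform flag
      n = split($0, w)
      for (i = 3; i <= n; i++)                          # remember "AS <stage>" aliases
        if (toupper(w[i]) == "AS" && i < n) alias[w[i + 1]] = 1
      if (ref in alias) next                            # multi-stage reference, not an image
      # pinned = has an @sha256: digest, or a tag after the last "/" that is not "latest"
      if (ref !~ /@sha256:/ && (ref !~ /:[^\/]+$/ || ref ~ /:latest$/)) {
        print "line " NR ": base image " ref " is not pinned to a tag or digest"
        findings++
      }
    }
    kw == "USER" { user_seen = 1; last_user = $2 }
    (kw == "ENV" || kw == "ARG") && toupper($0) ~ /(PASSWORD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*=/ {
      print "line " NR ": " kw " appears to embed a secret; use docker secrets or build-time mounts instead"
      findings++
    }
    END {
      if (!user_seen || last_user ~ /^(root|0)(:|$)/) {
        print "no non-root USER instruction: the container would run as root"
        findings++
      }
      exit findings
    }
  ' "$1"
}

# Stand-alone use: check the Dockerfile given on the command line.
if [ $# -gt 0 ]; then check_dockerfile "$1"; fi
```

Wire it into CI as a gate before `docker build`; a non-zero exit status is the finding count, so the build fails on any hit.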
Docker Swarm
- Initialize swarm:
docker swarm init
- Join worker:
docker swarm join --token <token> <manager-ip>:2377
- List nodes:
docker node ls
- Deploy stack:
docker stack deploy -c docker-compose.yml <stack>
- Leave swarm:
docker swarm leave --force
This cheatsheet prioritizes security and efficiency. For critical systems, perform additional penetration testing and use tools like Docker Bench for Security.
Sources: Based on https://www.docker.com/blog/docker-cheat-sheet/ and the official docs.