# Docker Cheatsheet

## Security First Notes

- Always run containers with least privilege: use `--user` for a non-root UID and drop the capabilities the workload does not need.
- Scan images for vulnerabilities before they reach a registry or a host: use tools like Trivy or Docker Scout.
- Avoid hardcoded secrets: never bake them into images or pass them as build args or environment variables (both show up in `docker inspect` and the image history); use Docker secrets or files mounted read-only at run time.
- Enable Docker Content Trust so that `pull`, `push`, `build` and `run` refuse unsigned tags: `export DOCKER_CONTENT_TRUST=1`
- Assume a hostile environment: treat everything that crosses the container boundary as untrusted input and prefer secure defaults.

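As an added example of the scanning and pinning advice above (not code from the original cheatsheet or from Docker), the following gate pulls an image, rejects it when Trivy reports fixable HIGH or CRITICAL findings, and resolves the tag to its immutable digest so a later deployment cannot be served a different image under the same tag. Digest pinning complements Content Trust rather than replacing it: DCT proves who signed the tag, the digest proves you run exactly what you scanned. It assumes `docker` and `trivy` are on PATH; the image names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original cheatsheet: pull, scan, pin.
# DOCKER and TRIVY can be pointed at wrappers or stubs (used for testing).
set -e

DOCKER="${DOCKER:-docker}"
TRIVY="${TRIVY:-trivy}"

# digest_of REPO_DIGEST
# Extracts "sha256:..." from a RepoDigests entry such as "nginx@sha256:...";
# fails when the entry carries no digest (e.g. an image only built locally).
digest_of() {
  local repo_digest="$1"
  case "$repo_digest" in
    *@sha256:*) printf '%s\n' "${repo_digest#*@}" ;;
    *) echo "no digest in: $repo_digest" >&2; return 1 ;;
  esac
}

# pin_image REF
# Pulls REF (a tag such as app:1.4) and prints the repo@digest form that
# identifies exactly those bytes, independent of where the tag points tomorrow.
pin_image() {
  local ref="$1" repo_digest
  "$DOCKER" pull --quiet "$ref" >/dev/null
  repo_digest="$("$DOCKER" image inspect --format '{{index .RepoDigests 0}}' "$ref")"
  digest_of "$repo_digest" >/dev/null && printf '%s\n' "$repo_digest"
}

# scan_gate IMAGE
# Trivy exits 1 when it finds HIGH or CRITICAL vulnerabilities that have a
# fix available; unfixed ones are reported but do not block (--ignore-unfixed).
scan_gate() {
  "$TRIVY" image --quiet --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$1"
}

# admit_image REF
# Prints the pinned reference on success so the caller deploys the scanned
# digest, never the mutable tag; prints nothing and fails otherwise.
admit_image() {
  local ref="$1" pinned
  pinned="$(pin_image "$ref")" || return 1
  scan_gate "$pinned" || { echo "REJECT $ref ($pinned)" >&2; return 1; }
  printf '%s\n' "$pinned"
}

# Usage (placeholder image):
#   pinned="$(admit_image registry.example.com/app:1.4)" && docker run -d "$pinned"
```

Run the admitted reference, not the tag, in the deployment step; otherwise a registry compromise or a careless retag between scan and run silently swaps the image.
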
## Installation (Debian)

```bash
sudo apt update
sudo apt install docker.io
# Members of the docker group control a daemon that runs as root: any member
# can start a container that mounts the host filesystem. Treat membership like
# granting sudo and add only the accounts that need it.
sudo usermod -aG docker $USER
newgrp docker
```

## Basic Commands

- Version: `docker --version`
- Info: `docker info` (also lists the security options the daemon runs with, such as seccomp and AppArmor)
- Login: `docker login` (without a credential helper the token is stored in plaintext in `~/.docker/config.json`)

## Images

- List images: `docker images` or `docker image ls`
- Pull image: `docker pull <image>` (an untagged reference pulls `latest`, which moves; pin a tag, or better a digest, for anything that gets deployed)
- Build image: `docker build -t <tag> .`
- Remove image: `docker rmi <image>`
- Tag image: `docker tag <source> <target>`
- Save image: `docker save -o <file.tar> <image>`
- Load image: `docker load -i <file.tar>`

## Containers

- Run container: `docker run -d --name <name> <image>`
- Interactive run: `docker run -it <image> /bin/bash` (minimal images may only ship `/bin/sh`, or no shell at all)
- List running: `docker ps`
- List all: `docker ps -a`
- Stop: `docker stop <container>`
- Start: `docker start <container>`
- Restart: `docker restart <container>`
- Remove: `docker rm <container>`
- Logs: `docker logs <container>`
- Exec into: `docker exec -it <container> bash`
- Stats: `docker stats`

## Volumes

- Create volume: `docker volume create <name>`
- List volumes: `docker volume ls`
- Inspect: `docker volume inspect <name>`
- Remove: `docker volume rm <name>`

## Networks

- List networks: `docker network ls`
- Create network: `docker network create <name>` (containers on a user-defined network reach each other by name; put tiers that need not talk on separate networks instead of relying on the default bridge, which joins every container that does not specify one)
- Connect: `docker network connect <network> <container>`
- Disconnect: `docker network disconnect <network> <container>`
- Inspect: `docker network inspect <network>`

## Docker Compose

Compose V2 ships as the `docker compose` CLI plugin; the standalone `docker-compose` (V1) binary is no longer maintained, so fall back to it only where nothing newer is installed.

- Up: `docker compose up -d`
- Down: `docker compose down`
- Build: `docker compose build`
- Logs: `docker compose logs`
- PS: `docker compose ps`

## Cleanup

- Prune containers: `docker container prune`
- Prune images: `docker image prune` (dangling images only; add `-a` to remove every image no container uses)
- Prune volumes: `docker volume prune` (on Docker 23 and later this removes only anonymous volumes unless `-a` is given)
- Prune networks: `docker network prune`
- Prune system: `docker system prune -a -f` (removes stopped containers, unused networks, build cache and, because of `-a`, every image not used by a container; `-f` skips the confirmation, so run it without `-f` first to review the list. Volumes are left alone unless `--volumes` is given.)

## Advanced/Security

- Run as non-root: `docker run -u $(id -u):$(id -g) <image>` (that UID must be able to read the files the process needs inside the image; better still, set `USER` in the Dockerfile so the default is already unprivileged)
- Security options: `docker run --security-opt no-new-privileges <image>` (stops setuid/setgid binaries and file capabilities from granting the process more privilege than it started with)
- Limit resources: `docker run --cpus=1 --memory=512m <image>` (a memory limit makes a leak or fork bomb hit the container's cgroup rather than the host; limit PIDs for the same reason)
- Scan for vulnerabilities: install Trivy and run `trivy image <image>`; in CI, use its exit code to fail the build on high or critical findings.
- Content trust: `docker trust sign <image>` (signs the tag with the repository's Notary keys; consumers enforce the signature with `DOCKER_CONTENT_TRUST=1`)
- Use minimal base images: prefer alpine or distroless for a smaller attack surface; fewer packages means fewer CVEs to patch, and distroless images ship no shell for an attacker to exec into.

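The flags in this section and the least-privilege and no-secrets-in-env notes at the top are usually combined in one invocation. The following is an added example (not from the original cheatsheet or from Docker) that does exactly that; the image name, secret path and limit values are placeholders, and `DOCKER=echo` dry-runs the command so the assembled flags can be inspected without a daemon.

```shell
#!/usr/bin/env bash
# Added example, not part of the original cheatsheet: one function that turns
# the hardening flags above into a single least-privilege `docker run`.
# Set DOCKER=echo to print the command instead of executing it.
set -e

DOCKER="${DOCKER:-docker}"

# secret_mount PATH
# Prints the flag that exposes a host file read-only at /run/secrets/<name>
# inside the container: the alternative to `-e SECRET=...`, whose value is
# visible in `docker inspect` and in the environment of every child process.
secret_mount() {
  printf '%s type=bind,source=%s,target=/run/secrets/%s,readonly' \
    '--mount' "$1" "$(basename "$1")"
}

# hardened_run NAME IMAGE [EXTRA docker run FLAGS...]
# Runs IMAGE detached with:
#   --user                        the caller's UID:GID instead of root
#   --cap-drop ALL                no Linux capabilities (re-add with --cap-add)
#   --security-opt                no-new-privileges: setuid cannot escalate
#   --read-only + --tmpfs         immutable root fs, writable scratch in /tmp
#   --cpus/--memory/--pids-limit  caps so a leak or fork bomb stays contained
hardened_run() {
  local name="$1" image="$2"
  shift 2
  "$DOCKER" run -d --name "$name" \
    --user "$(id -u):$(id -g)" \
    --cap-drop ALL \
    --security-opt no-new-privileges \
    --read-only \
    --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --cpus 1 --memory 512m --pids-limit 256 \
    "$@" \
    "$image"
}

# Usage (placeholder image and secret file; the secret path must contain no
# spaces because secret_mount's output is word-split into two arguments):
#   hardened_run web app:1.0 $(secret_mount /etc/app/db_password)
```

Expect `--read-only` and `--cap-drop ALL` to break images that were not built for them (anything that writes under its own root or binds a port below 1024); fix the image or add back the one writable path or capability it needs rather than dropping the flag.
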
## Docker Swarm

- Initialize swarm: `docker swarm init`
- Join worker: `docker swarm join --token <token> <manager-ip>:2377` (the join token is a credential: anyone holding it can add a node to the cluster, so distribute it out of band and rotate it if it leaks)
- List nodes: `docker node ls`
- Deploy stack: `docker stack deploy -c docker-compose.yml <stack>`
- Leave swarm: `docker swarm leave --force`

This cheatsheet prioritizes security and efficiency. For critical systems, perform additional penetration testing and audit the host against the CIS Docker Benchmark with Docker Bench for Security.

Sources: based on https://www.docker.com/blog/docker-cheat-sheet/ and the official docs.