Docker Handbook

A Pocket Guide for DevOps & DevSecOps

Author: Sainath Shivaji Mitalakar Edition: 2025

1 Preface
Docker has become one of the most essential tools in the DevOps toolkit. It simplifies
software delivery by packaging applications into portable containers, ensuring consistency
across development, testing, and production environments.
This handbook is designed to be a pocket reference for DevOps engineers, devel-
opers, and system architects. It includes fundamentals, commands, real-world scenarios,
and advanced tips to prepare you for both practical work and interviews.

1.1 What’s Inside

• Introduction to Containers and Docker

• Core Concepts: Images, Containers, Volumes, and Networks

• Docker CLI Commands with one-line explanations

• Best Practices for security, performance, and scalability

• Integration: CI/CD with Jenkins, GitLab, and Kubernetes

• Interview Q&A and real-time troubleshooting cases

• Cheat Sheet for quick daily reference

Tip: If you are new to containers, start small—run your first Docker container and
gradually move towards orchestration with Kubernetes.

2 Docker Basics

2.1 What is Docker?

Docker is an open platform for developing, shipping, and running applications.
It enables applications to run in containers, which are lightweight, portable, and con-
sistent across environments.

1
2.2 Why Use Docker?
• Portability: Run anywhere (local, cloud, on-prem).

• Isolation: Each container runs independently.

• Scalability: Spin up multiple containers instantly.

• Efficiency: Uses less resources compared to VMs.

• DevOps Friendly: Simplifies CI/CD pipelines.

2.3 Containers vs Virtual Machines

• Containers: Share the host OS kernel, lightweight, start in seconds.

• VMs: Run on a hypervisor, include full OS, heavy and slower to start.

Check Docker Version:

$ docker --version

Output:

Docker version 25.0.3, build abc1234

Docker containers are not VMs — think of them as processes with superpowers.

3 Docker Architecture
Docker follows a Client-Server model, with components working together:

• Docker Client: CLI tool (docker run, docker build).

• Docker Daemon (dockerd): Runs in background, manages images/containers.

• Docker Images: Templates used to create containers.

• Docker Containers: Running instances of images.

• Docker Registry: Stores Docker images (e.g., Docker Hub).

2
3.1 Docker Architecture Diagram
+------------------+
| Docker Client |
| (CLI / API) |
+--------+---------+
|
v
+------------------+
| Docker Daemon |
| (dockerd) |
+--------+---------+
|
+--------------+--------------+
| |
v v
+--------+ +-------------+
| Images | | Containers |
+--------+ +-------------+

Docker Registry <----> Docker Daemon (push/pull images)

3.2 Verify Docker Setup

Run Hello World container:

$ docker run hello-world

Output:

Hello from Docker!

This message shows that your installation appears to be working correctly.

4 Installing Docker on Linux

3
4.1 Ubuntu/Debian

Install Docker Engine:

$ sudo apt-get update

$ sudo apt-get install -y \
ca-certificates curl gnupg lsb-release

$ sudo mkdir -p /etc/apt/keyrings

$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

$ echo \
"deb [arch=$(dpkg --print-architecture) \
signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

$ sudo apt-get update

$ sudo apt-get install -y docker-ce docker-ce-cli containerd.io

After installation, add your user to the docker group to run commands without sudo:

$ sudo usermod -aG docker $USER

$ newgrp docker

5 Installing Docker on macOS

5.1 Using Homebrew

$ brew install --cask docker

5.2 Start Docker Desktop

• Open Applications → Docker.

• Verify Docker icon in menu bar.

• Run the hello-world container to test.

4
 $ docker run hello-world

6 Installing Docker on Windows

6.1 Using Docker Desktop

• Download Docker Desktop from docker.com.

• Enable WSL 2 backend (recommended).

• Install and restart your system.

Verify Installation:

$ docker --version
$ docker run hello-world

6.2 Optional: Using WSL (Ubuntu on Windows)

$ wsl --install -d Ubuntu

$ sudo apt-get update && sudo apt-get install -y docker.io

7 Initial Docker Commands

Check Docker Info:

$ docker info

List Docker Images:

$ docker images

List Running Containers:

$ docker ps

Run a Test Container:

$ docker run -it ubuntu bash

5
 Docker Desktop works on both Windows and macOS. On Linux, Docker Engine is
installed directly without Docker Desktop.

Docker Images & Containers

Docker revolves around two core concepts: Images and Containers.

• Image – A read-only template that contains instructions for creating a container.

• Container – A running instance of an image. Containers are lightweight and

isolated.

Working with Images

Pulling an Image

docker pull ubuntu

Listing Images

docker images

Building an Image (from Dockerfile)

docker build -t myapp:1.0 .

Removing an Image

docker rmi image_id

Docker Containers Basics

Run a Container (interactive)

docker run -it ubuntu /bin/bash

Run in Detached Mode (background)

docker run -d nginx

List Running Containers

docker ps

List All Containers (including stopped)

docker ps -a

6
Managing Containers
Start a Stopped Container

docker start container_id

Stop a Running Container

docker stop container_id

Restart a Container

docker restart container_id

Remove a Container

docker rm container_id

Inspecting Containers
Get Container Logs

docker logs container_id

Inspect Container Details

docker inspect container_id

Access Running Container Shell

docker exec -it container_id /bin/bash

7
Ports & Networking
Run a Container with Port Mapping

docker run -d -p 8080:80 nginx

Check Port Bindings

docker port container_id

List Networks

docker network ls

Inspect Network

docker network inspect bridge

Volumes and Persistence (Basics)

Run a Container with Volume Mount

docker run -v /host/path:/container/path -it ubuntu

List Volumes

docker volume ls

Inspect a Volume

docker volume inspect volume_name

8 Dockerfile Deep Dive

A Dockerfile is a text file containing instructions to build a Docker image. It automates
image creation and ensures consistency across environments.

8.1 Basic Structure of a Dockerfile

Example: Simple Node.js App Dockerfile

FROM node:18-alpine
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
EXPOSE 3000
CMD ["node", "server.js"]

8
8.2 Key Dockerfile Instructions
• FROM – Sets the base image.

• WORKDIR – Defines working directory in the container.

• COPY – Copies files from host to container.

• ADD – Similar to COPY but supports remote URLs archives.

• RUN – Executes commands during image build.

• CMD – Default command for container execution.

• ENTRYPOINT – Configures container as executable.

• EXPOSE – Documents the port the app listens on.

• ENV – Defines environment variables.

• ARG – Defines build-time variables.

• VOLUME – Creates mount points for persistence.

• LABEL – Adds metadata (e.g., maintainer, version).

8.3 Building an Image (from Dockerfile)

$ docker build -t myapp:1.0 .

8.4 Best Practices for Dockerfiles

• Use official base images (e.g., alpine, ubuntu).

• Keep images small – prefer slim variants.

• Minimize layers – combine commands using .

• Leverage .dockerignore – exclude unnecessary files.

• Use multi-stage builds – separate build and runtime stages.

• Pin versions for reproducibility.

• Avoid root user – use USER instruction.

• Document metadata using LABEL.

9
8.5 Multi-Stage Build Example

# Build Stage
FROM golang:1.19 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp .

# Final Stage
FROM alpine:latest
WORKDIR /root/
COPY --from=builder /app/myapp .
CMD ["./myapp"]

8.6 ENTRYPOINT vs CMD

• CMD – Default command, can be overridden at runtime.

• ENTRYPOINT – Main executable, arguments can be appended.

CMD Example:

FROM ubuntu
CMD ["echo", "Hello World"]

ENTRYPOINT Example:

FROM ubuntu
ENTRYPOINT ["echo"]
CMD ["Hello from Docker"]

Run Command Example:

$ docker run myimage Hi

# Output: echo Hi

8.7 Dockerfile Debugging Tips

• Use docker build . -t testimage --progress=plain for verbose output.

• Insert temporary RUN echo "checkpoint" to debug build process.

• Test smaller parts of Dockerfile incrementally.

10
9 Docker Volumes & Persistent Storage
Containers are ephemeral by nature, meaning data inside the container is lost when it
stops. Volumes allow persistent data storage that exists independently of container
lifecycle.

9.1 Types of Docker Storage

• Volumes – Managed by Docker, stored on host filesystem, best practice for persis-
tent data.

• Bind Mounts – Maps host directories into containers, more flexible but less
portable.

• Tmpfs – In-memory storage, data disappears on restart.

9.2 Creating and Using Volumes

Create a Volume:

$ docker volume create mydata

List Volumes:

$ docker volume ls

Inspect Volume Details:

$ docker volume inspect mydata

9.3 Mounting Volumes in Containers

Run a Container with Volume:

$ docker run -d -v mydata:/app/data myimage

Mount Multiple Volumes:

$ docker run -d -v vol1:/data1 -v vol2:/data2 myimage

11
9.4 Using Bind Mounts

Run Container with Bind Mount:

$ docker run -d -v /host/path:/container/path myimage

9.5 Removing Volumes

Remove a Volume:

$ docker volume rm mydata

9.6 Best Practices for Persistent Storage

• Always use named volumes instead of anonymous volumes for easier management.

• Avoid storing important data inside the container filesystem.

• Use separate volumes for database and application logs for maintainability.

• Back up volumes regularly using docker run --rm -v mydata:/data busybox

tar cvf /backup/data.tar /data.

• Clean up unused volumes with docker volume prune.

9.7 Example: Persistent Database Container

Run MySQL Container with Volume:

$ docker volume create mysql-data

$ docker run -d \
--name mysql-server \
-e MYSQL_ROOT_PASSWORD=root123 \
-v mysql-data:/var/lib/mysql \
mysql:8

9.8 Verifying Data Persistence

Check Database Files on Host:

$ docker volume inspect mysql-data

# Mountpoint shows path on host

12
 Tip: Named volumes are portable across containers and simplify CI/CD pipelines
for stateful applications.

10 Docker Networking & Linking Containers

Docker containers communicate with each other and the outside world using networks.
Understanding Docker networking is crucial for multi-container applications.

10.1 Types of Docker Networks

• Bridge Network – Default network, connects containers on the same host.

• Host Network – Container shares host’s network stack.

• Overlay Network – Connects containers across multiple Docker hosts (used in

Swarm).

• Macvlan Network – Containers appear as physical devices on the network.

10.2 Listing and Inspecting Networks

List Docker Networks:

$ docker network ls

Inspect a Network:

$ docker network inspect bridge

10.3 Creating Custom Networks

Create a Bridge Network:

$ docker network create my-bridge-network

10.4 Running Containers on a Specific Network

Run Container on Custom Network:

$ docker run -d --name web --network my-bridge-network nginx

13
10.5 Linking Containers (Legacy Method)

Link a Database Container to Web Container:

$ docker run -d --name db mysql:8

$ docker run -d --name web --link db:database nginx

10.6 Modern Communication via Network

• Use container names as hostnames instead of legacy ‘–link‘.

• Example: ‘ping db‘ from web container works if both are on the same network.

10.7 Connecting Existing Containers to a Network

Connect a Container to Network:

$ docker network connect my-bridge-network container_name

Disconnect a Container from Network:

$ docker network disconnect my-bridge-network container_name

10.8 Best Practices for Docker Networking

• Always use user-defined bridge networks for better DNS resolution.

• Avoid exposing unnecessary ports to the host for security.

• Use overlay networks for swarm or multi-host setups.

• Use descriptive network names for maintainability.

Tip: Containers on the same user-defined bridge network can communicate using
container names, simplifying service discovery in CI/CD pipelines.

11 Docker Compose & Multi-Container Applications

11.1 What is Docker Compose?

Docker Compose is a tool for defining and running multi-container Docker applications
using a single YAML file (‘docker-compose.yml‘). It simplifies orchestration, networking,
and environment configuration.

14
11.2 Installing Docker Compose

Check Docker Compose Version:

$ docker-compose --version

11.3 Creating a Docker Compose File

Example: Multi-container application with web and database services.

docker-compose.yml Example:

version: ’3’
services:
db:
image: mysql:8
environment:
MYSQL_ROOT_PASSWORD: rootpass
MYSQL_DATABASE: mydb
ports:
- "3306:3306"
web:
image: nginx:latest
ports:
- "80:80"
depends_on:
- db

11.4 Starting Multi-Container Applications

Start Application:

$ docker-compose up -d

Stop Application:

$ docker-compose down

15
11.5 Managing Services

View Running Services:

$ docker-compose ps

View Logs:

$ docker-compose logs -f

Rebuild Services:

$ docker-compose up -d --build

11.6 Scaling Services

Scale Web Service to 3 Containers:

$ docker-compose up -d --scale web=3

11.7 Networking in Compose

• Docker Compose automatically creates a dedicated network for services.

• Services can communicate using service names as hostnames.

• External networks can also be defined for multi-project communication.

11.8 Best Practices

• Keep environment variables in ‘.env‘ files for security and maintainability.

• Version control your ‘docker-compose.yml‘ for reproducibility.

• Use named volumes for persistent storage of databases or critical data.

• Limit container resources for production deployments to prevent host overload.

Tip: Docker Compose simplifies local development and CI/CD pipeline testing, en-
abling multi-container apps to run with a single command.

16
12 Docker Swarm & Orchestration

12.1 What is Docker Swarm?

Docker Swarm is Docker’s native clustering and orchestration tool. It allows you to
manage a cluster of Docker engines as a single virtual system, providing scaling, load
balancing, and fault tolerance.

12.2 Initializing a Swarm Cluster

Initialize Swarm on Manager Node:

$ docker swarm init --advertise-addr <MANAGER-IP>

Output:

Swarm initialized: current node (xxxxxx) is now a manager.

To add a worker to this swarm, run the following command:
docker swarm join --token <WORKER-TOKEN> <MANAGER-IP>:2377

12.3 Adding Nodes to Swarm

Join Worker Node:

$ docker swarm join --token <WORKER-TOKEN> <MANAGER-IP>:2377

12.4 Deploying Services in Swarm

Deploy a Service:

$ docker service create --name web --replicas 3 -p 80:80 nginx:latest

List Services:

$ docker service ls

Inspect Service:

$ docker service ps web

17
12.5 Scaling Services

Scale a Service:

$ docker service scale web=5

12.6 Updating Services

Update Image for a Service:

$ docker service update --image nginx:1.21 web

12.7 Removing Services

Remove a Service:

$ docker service rm web

12.8 Swarm Networking

• Swarm creates an overlay network to allow secure communication between services
across multiple nodes.

• Each service can be addressed by its name within the overlay network.

12.9 Best Practices

• Always have at least 3 manager nodes for high availability.

• Use secrets and configs for sensitive information.

• Monitor cluster health and node status regularly.

• Limit the number of replicas per node to avoid resource contention.

Tip: Docker Swarm is suitable for smaller production deployments and local orches-
tration experiments. For enterprise-grade scaling, consider Kubernetes.

13 Docker Security & Best Practices

13.1 Image Scanning

• Always scan Docker images for vulnerabilities before deployment.

18
 • Use tools like Docker Scan or third-party scanners (Trivy, Anchore).

Scan an Image:

$ docker scan myapp:1.0

13.2 Using Trusted Images

• Always pull images from trusted repositories.

• Prefer official images from Docker Hub or private registries with verified content.

Pull Trusted Image:

$ docker pull nginx:latest

13.3 User Permissions and Running Containers Securely

• Avoid running containers as root unless necessary.

• Use the USER directive in Dockerfile to specify a non-root user.

Run Container as Non-Root User:

$ docker run -u 1001:1001 myapp:1.0

13.4 Secrets Management

• Never store sensitive data (passwords, keys) directly in Dockerfiles or images.

• Use Docker secrets or environment variables securely.

Create a Secret:

$ echo "my_password" | docker secret create db_password -

Use Secret in a Service:

$ docker service create --name db --secret db_password postgres:latest

19
13.5 Network Security
• Use bridge and overlay networks with proper segmentation.

• Restrict container-to-container communication when not required.

• Avoid publishing unnecessary ports to the host.

Create a Custom Network:

$ docker network create --driver overlay my_overlay

13.6 Image Hardening Best Practices

• Use minimal base images (Alpine, Slim variants).

• Remove unnecessary packages and files to reduce image size and attack surface.

• Regularly update base images to patch vulnerabilities.

13.7 Docker Daemon Security

• Run Docker daemon with TLS if exposed remotely.

• Limit access to the Docker socket (/var/run/docker.sock).

• Enable logging and monitoring for Docker events.

Tip: Always combine image scanning, secrets management, and network policies for
production-grade Docker security.

14 Docker Logging, Monitoring & Troubleshooting

14.1 Container Logs

• Use docker logs to inspect container stdout/stderr.

• For long-running containers, consider centralized logging solutions.

View Container Logs:

$ docker logs my_container

Follow Logs in Real-Time:

$ docker logs -f my_container

20
14.2 Resource Monitoring
• Monitor CPU, memory, network, and I/O usage of containers.

• Use docker stats for live metrics.

Monitor Resource Usage:

$ docker stats

14.3 Inspecting Containers

• Use docker inspect to get detailed metadata about a container or image.

Inspect Container Details:

$ docker inspect my_container

14.4 Debugging Techniques

• Access a running container interactively for troubleshooting.

• Check mounted volumes and environment variables for misconfigurations.

Access Running Container:

$ docker exec -it my_container /bin/bash

14.5 Checking Container Status

• Use docker ps to see running containers.

• Use docker ps -a to see all containers including stopped ones.

List Running Containers:

$ docker ps

List All Containers:

$ docker ps -a

21
14.6 Logs Aggregation and Monitoring Tools
• Use ELK stack, Grafana, Prometheus, or Loki for production-grade container mon-
itoring.

• Aggregate logs from multiple containers for better observability.

14.7 Common Troubleshooting Commands

Restart a Container:

$ docker restart my_container

Remove a Stopped Container:

$ docker rm my_container

Remove an Image:

$ docker rmi my_image:tag

Tip: Combine logging, monitoring, and debugging practices to quickly diagnose and
resolve container issues in production.

15 Docker Compose Advanced & Multi-Host Setup

15.1 Advanced Docker-Compose Configurations

• Use docker-compose.yml to define multi-container applications with dependencies.

• Define networks, volumes, environment variables, and service constraints.

Start Multi-Container Application:

$ docker-compose up -d

Stop Services:

$ docker-compose down

View Service Logs:

$ docker-compose logs -f

22
15.2 Scaling Services
• Scale services up or down to handle varying workloads.

• Useful in development and testing multi-container setups.

Scale a Service:

$ docker-compose up -d --scale web=3

15.3 Multi-Host Networking

• Use overlay networks to connect containers across multiple Docker hosts.

• Integrate with Docker Swarm or Kubernetes for production multi-host deployments.

Create Overlay Network:

$ docker network create -d overlay my_overlay

15.4 Environment Variable Management

• Use .env files to define environment variables for services.

• Ensures portability and easier configuration across environments.

Reference Environment File:

$ docker-compose --env-file .env up -d

15.5 Orchestration Best Practices

• Separate production, staging, and development configurations.

• Use volumes for persistent storage and backups.

• Monitor container health with healthcheck and logging.

Tip: Combine Docker Compose with Swarm or Kubernetes for advanced orchestra-
tion, multi-host deployments, and automated scaling.

23
16 Docker Security & Compliance

16.1 Image Scanning and Vulnerability Management

• Always scan Docker images for vulnerabilities before deploying to production.

• Helps to avoid known security exploits, malware, and outdated libraries.

• Tools: Docker Scan, Trivy, Anchore, Clair.

Scan an Image with Docker Scan:

$ docker scan myapp:1.0

Scan with Trivy:

$ trivy image myapp:1.0

16.2 Role-Based Access Control (RBAC)

• Use RBAC to define who can deploy, modify, or remove containers.

• Limits damage from accidental or malicious actions.

• Integrates with Docker Enterprise or Kubernetes for production.

Create a Docker User with Limited Access:

$ docker login --username devuser

$ docker logout

16.3 Secrets Management

• Avoid storing passwords or API keys in Dockerfiles.

• Use Docker secrets or external vaults (HashiCorp Vault, AWS Secrets Manager).

• Ensures sensitive data is encrypted and only available to authorized containers.

Create and Use a Secret:

$ echo "my_password" | docker secret create db_password -

$ docker service create --name db --secret db_password postgres:latest

24
16.4 Container Runtime Security
• Use minimal base images to reduce attack surface.

• Drop unnecessary Linux capabilities and run containers as non-root.

• Monitor container runtime for abnormal behavior with Falco, Aqua, or Sysdig.

Run Container as Non-Root:

$ docker run -u 1001:1001 myapp:1.0

16.5 Production Security Best Practices

• Use signed images and enable content trust (DOCKERC ON T EN TT RU ST = 1).
• Regularly patch Docker Engine, images, and host OS.

• Limit network exposure, use private registries, and enable firewall rules.

• Monitor containers continuously and enforce compliance policies.

Enable Docker Content Trust:

$ export DOCKER_CONTENT_TRUST=1
$ docker pull myapp:1.0

Tip: Security is not just about tools, but about processes. Implement CI/CD
pipelines that include image scanning, secret management, and automated compli-
ance checks for all builds.

17 Docker Logging, Monitoring & Troubleshooting

17.1 Understanding Docker Logs

• Docker captures stdout and stderr of each container automatically.

• Logs are crucial for debugging, auditing, and understanding application behavior.

• Use docker logs to view container logs in real time.

View Logs of a Container:

$ docker logs mycontainer

25
 Follow Logs in Real-Time:

$ docker logs -f mycontainer

17.2 Monitoring Container Resource Usage

• Monitor CPU, memory, network, and disk usage to prevent resource exhaustion.

• Use built-in Docker commands or tools like cAdvisor, Prometheus, Grafana for
continuous monitoring.

Check Container Resource Usage:

$ docker stats mycontainer

17.3 Health Checks and Status Monitoring

• Define health checks in Dockerfile to ensure containers are running correctly.

• Health status helps orchestrators (like Docker Swarm or Kubernetes) decide when
to restart or replace containers.

Add Health Check in Dockerfile:

HEALTHCHECK --interval=30s --timeout=5s \

CMD curl -f http://localhost:8080/ || exit 1

17.4 Troubleshooting Common Container Issues

• Containers not starting: check logs, inspect container exit code.

• Network issues: inspect Docker networks and container connectivity.

• Volume/mount errors: verify paths, permissions, and host directories.

Inspect Container Details:

$ docker inspect mycontainer

Check Network Connections:

$ docker network inspect mynetwork

Restart a Failed Container:

$ docker restart mycontainer

26
17.5 Centralized Logging and Monitoring
• For production environments, aggregate logs using ELK stack (Elasticsearch, Logstash,
Kibana) or Loki/Grafana.

• Helps analyze logs across multiple containers and hosts.

• Set up alerts for critical events and resource thresholds.

Tip: Always integrate logging and monitoring into CI/CD pipelines. Automate alerts
and dashboards for proactive troubleshooting. Collect both container and application
logs to get complete visibility.

18 Docker Compose Advanced & Multi-Host Setup

18.1 Advanced Docker Compose Features

• Define multiple services, networks, and volumes in a single docker-compose.yml
file.

• Use environment variables to make deployments flexible and environment-specific.

• Scale services with docker-compose up --scale to handle load efficiently.

Start Multiple Services:

$ docker-compose up -d

Scale a Service:

$ docker-compose up -d --scale web=3

18.2 Multi-Host Networking with Compose

• Connect services across multiple Docker hosts using overlay networks.

• Enables service-to-service communication in a Swarm or multi-host environment.

• Avoids hardcoding host IPs; uses service discovery within the network.

Create Overlay Network:

$ docker network create -d overlay my_overlay_network

27
 Attach Service to Network in Compose:

services:
web:
image: myapp:latest
networks:
- my_overlay_network

18.3 Docker Compose Best Practices

• Always use explicit versioning in images to avoid unexpected updates.

• Use named volumes for persistent data and shared storage across hosts.

• Split large Compose files into multiple files using -f for environment-specific over-
rides.

• Enable logging options in Compose for centralized log collection.

Override Compose File for Production:

$ docker-compose -f docker-compose.yml \
-f docker-compose.prod.yml up -d

18.4 Multi-Host Deployment Tips

• Use Docker Swarm mode to deploy Compose stacks across multiple nodes.

• Ensure all hosts share the same Docker version and compatible network setup.

• Monitor inter-host traffic and resource utilization.

• Consider security: TLS for Docker daemon and encrypted overlay networks.

Deploy a Compose Stack in Swarm:

$ docker stack deploy -c docker-compose.yml mystack

18.5 Troubleshooting Multi-Host Setups

• Check container logs for network errors: docker logs <container>.

• Inspect overlay networks: docker network inspect <network>.

28
 • Verify service replicas across nodes: docker service ls and docker service ps
<service>.

Tip: For production multi-host setups, integrate monitoring (Prometheus/Grafana)

and logging (ELK/Loki) early. Ensure automated health checks, resource limits, and
secrets management are in place to avoid failures.

19 Docker Security & Compliance

19.1 Image Security

• Always pull images from trusted sources or official repositories.

• Scan images for vulnerabilities using tools like Trivy, Clair, or Anchore.

• Minimize image layers to reduce attack surface.

• Use signed images for verification.

Scan Docker Image with Trivy:

$ trivy image myapp:latest

19.2 User Permission Management

• Avoid running containers as root; create non-root users in Dockerfile.

• Use USER instruction in Dockerfile for security.

• Apply least privilege principle for volumes and mounted paths.

Add Non-Root User in Dockerfile:

FROM ubuntu:22.04
RUN useradd -ms /bin/bash appuser
USER appuser

19.3 Secrets Management

• Never hardcode secrets or credentials in Dockerfiles or Compose files.

• Use Docker secrets for sensitive data in Swarm mode.

• Integrate with external secret managers (HashiCorp Vault, AWS Secrets Manager).

29
 Create a Docker Secret:

$ echo "mypassword" | docker secret create db_password -

Use Secret in Service:

services:
db:
image: mysql:8
secrets:
- db_password

19.4 Network Security

• Use user-defined bridge or overlay networks instead of default bridge.

• Enable encrypted overlay networks in multi-host setups.

• Limit container communication using network policies and firewalls.

Create Encrypted Overlay Network:

$ docker network create -d overlay \

--opt encrypted my_secure_network

19.5 Runtime Security Monitoring

• Use docker stats to monitor container resource usage.

• Implement health checks in Dockerfiles or Compose for auto-restart of failing con-

tainers.

• Consider tools like Falco for real-time runtime security monitoring.

Add Healthcheck in Dockerfile:

HEALTHCHECK --interval=30s --timeout=5s \

CMD curl -f http://localhost:8080/ || exit 1

19.6 Compliance Best Practices

• Follow CIS Docker Benchmark guidelines for production hardening.

• Limit container capabilities using --cap-drop and avoid unnecessary privileges.

30
 • Keep Docker Engine and images updated with security patches.

• Enable logging and auditing for compliance and incident analysis.

Tip: Automate image scanning, secrets management, and runtime checks in CI/CD
pipelines to enforce continuous security and compliance. Always combine security
tools with monitoring dashboards for proactive threat detection.

20 Docker Logging, Monitoring & Troubleshooting

20.1 Container Logs

• Use docker logs to inspect stdout/stderr from containers.

• Implement structured logging in your applications (JSON format recommended).

• Use centralized logging solutions (ELK, Loki, Graylog) for multi-container environ-
ments.

View Logs of a Container:

$ docker logs my_container

Follow Logs in Real-Time:

$ docker logs -f my_container

20.2 Monitoring Container Resource Usage

• Use docker stats to monitor CPU, memory, network, and I/O in real time.

• Monitor container metrics via Prometheus + cAdvisor for production setups.

• Set alerts on CPU/memory thresholds to prevent container crashes.

Monitor Container Resource Usage:

$ docker stats

20.3 Health Checks & Auto-Restart

• Use HEALTHCHECK in Dockerfiles for automatic container status monitoring.

31
 • Combine HEALTHCHECK with --restart policies to auto-restart failed contain-
ers.

• Helps maintain high availability and resilience in production.

Set Restart Policy:

$ docker run --restart=always myapp:latest

Add Healthcheck in Dockerfile:

HEALTHCHECK --interval=30s --timeout=5s \

CMD curl -f http://localhost:8080/ || exit 1

20.4 Troubleshooting Common Issues

• Container Won’t Start: Check logs, inspect entrypoint and CMD.

• Port Conflicts: Ensure host ports are free and mapped correctly.

• Network Connectivity Issues: Inspect networks using docker network inspect.

• Resource Exhaustion: Monitor CPU/memory and increase limits if required.

Inspect a Container for Troubleshooting:

$ docker inspect my_container

Check Docker Networks:

$ docker network ls
$ docker network inspect my_network

20.5 Tips for Production Environments

• Centralize logs to ELK/Loki for easier analysis.

• Automate monitoring with Prometheus/Grafana dashboards.

• Use alerting tools (Prometheus Alertmanager, Slack/email notifications) for proac-

tive issue resolution.

• Document troubleshooting steps and patterns for team knowledge sharing.

Tip: Combine logging, monitoring, and health checks to create a self-healing con-
tainer ecosystem. This ensures reliability and quick problem diagnosis in production
environments.

32
21 Docker Compose Advanced & Multi-Host Setup

21.1 Advanced Docker Compose Concepts

• Use depends on to define service startup order.

• Define environment variables using env file or environment in docker-compose.yml.

• Use volumes and networks for shared storage and custom network topology.

• Scaling services using docker-compose up --scale <service>=N.

Start Services with Scaling:

$ docker-compose up -d --scale web=3

Check Running Services:

$ docker-compose ps

21.2 Multi-Host Setup with Docker Compose

• Deploy services across multiple Docker hosts using a shared overlay network.

• Use Docker Swarm or Kubernetes for orchestrating multi-host deployments.

• Ensure consistent environment variables, volumes, and secrets across hosts.

Create an Overlay Network:

$ docker network create --driver overlay my_overlay

21.3 Managing Secrets and Configs

• Store sensitive information using Docker secrets.

• Use configs for non-sensitive configuration files.

• Helps maintain security and environment consistency across multi-host deploy-

ments.

Create a Docker Secret:

$ echo "my_password" | docker secret create db_password -

33
21.4 Tips for Production Deployments
• Use restart: always for critical services to ensure uptime.

• Enable health checks for all services.

• Monitor multi-host services using centralized tools (Prometheus, Grafana, ELK/Loki).

• Keep docker-compose.yml organized with comments for maintainability.

Tip: Multi-host Docker Compose setups require consistent networking, secrets man-
agement, and monitoring to ensure production-grade deployments. Combine Com-
pose with Swarm/Kubernetes for scalability and fault-tolerance.

22 Docker Security & Compliance – Advanced

22.1 Image Security and Scanning

• Always use minimal, official base images to reduce attack surface.

• Scan images for vulnerabilities using tools like Trivy, Clair, or Docker Hub built-in
scans.

• Ensure images are signed and verified using Notary or Docker Content Trust.

Scan Image with Trivy:

$ trivy image myapp:1.0

Enable Docker Content Trust:

$ export DOCKER_CONTENT_TRUST=1
$ docker pull myorg/myapp:1.0

22.2 User Permissions and Least Privilege

• Run containers as non-root users whenever possible.

• Use USER instruction in Dockerfile to specify a restricted user.

• Avoid giving containers host privileges unless absolutely necessary.

Run Container as Non-Root User:

$ docker run -u 1001:1001 myapp:1.0

34
22.3 Secrets Management
• Never hardcode sensitive information like passwords, API keys, or certificates.

• Use Docker secrets for sensitive data in Swarm, or environment variables in Compose
for local dev (avoid production usage).

• Integrate with external secret managers like HashiCorp Vault or AWS Secrets Man-
ager for enterprise-grade security.

Create and Use Docker Secret:

$ echo "supersecret" | docker secret create db_password -

$ docker service create --name db --secret db_password mydb:1.0

22.4 Network Security

• Use user-defined bridge or overlay networks instead of default bridge.

• Isolate sensitive services in private networks.

• Limit exposed ports to only necessary services; avoid using -p 0:0 to map all ports.

Create a Secure Overlay Network:

$ docker network create --driver overlay --attachable secure_net

22.5 Runtime Security and Monitoring

• Enable AppArmor or SELinux profiles for containers to limit actions.

• Use tools like Falco to monitor suspicious behavior at runtime.

• Monitor container resource usage (CPU, memory, I/O) to detect anomalies or DoS
attempts.

Check Container Stats:

$ docker stats myapp

22.6 Image Provenance and Compliance

• Maintain image provenance by using signed images and keeping a secure registry.

• Ensure compliance with industry standards (CIS Docker Benchmark, NIST guide-
lines).

35
 • Regularly update images and rebuild pipelines to incorporate security patches.

Tip: Security is multi-layered. Focus on image integrity, runtime restrictions, se-

crets management, network isolation, and continuous monitoring to maintain a secure
Docker deployment. Regular audits and vulnerability scans should be part of your
CI/CD pipeline.

23 Docker Troubleshooting, Logging & Observabil-

ity

23.1 Container Logs

• Docker captures stdout and stderr streams from containers.

• Always inspect logs to diagnose runtime issues, crashes, or errors in your applica-
tions.

• Use log rotation to avoid disk overflow in production environments.

View Logs of a Container:

$ docker logs myapp

Follow Real-Time Logs:

$ docker logs -f myapp

23.2 Monitoring Resource Usage

• Monitor CPU, memory, network I/O, and disk usage for each container.

• Identify resource hogs and prevent Denial of Service (DoS) situations.

• Use monitoring tools like cAdvisor, Prometheus, and Grafana for detailed observ-
ability.

Check Container Stats:

$ docker stats myapp

36
23.3 Investigating Crashes and Failures
• Use docker inspect to view container configuration, environment variables, and
mounts.

• Check health checks defined in Dockerfile or Compose.

• Review logs for stack traces or error messages.

Inspect Container Details:

$ docker inspect myapp

23.4 Restart Policies and Automatic Recovery

• Define restart policies to automatically recover from failures (e.g., --restart unless-stopped).

• Essential for high-availability production deployments.

Run Container with Restart Policy:

$ docker run --restart unless-stopped myapp:1.0

23.5 Troubleshooting Networking Issues

• Use docker network ls and docker network inspect to verify networks.

• Test connectivity between containers using ping or curl.

• Ensure proper firewall rules and port mappings are configured.

Inspect Docker Network:

$ docker network inspect my_overlay_network

23.6 Log Drivers and Centralized Logging

• Configure log drivers for centralized logging (e.g., json-file, syslog, fluentd,
gelf).

• Centralized logs help in troubleshooting across multi-host setups.

• Integrate with ELK Stack or Splunk for enterprise-grade observability.

Run Container with Syslog Logging:

$ docker run --log-driver=syslog myapp

37
23.7 Monitoring Multi-Host Setups
• Track swarm services and node health with docker service ls and docker node
ls.

• Use metrics and dashboards to detect overloaded nodes or failing services.

Check Swarm Services:

$ docker service ls

Check Node Status:

$ docker node ls

23.8 Security Considerations During Troubleshooting

• Never log secrets or sensitive environment variables.

• Restrict docker exec access to trusted admins.

• Monitor unexpected containers or processes to detect intrusions.

Tip: Combine logs, metrics, and container inspections for full observability. Proac-
tively set alerts for resource limits, container crashes, and security anomalies to main-
tain a reliable production environment.

24 Docker CI/CD Integration & Automation

24.1 Introduction to Docker in CI/CD

• Docker enables consistent and reproducible builds across environments.

• Integrating Docker with CI/CD pipelines automates application deployment.

• Helps maintain DevOps best practices: versioned artifacts, automated testing, and
rapid deployment.

• Essential for both development and production environments.

38
24.2 Docker Pipelines with Git Integration
• Connect your Git repository (GitHub, GitLab, Bitbucket) with Docker CI/CD
pipelines.

• Automated builds trigger whenever code is pushed or merged.

• Versioned Docker images allow rollback to previous stable releases.

Clone Git Repository for CI/CD:

$ git clone https://github.com/example/app.git

$ cd app

Build Docker Image from Repository:

$ docker build -t myapp:${GIT_COMMIT} .

24.3 Automated Builds and Testing

• Integrate testing frameworks (unit, integration, and security tests) into Docker
builds.

• Use automated scripts in the pipeline to verify build stability.

• Prevent broken code from reaching production environments.

Run Unit Tests in Docker Container:

$ docker run --rm myapp:${GIT_COMMIT} npm test

24.4 CI/CD Tools Integration

• Jenkins: Define Docker pipelines using Declarative or Scripted Pipelines.

• GitLab CI/CD: Use ‘.gitlab-ci.yml‘ to build, test, and deploy Docker containers.

• GitHub Actions: Automate Docker workflows using ‘workflow.yml‘ files.

• Automate container build, push, and deployment in a single pipeline.

Push Docker Image to Registry:

$ docker login -u myuser -p mypass registry.example.com

$ docker tag myapp:${GIT_COMMIT} registry.example.com/myapp:${GIT_COMMIT}
$ docker push registry.example.com/myapp:${GIT_COMMIT}

39
24.5 Deployment Automation
• Deploy containers automatically to development, staging, and production environ-
ments.

• Use Docker Compose or Kubernetes manifests for multi-container deployments.

• Automate rollback on failures to ensure uptime and stability.

Deploy Docker Compose Application:

$ docker-compose -f docker-compose.prod.yml up -d

24.6 Environment Variables and Secrets Management

• Store sensitive information like API keys, passwords in ‘.env‘ files or secret man-
agers.

• Avoid hardcoding secrets in Dockerfiles or pipeline scripts.

• Integrate with CI/CD tools to inject secrets at runtime.

Run Container with Environment Variables:

$ docker run --env-file .env myapp:${GIT_COMMIT}

24.7 Automated Rollbacks and Versioning

• Tag images with commit hash or version number for traceability.

• Rollback to previous stable image if the deployment fails.

• Keep at least 3–5 previous images in registry for safety.

Rollback to Previous Image:

$ docker pull registry.example.com/myapp:previous_tag

$ docker run -d registry.example.com/myapp:previous_tag

24.8 Monitoring CI/CD Docker Pipelines

• Monitor automated builds, container health, and logs.

• Integrate Slack/email notifications for failed builds.

• Use Grafana/Prometheus for pipeline metrics and observability.

40
 Example: Notify Build Status in Slack (using webhook)

$ curl -X POST -H ’Content-type: application/json’ \

--data ’{"text":"Build Successful: myapp v1.2"}’ \
https://hooks.slack.com/services/XXXX/XXXX/XXXX

24.9 Tips for Effective CI/CD with Docker

• Use small, lightweight images to reduce build and deployment time.

• Keep Dockerfiles clean and follow best practices for caching layers.

• Run security scans during CI/CD pipelines to detect vulnerabilities.

• Automate cleanup of dangling images and stopped containers.

• Implement blue-green or canary deployments for zero downtime.

Tip: Combining Git, Docker, and CI/CD pipelines ensures faster, more reliable,
and secure deployments. Always test in staging before production and maintain
observability to prevent downtime.

25 Advanced Docker Topics

25.1 Distroless Images

Distroless images are minimal Docker images containing only the application runtime
and libraries, without shell or package managers. They improve security and reduce
image size.

Tip: Use distroless images for production containers to reduce the attack surface.

Using Distroless Base Image:

FROM gcr.io/distroless/python3
COPY app.py /
CMD ["app.py"]

25.2 Multi-Stage Builds

Multi-stage builds allow separating the build environment from the runtime environment,
keeping the final image small.

41
 Example Multi-Stage Build:

FROM golang:1.20 AS builder

WORKDIR /app
COPY . .
RUN go build -o myapp

FROM gcr.io/distroless/base
COPY --from=builder /app/myapp /myapp
CMD ["/myapp"]

25.3 Docker Security Hardening

• Run containers as non-root users.

• Enable user namespaces.

• Apply seccomp, AppArmor, or SELinux profiles.

• Use rootless Docker for safer environments.

Run Container as Non-Root User:

docker run -u 1000:1000 myapp:latest

25.4 Advanced Networking

• Use overlay networks for Swarm or multi-host communication.

• Isolate services using custom bridge networks.

• Macvlan networks for direct container-to-network communication.

Create Custom Bridge Network:

docker network create \

--driver bridge my_custom_network

25.5 Resource Management & Limits

• Limit CPU, memory, PIDs, and block IO for containers.

• Ensures production stability and prevents resource hogging.

42
 Run Container with Resource Limits:

docker run -d --name myapp \

--memory="512m" --cpus="1.0" myapp:latest

25.6 Health Checks

• Define container health to allow orchestration tools to auto-restart unhealthy con-
tainers.

Dockerfile Health Check Example:

HEALTHCHECK --interval=30s --timeout=5s \

CMD curl -f http://localhost:8080/ || exit 1

25.7 Docker Secrets & Configs

• Securely manage passwords, API keys, and configs.

• Integrate secrets in Swarm or Compose without exposing them in images.

Create Docker Secret:

echo "mypassword" | docker secret create db_pass -

25.8 Docker Registry Best Practices

• Use private registries for sensitive images.

• Sign images using Notary or Cosign.

• Integrate vulnerability scanning before deployment.

25.9 Image Optimization Techniques

• Minimize layers and image size.

• Use Alpine or scratch base images.

• Leverage build cache for faster CI/CD pipelines.

25.10 Advanced Logging & Observability

• Centralize logs using ELK stack, Fluentd, or Grafana Loki.

• Export metrics for Prometheus and monitor container health.

43
25.11 Container Runtime Differences
• Docker vs containerd vs CRI-O.

• Understand runtimes for Kubernetes integration and orchestration.

25.12 Automated Security Scans in CI/CD

• Integrate Trivy, Clair, or Anchore to scan images.

• Fail pipelines on vulnerabilities to maintain secure deployments.

25.13 Advanced Storage in Production

• Use NFS, GlusterFS, or Ceph for persistent container storage.

• Manage volumes for multi-host and clustered environments.

25.14 Docker in Kubernetes

• Deploy Docker containers on Kubernetes pods.

• Understand how images and container runtimes interact with K8s.

25.15 Immutable Infrastructure & Blue-Green Deployments

• Use Docker images to implement immutable deployments.

• Rollback and update strategies using tagged images and environment isolation.

Tip: Always tag images with versions and never use ‘latest‘ in production pipelines
to ensure predictable deployments.

25.16 Summary
These advanced Docker topics cover security, optimization, observability, CI/CD inte-
gration, and production best practices. Mastering them will help engineers build secure,
scalable, and maintainable containerized environments.

44
26 Case Studies: Real Production Scenarios

26.1 Scenario 1: Container Failure in Production

A critical container failed during peak traffic. Steps to diagnose, rollback, and
improve:

• Step 1: Check container logs

$ docker logs myapp_container

• Step 2: Inspect container status and resource usage

$ docker ps -a
$ docker stats myapp_container

• Step 3: Rollback to previous stable image

$ docker stop myapp_container

$ docker rm myapp_container
$ docker run -d --name myapp_container myapp:previous-stable

• Step 4: Analyze root cause and update Dockerfile / configuration

Ensure proper health checks, resource limits, and logging for future failures.

26.2 Scenario 2: Multi-Container Pipeline Failure

A Docker Compose stack failed to start due to dependency order issues.

• Check service logs and dependency status

$ docker-compose logs
$ docker-compose ps

• Restart services in correct order

45
 $ docker-compose up -d db
$ docker-compose up -d backend
$ docker-compose up -d frontend

• Example ASCII diagram of container dependencies:

+-----------+ +-----------+ +-----------+

| DB | <---> | Backend | <---> | Frontend |
+-----------+ +-----------+ +-----------+

• Tip: Use ‘dependso n‘indocker−compose.ymlandhealthcheckstoautomateproperstartuporder.

26.3 Scenario 3: Resource Exhaustion in Production

Container crashes due to memory/CPU limits being exceeded.

• Check container resource usage

$ docker stats myapp_container

• Update container limits in Compose / Swarm

$ docker run -d --memory="512m" --cpus="1.0" myapp:latest

• Tip: Monitor container metrics with Prometheus/Grafana for proactive alerting.

27 Visual Diagrams & Architecture

27.1 Docker Networking Architecture

Docker networking allows containers to communicate within the same host or across
multiple hosts.

• Bridge Network (default): Containers communicate on a single host.

• Host Network: Shares the host’s network namespace.

• Overlay Network: Connects multiple Docker hosts (Swarm mode).

46
 • Macvlan Network: Assigns MAC addresses to containers for direct LAN access.

ASCII Diagram: Docker Networking Basics

+-----------+
| Container |
+-----+-----+
|
+-----v-----+
| Bridge |
+-----+-----+
|
+-----v-----+
| Host |
+-----------+

27.2 Multi-Host Setup

Multi-host networking enables containers to communicate across different physical or
virtual hosts.
ASCII Diagram: Multi-Host Docker Overlay Network

Host1 Host2
+-------+ +-------+
| App1 | | App2 |
+---+---+ +---+---+
| |
+---------Overlay--------+
Network

27.3 Docker Compose Stack Architecture

• Define multi-container applications in ‘docker-compose.yml‘.

• Services can be linked, networked, and scaled easily.

ASCII Diagram: Docker Compose Stack

+-----------+ +-----------+ +-----------+

| DB | <---> | Backend | <---> | Frontend |
+-----------+ +-----------+ +-----------+
\ \ /
\ \ /

47
 \ \ /
+----------+----+
| Network |
+----------------+

27.4 Docker Swarm Cluster Architecture

Swarm mode enables clustering, scaling, and orchestration.

• Manager Nodes: Schedule tasks, maintain cluster state.

• Worker Nodes: Execute containers.

• Services: Define tasks, replicas, and scaling.

ASCII Diagram: Docker Swarm Cluster

+----------------+
| Manager Node |
+--------+-------+
|
----------------------------
| | |
+------+ +------+ +------+
|Worker| |Worker| |Worker|
+------+ +------+ +------+
\ | /
\ | /
\----------+---------/
|
Services

Tip: Always design networks, Compose stacks, and Swarm clusters with scalability,
security, and fault tolerance in mind. Use overlay networks for multi-host communi-
cation and monitor cluster health continuously.

28 Glossary of Docker Terms

• Container: A lightweight, portable, and self-sufficient executable package that
includes application code, runtime, libraries, and dependencies. Containers share
the host OS kernel but run isolated processes.

48
• Image: A read-only template used to create containers. Images consist of layers
and include the filesystem and application dependencies. Images are immutable
and versioned.

• Volume: A persistent storage mechanism for Docker containers. Volumes allow

data to survive container restarts and can be shared between containers.

• Layer: Each instruction in a Dockerfile creates a new layer in the image. Layers
are cached and reused to optimize builds.

• Overlay Network: A network that allows containers across multiple Docker hosts
to communicate securely as if they were on the same host. Used in Swarm mode.

• Secret: Securely stored sensitive data, such as passwords, tokens, or certificates,

that can be accessed by containers at runtime without embedding in images.

• Registry: A centralized repository to store and distribute Docker images. Exam-

ples include Docker Hub, AWS ECR, and private registries.

• CI/CD: Continuous Integration and Continuous Deployment pipelines automate

building, testing, and deploying containerized applications, ensuring fast and reli-
able delivery.

• Immutable: A principle where containers and images are never modified after cre-
ation. Updates require building a new image, ensuring consistency and traceability.

• Swarm: Docker’s native clustering and orchestration solution. Swarm allows scal-
ing services, scheduling containers, and managing multi-host deployments.

• Service: A long-running containerized application definition in Swarm mode. Ser-

vices define the desired state, number of replicas, and networking.

• Task: An instance of a service running on a Swarm node. Each task corresponds

to a container.

• Registry Mirror: A proxy cache for Docker registries to speed up image down-
loads and reduce external network dependency.

• Bind Mount: Mounts a directory from the host filesystem into a container. Useful
for development, but less portable than volumes.

• Entrypoint: The default executable run when a container starts. Often used to
define the main application or script in an image.

• CMD: Default command for a container if no command is provided during ‘docker

run‘. Can be overridden.

49
 • Dockerfile: A script containing instructions to build a Docker image, layer by
layer, including base image, dependencies, environment variables, and commands.

• Registry Authentication: Mechanism to securely log in to private registries to

pull or push images.

• Compose File: YAML file (‘docker-compose.yml‘) defining multi-container appli-

cations, networks, volumes, and dependencies.

• Health Check: Instructions in Dockerfiles or Compose files to verify container

health, allowing automated monitoring and recovery.

• Namespace: Kernel-level isolation mechanism used by Docker to separate con-

tainer processes, network interfaces, and filesystems.

Tip: Understanding these terms thoroughly helps in designing, deploying, and man-
aging containers effectively. Mastery of Docker terminology is essential for DevOps
and CI/CD pipelines.

29 Top 25 Real-Time Docker Interview Questions

• Can you explain the difference between a Docker image and a Docker container?

• How do you optimize Docker images for production use?

• Describe the steps you would take to troubleshoot a failing container.

• What is a Docker volume, and how is it different from a bind mount?

• Explain the role of Docker networks and the difference between bridge, host, and
overlay networks.

• How do you handle persistent storage in Docker containers?

• What is the difference between Docker Swarm and Kubernetes for orchestration?

• Can you explain what a multi-stage Dockerfile is and why it’s useful?

• How would you secure sensitive information like passwords or API keys in Docker?

• What is the difference between CMD and ENTRYPOINT in a Dockerfile?

• How do you monitor Docker containers and collect logs for production troubleshoot-
ing?

• Explain how Docker handles process isolation using namespaces and cgroups.

50
 • How would you roll back a containerized application in production if a deployment
fails?

• What is a Docker registry, and how do you authenticate with private registries?

• How do you use Docker Compose to manage multi-container applications?

• Explain the differences between Docker images built from scratch, Alpine, and
Distroless images.

• How do you perform zero-downtime deployments using Docker?

• Describe a situation where a containerized application ran into resource constraints.

How did you handle it?

• Can you explain the concept of immutable containers and why it’s important for
CI/CD?

• How do you handle environment-specific configurations in Docker containers?

• Explain the differences between rolling updates and blue-green deployments in a

Docker environment.

• How would you troubleshoot a container that cannot communicate with another
container on the same host?

• What are Docker secrets and how do you manage them across multiple services?

• How do you ensure compliance and security scanning of Docker images before de-
ployment?

• Describe a real-world scenario in which Docker improved your CI/CD pipeline effi-
ciency.

Tip: Prepare answers with examples from your real projects. Interviewers often focus
on how you solved production issues, handled scaling, and implemented security in
Docker environments.

30 Docker Command Cheat Sheet

51
30.1 Basic Commands

$ docker --version # Show Docker version installed

$ docker info # Display system-wide Docker info
$ docker help # List all Docker commands
$ docker run hello-world # Test Docker installation
$ docker ps # List running containers
$ docker ps -a # List all containers
$ docker stop <container_id> # Stop a running container
$ docker start <container_id> # Start a stopped container
$ docker restart <container_id> # Restart a container
$ docker rm <container_id> # Remove a container
$ docker images # List all Docker images
$ docker rmi <image_name> # Remove a Docker image
$ docker pull <image_name> # Pull image from Docker Hub
$ docker push <image_name> # Push image to Docker Hub
$ docker logs <container_id> # View container logs
$ docker exec -it <container_id> /bin/bash # Open interactive shell

52
30.2 Intermediate Commands

$ docker inspect <container_id> # View container details in JSON

$ docker diff <container_id> # Show file changes in container
$ docker top <container_id> # Show running processes
$ docker stats <container_id> # Display container resource usage
$ docker build -t <image_name>:<tag> . # Build image from Dockerfile
$ docker tag <image_id> <repo>:<tag> # Tag image for repository
$ docker run -d <image_name> # Run container in detached mode
$ docker run -p 8080:80 <image_name> # Map host port to container port
$ docker run --name <container_name> <image_name> # Name container
$ docker cp <container_id>:/path /host/path # Copy files from container
$ docker network ls # List Docker networks
$ docker network inspect <network_name> # Inspect network details
$ docker network create <network_name> # Create custom network
$ docker network connect <net> <container> # Connect container to network
$ docker network disconnect <net> <container> # Disconnect container
$ docker volume ls # List Docker volumes
$ docker volume inspect <volume_name> # Inspect a volume
$ docker volume create <volume_name> # Create a Docker volume
$ docker volume rm <volume_name> # Remove a Docker volume
$ docker commit <container_id> <image_name> # Create image from container
$ docker save -o <file.tar> <image_name> # Save image as tar
$ docker load -i <file.tar> # Load image from tar
$ docker system df # Show disk usage
$ docker system prune -a # Remove unused objects

53
30.3 Advanced Commands

$ docker-compose up # Start multi-container app

$ docker-compose down # Stop and remove compose containers
$ docker-compose logs # View logs of all services
$ docker-compose build # Build/rebuild compose images
$ docker-compose exec <service> /bin/bash # Open shell in service container
$ docker swarm init # Initialize Swarm cluster
$ docker swarm join <manager_ip> # Join a node to Swarm
$ docker node ls # List nodes in Swarm
$ docker service create --name <service> <image> # Create Swarm service
$ docker service ls # List all Swarm services
$ docker service ps <service> # Show tasks of a service
$ docker service scale <service>=<num> # Scale service replicas
$ docker stack deploy -c docker-compose.yml <stack_name> # Deploy stack
$ docker stack services <stack_name> # List services in stack
$ docker stack ps <stack_name> # List tasks in stack
$ docker secret create <name> <file> # Create secret in Swarm
$ docker secret ls # List all secrets
$ docker secret rm <name> # Remove a secret
$ docker config create <name> <file> # Create Swarm config
$ docker config ls # List configs
$ docker config rm <name> # Remove config
$ docker events # Monitor real-time events
$ docker attach <container_id> # Attach to container output
$ docker update --cpu <val> --memory <val> <container> # Update resources
$ docker stats # Monitor all container stats
$ docker run --restart=always <image> # Auto-restart container
$ docker inspect --format=’{{.State.Running}}’ <container> # Check running
$ docker build --no-cache -t <image_name> . # Build ignoring cache
$ docker system prune --volumes # Remove all unused objects
$ docker trust sign <image> # Sign image for Docker Content Trust
$ docker trust inspect <image> # Inspect signed images
$ docker scan <image> # Scan image for vulnerabilities
$ docker buildx create --use # Create builder instance
$ docker buildx build --platform linux/amd64,linux/arm64 -t <image> . # Multi-arch b

54
31 Docker Secrets Nobody Tells You

31.1 1. Distroless Images

Use Google’s distroless images to reduce attack surface and image size. Example:

$ docker pull gcr.io/distroless/java:11

31.2 2. Immutable Containers

Treat containers as immutable. Avoid using ‘docker exec‘ in production. Redeploy

updated images instead.

31.3 3. Multi-Stage Builds

Multi-stage builds reduce image size by separating build and runtime stages.

FROM golang:1.21 AS builder

WORKDIR /app
COPY . .
RUN go build -o myapp

FROM gcr.io/distroless/base
COPY --from=builder /app/myapp /myapp
CMD ["/myapp"]

31.4 4. Avoid Running as Root

Run containers as non-root for security.

RUN useradd -ms /bin/bash appuser

USER appuser

55
31.5 5. Docker Healthchecks

Use healthchecks to automatically monitor container health.

HEALTHCHECK --interval=30s --timeout=3s \

CMD curl -f http://localhost/ || exit 1

31.6 6. Reduce Layer Count

Combine commands with ‘‘ to reduce layers and image size.

31.7 7. Use .dockerignore

Exclude unnecessary files from the image to reduce build size.

31.8 8. Secrets Management

Never store secrets in Dockerfiles or images. Use Swarm secrets or CI/CD injection.

31.9 9. Container Runtime Security

Enable user namespaces, read-only root filesystem, and drop capabilities.

$ docker run --read-only --cap-drop=ALL myapp

31.10 10. BuildKit for Faster Builds

Enable BuildKit for caching, parallel builds, secrets injection, and multi-platform
builds.

$ export DOCKER_BUILDKIT=1
$ docker build .

31.11 11. Image Squashing

Squash layers to reduce final image size; ideal for production-ready images.

56
31.12 12. Docker Events & Debugging

Monitor container lifecycle events in real time.

$ docker events

31.13 13. Resource Limits for Stability

Prevent containers from destabilizing host resources.

$ docker run --memory=512m --cpus=1 myapp

31.14 14. Networking Gotchas

Containers in different networks cannot communicate unless explicitly connected.

31.15 15. Image Signing

Use Docker Content Trust to sign images.

$ docker trust sign <image>

$ docker trust inspect <image>

31.16 16. Garbage Collection

Remove unused images, containers, volumes, and networks regularly.

$ docker system prune -a --volumes

31.17 17. Logging Drivers

Forward container logs to central systems using ‘fluentd‘ or ‘syslog‘.

31.18 18. CI/CD Integration

Automate builds with pipelines including linting, scanning, multi-arch builds, and
tagging.

57
31.19 19. Multi-Arch Images

Build images for multiple platforms using buildx.

$ docker buildx build --platform linux/amd64,linux/arm64 -t myapp .

31.20 20. Use Labels for Metadata

Include build info, maintainer, or version in images using LABEL.

LABEL maintainer="yourname@example.com"
LABEL version="1.0"

31.21 21. Slim Base Images

Use minimal base images like ‘alpine‘ to reduce image size and attack surface.

FROM alpine:3.18
RUN apk add --no-cache curl

31.22 22. Read-Only File Systems

Run containers with read-only root filesystem and mount volumes for writable paths
only.

$ docker run --read-only -v /data myapp

31.23 23. Avoid Installing Debug Tools in Production

Do not include unnecessary tools like ‘vim‘, ‘curl‘, ‘wget‘ in production images to
reduce attack surface.

58
31.24 24. Leverage Docker Build Secrets

Inject secrets (API keys, passwords) securely during build without baking into the
image.

$ DOCKER_BUILDKIT=1 docker build --secret id=mysecret,src=secret.txt .

31.25 25. Container Health Probes

Use startup, liveness, and readiness probes in orchestration platforms like Swarm or
Kubernetes to auto-heal unhealthy containers.

31.26 26. Efficient Layer Caching

Order Dockerfile commands to maximize cache hits and reduce rebuild time. Place
frequently changing commands last.

31.27 27. Multi-Stage Build Secrets

Combine multi-stage builds with BuildKit secrets to avoid leaking sensitive data in
intermediate layers.

31.28 28. Docker Configs in Swarm

Store non-sensitive configuration files in Swarm configs to separate code from config.

$ docker config create my_config config.yml

$ docker service create --name my_service --config source=my_config,target=/app/co

31.29 29. Docker Content Trust (DCT)

Sign images to ensure authenticity and integrity in production pipelines.

$ export DOCKER_CONTENT_TRUST=1
$ docker pull myapp:latest

59
31.30 30. Clean Up Dangling Resources Regularly

Avoid disk bloat by removing dangling images, stopped containers, and unused vol-
umes.

$ docker image prune -f

$ docker container prune -f
$ docker volume prune -f

31.31 31. Readable Logs and Debugging

Forward logs to centralized systems, and use ‘–log-driver‘ and ‘–log-opt‘ for structured
logging.

$ docker run --log-driver=json-file --log-opt max-size=10m myapp

31.32 32. Network Isolation

Use separate overlay or bridge networks for microservices to isolate communication

and improve security.

$ docker network create --driver overlay app_net

$ docker service create --name web --network app_net mywebapp

31.33 33. Using Labels for CI/CD Automation

Apply labels to automate deployments, monitoring, and tagging.

LABEL com.company.service="web" \
com.company.version="1.0"

31.34 34. Readiness for Cloud-Native Deployments

Design containers to start fast, respond to signals, and exit cleanly for orchestrators
like Kubernetes or Swarm.

60
31.35 35. Minimize Secrets in Environment Variables

Inject secrets dynamically via orchestrators instead of baking them into ENV for
security.

32 Advanced Production-Level Docker Secrets

32.1 36. Advanced Multi-Stage Builds for Smaller Images

Use multi-stage builds to separate build dependencies from runtime dependencies,

reducing image size and attack surface.

# Stage 1: Build
FROM golang:1.20 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

# Stage 2: Runtime
FROM alpine:3.18
COPY --from=builder /app/myapp /usr/local/bin/myapp
ENTRYPOINT ["myapp"]

32.2 37. Image Provenance and Trust in Production

Ensure images are authentic and unmodified by using Docker Content Trust and
signed images.

$ export DOCKER_CONTENT_TRUST=1
$ docker pull myapp:latest
$ docker trust inspect myapp

61
32.3 38. CI/CD Pipeline Optimizations with Docker

Use Docker layers effectively, cache dependencies, and run tests in containers to speed
up CI/CD pipelines.

# Cache dependencies in CI
FROM node:20 AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
RUN npm run build

32.4 39. Immutable Infrastructure with Docker

Treat containers as immutable; deploy new versions instead of patching running con-
tainers to improve reliability.

32.5 40. Dynamic Environment Injection

Inject configuration dynamically at runtime using environment variables or secret

management tools like HashiCorp Vault.

dockerrun − eAP IK EY =APIK EY myapp

32.6 41. Layer Caching and BuildKit for CI

Use BuildKit for advanced caching strategies across CI pipelines to reduce build time.

DOCKERB U ILDKIT = 1dockerbuild − −targetbuilder − tmyapp : cache.

32.7 42. Runtime Resource Constraints

Set CPU, memory, and I/O limits to prevent noisy neighbors in production.

dockerrun − −cpus = ”2” − −memory = ”1g”myapp

62
32.8 43. Health Checks and Auto-Healing

Define container health checks to automatically restart unhealthy containers.

HEALTHCHECK –interval=30s –timeout=5s CMD curl -f http://localhost/

—— exit 1

32.9 44. CI/CD Orchestrator Integration

Integrate Docker with Jenkins, GitLab CI, or GitHub Actions for end-to-end automa-
tion with minimal manual steps.

32.10 45. Versioned Artifacts and Rollbacks

Tag images with semantic versions and maintain rollback capability for production
deployments.

dockertagmyapp : latestmyapp : 1.0.1 docker push myapp:1.0.1

32.11 46. Minimize Secrets in Build Context

Never bake secrets in Dockerfile; use ‘.dockerignore‘ and build-time secret injection.

DOCKERB U ILDKIT = 1dockerbuild − −secretid = mysecret, src =

secret.txt.

32.12 47. Continuous Image Scanning

Scan images continuously for vulnerabilities using tools like ‘docker scan‘ or third-
party scanners.

dockerscanmyapp : latest

32.13 48. CI/CD Cache Sharing Across Builds

Use remote cache or CI/CD caching strategies to share Docker layer caches and
accelerate builds.

63
Docker eBook Summary
This Docker Handbook has been designed to provide a comprehensive guide from foun-
dational concepts to advanced production-level practices. Below is a concise summary of
key topics covered:

• Introduction & Basics: Docker architecture, installation on Linux/Mac/Windows,

Docker Desktop, initial commands.

• Images & Containers: Building, pulling, running, and managing containers;

Dockerfile deep dive with best practices.

• Volumes & Persistent Storage: Creating, managing, and securing volumes;

importance of data persistence.

• Networking & Multi-Container Applications: Container linking, Docker net-

works, Docker Compose fundamentals.

• Swarm & Orchestration: Master/agent setups, service scaling, stack deploy-

ments, Swarm secrets and configs.

• Security & Compliance: Image scanning, user permissions, secrets management,

role-based access control, production best practices.

• Logging, Monitoring & Troubleshooting: Container logs, resource monitoring,

observability, debugging strategies.

• CI/CD Integration & Automation: Docker pipelines, Git integration, auto-

mated builds and deployments, multi-stage caching.

• Advanced Topics: Distroless images, multi-arch builds, image provenance, ad-

vanced caching, performance optimization.

• Case Studies & Real Production Scenarios: Production failures, rollback

strategies, pipeline improvements, ASCII diagrams of setups.

• Visual Diagrams & Architecture: Docker networking, multi-host setups, Com-

pose stacks, Swarm clusters.

• Glossary & Command Cheat Sheet: Key Docker terms, 100+ commands from
basic to advanced with examples.

Key Takeaways:

64
• Docker empowers DevOps engineers to build, ship, and run applications efficiently.

• Security, monitoring, and best practices are essential for production-grade deploy-
ments.

• Multi-stage builds, CI/CD integration, and orchestration significantly improve effi-

ciency and reliability.

• Advanced Docker secrets, caching, and image provenance enhance both security
and performance.

65
Captain’s Log
Our voyage with Docker ends here, but the real adventure begins in your
production environments.
Keep shipping, keep scaling, keep innovating.

Thank You for reading this Docker Digital Guide!

Author: Sainath Shivaji Mitalakar
Edition: 2025

”Excellence happens not by accident. It is a process.”

– APJ Abdul Kalam

Key Takeaways:

• Follow security best practices: scan images, manage secrets, use least privilege.

• Monitor containers continuously to prevent production issues.

• Automate builds, tests, and deployments with CI/CD pipelines.

• Optimize Docker images using multi-stage builds and caching.

• Collaborate and share knowledge within your DevOps community.

Call-to-Action:
Connect with me on LinkedIn to share ideas, learn together, and grow as Docker and DevOps
professionals!
Sainath Shivaji Mitalakar

66