Docker is a container technology. Cointainers standardize software packaging. It’s a well timed fusion of

Think of a container not as a virtual machine but a very lightweight wrapper around an isolated group of processes. These processes are restricted to private root filesystem and process namespace.

Docker revision-controls:

  1. filesystem layers
  2. image tags


docker architecture


Docker server - the docker command run in daemon mode on a Linux host:

$ sudo docker -d -H unix:///var/run/docker.sock -H tcp://

Docker image - one or more filesystem layers and metadata that represent all the files required to run a Dockerized application:

docker images

Docker container - a Linux container that has been instantiated from a Docker image


Two ways to launch a container:

To create a custom image you need a Dockerfile - each line in a Dockerfile creates a new image layer that is stored by Docker

Build an image:

git clone
cd docker-node-hello
docker build -t example/docker-node-hello:latest .

Run an image (or a container?):

docker run -d -p 80:8080 example/docker-node-hello:latest

Remove an image:

docker images
docker rmi <image_id>

Remove all images on your Docker host:

docker rmi $(docker images -q -)


A container is a self-contained execution environment that shares the kernel of the host system and which is isolated from other containers in the system.

Containers are a Linux only technology.

Create a container (see also “Run an image” above):

docker run --rm -it ubuntu /bin/bash

Get into a running container:

docker ps
docker exec -it <container_id> /bin/bash # new process created in the container

Stop a container:

docker stop <container_id>

Remove a container:

docker ps -a
docker rm <container_id>

Remove all containers on your Docker host:

docker rm  $(docker ps -a -q)


Add a volume to a container (-v):

$ docker run -v /data --rm --hostname web --name web -d nginx
$ docker inspect -f '{{ json .Mounts }}' web | jq
    "Type": "volume",
    "Name": "2d80bc1056787f16b71fb0edced98b3036252083044b1c8db536627c2544a121",
    "Source": "/var/lib/docker/volumes/2d80bc1056787f16b71fb0edced98b3036252083044b1c8db536627c2544a121/_data",
    "Destination": "/data",
    "Driver": "local",
    "Mode": "",
    "RW": true,
    "Propagation": ""

Add bind volume (mount volume on the host and in a container simultaneously):

$ docker run -v /mnt/data:/data --rm --name web -d nginx
$ docker inspect -f '{{ json .Mounts }}' web

Have a data volume container:

$ docker create -v /mnt/data:/data --name nginx-data nginx          # never runs
$ docker run --volumes-from nginx-data -p80:80 --name web -d nginx


During installation Docker creates three default networks:

$ docker network ls
NETWORK ID          NAME                DRIVER              SCOPE
0e07cd43ad1b        bridge              bridge              local
1876373e07e4        host                host                local
e3f087868688        none                null                local
  1. bridge (virtual switch, poor man’s router) is the default –> private namespaced network within the host
  2. with host networking no separate network namespace is used (docker run --net host ...)
  3. none is for advanced use cases

docker bridge network

When you use -p Docker creates iptables rules that route traffic from the host’s public interface on the container’s interface on the bridge network.

Monitoring and cleanup

Containers’ statistics:

docker stats [--no-stream]

Clean up:

# you will be asked to confirm
docker system prune                                     # containers, images
docker images prune                                     # only images

# be careful!
docker volume rm $(docker volume ls -qf dangling=true)  # volumes

Limiting a container’s resources


To limit the memory resource to 500 MB and forbid access to swap for a container:

docker run --rm --it --name mem-muncher --memory=500m --memory-swap=500m mem-muncher

See mem-muncher and Limit a container’s resources for more.



comments powered by Disqus