Executive Summary
Containers have become the standard packaging and deployment format for applications in 2026. Docker usage has reached 83% among developers, Kubernetes adoption is at 76%, and 80% of organizations run containers in production. Serverless containers (Fargate, Cloud Run, Azure Container Apps) reached 58% adoption, reflecting a trend toward managed container infrastructure that eliminates node management. This guide covers every aspect of Docker and containerization from basics to advanced production patterns.
- 83% of developers use Docker in 2026, with container adoption in production reaching 80%. Docker remains the dominant development tool while containerd is the standard runtime for Kubernetes.
- Multi-stage builds and distroless images are standard practice. Average image sizes dropped 60% as teams adopt minimal base images, multi-stage builds, and BuildKit optimizations.
- Docker Scout provides built-in security scanning for CVE detection, SBOM generation, and base image recommendations. Image security is now a CI/CD gate at most organizations.
- Compose Watch and DevContainers transformed local development. File syncing, hot reloading, and identical development environments for entire teams are now one command away.
83%
Docker usage (developers)
76%
Kubernetes adoption
80+
Docker commands documented
58%
Serverless containers
Part 1: Containers vs Virtual Machines
Containers and VMs both provide isolation but at different levels. A VM virtualizes the entire hardware: it runs a full operating system with its own kernel on a hypervisor (VMware, KVM, Hyper-V). A container shares the host OS kernel and isolates the application using Linux namespaces (PID, network, mount, user) and cgroups (resource limits). Containers are lighter (MBs vs GBs), start faster (milliseconds vs minutes), and are more portable (OCI standard image format).
When to use containers: application deployment, microservices, CI/CD, development environments, horizontal scaling. When to use VMs: running different operating systems, stronger security isolation for untrusted workloads, legacy applications requiring specific OS versions, compliance requirements mandating hardware-level isolation. Hybrid approaches exist: Kata Containers run each container in a lightweight VM; Firecracker creates microVMs in 125ms.
Container Adoption (2017-2026)
Source: OnlineTools4Free Research
Part 2: Dockerfile
A Dockerfile is a text file containing instructions to build a Docker image. Each instruction creates a layer or metadata. The build process: (1) FROM sets the base image. (2) RUN executes commands during build (install packages, compile code). (3) COPY/ADD copies files from build context. (4) WORKDIR sets working directory. (5) ENV sets environment variables. (6) EXPOSE documents ports. (7) CMD/ENTRYPOINT defines the default container command.
Best practices: Use multi-stage builds to separate build and runtime. Minimize layers by combining RUN commands. Order instructions from least to most frequently changing for cache optimization. Use .dockerignore to exclude unnecessary files. Run as non-root user (USER instruction). Add HEALTHCHECK for health monitoring. Pin base image versions. Never store secrets in the Dockerfile (use BuildKit secrets mount).
Dockerfile Instructions Reference (17)
17 rows
| Instruction | Required | Description | Best Practice |
|---|---|---|---|
| FROM | Yes | Base image for the build stage. Every Dockerfile starts with FROM. Multi-stage: multiple FROM instructions create separate build stages. | Use specific tags (not :latest). Use slim/alpine variants. Use multi-stage builds. |
| RUN | No | Execute command during build. Creates a new image layer. Combine related commands with && to reduce layers. | Chain with &&, use --no-cache for package managers, clean up in same RUN. |
| COPY | No | Copy files/directories from build context into the image. Preferred over ADD for simple copies. | Copy package.json first for dependency caching. Use .dockerignore. |
| ADD | No | Like COPY but also extracts tar archives and fetches URLs. Use COPY unless you need extraction. | Prefer COPY. Use ADD only for tar extraction. |
| WORKDIR | No | Set working directory for subsequent instructions. Creates the directory if it does not exist. | Use absolute paths. Set early in Dockerfile. |
| CMD | No | Default command when container starts. Only the last CMD takes effect. Overridden by docker run arguments. | Use exec form (JSON array) for proper signal handling. |
| ENTRYPOINT | No | Configure container as an executable. CMD becomes arguments to ENTRYPOINT. Harder to override than CMD. | Use exec form. Combine with CMD for default arguments. |
| ENV | No | Set environment variable persisted in the image and available at runtime. | Use for build-time config. For secrets, use --mount=type=secret. |
| ARG | No | Build-time variable (not persisted in image). Set with --build-arg during docker build. | Use for version numbers, base image tags. Never for secrets. |
| EXPOSE | No | Document which ports the container listens on. Does NOT publish ports (use -p at runtime). | Document all ports. Use docker run -p to actually publish. |
| VOLUME | No | Create a mount point for persistent data. Anonymous volume created if not bound at runtime. | Use for database data, logs. Prefer named volumes at runtime. |
| USER | No | Set user/group for subsequent instructions and container runtime. Security best practice. | Never run as root. Create non-root user in Dockerfile. |
| HEALTHCHECK | No | Define health check command. Docker marks container unhealthy if check fails. | Always add. Use lightweight checks (curl, wget, or custom script). |
| LABEL | No | Add metadata to image as key-value pairs. Used by registries, orchestrators, and tooling. | Add maintainer, version, description. Follow OCI image spec. |
| SHELL | No | Override default shell for RUN commands. Default: /bin/sh -c (Linux), cmd /S /C (Windows). | Use for bash-specific features in RUN commands. |
| STOPSIGNAL | No | Set signal sent to container on docker stop. Default: SIGTERM. | Use when app needs specific shutdown signal. |
| ONBUILD | No | Trigger instruction when image is used as base for another build. | Use sparingly. Useful for base images in organizations. |
Part 3: Images and Layers
Docker images are built in layers using a union filesystem. Each Dockerfile instruction that modifies the filesystem creates a new layer. Layers are read-only, cached, and shared between images (deduplication). When a container runs, a thin writable layer is added on top. Understanding layers is key to optimizing build cache and image size. Use docker history to inspect layers. Use docker image inspect for detailed metadata.
Base image selection: scratch (empty, for static binaries), distroless (minimal, no shell), alpine (5MB, musl libc), slim variants (Debian without extras), full images (for debugging). Multi-platform images support multiple architectures (amd64, arm64) in a single reference. BuildKit enables parallel stage building, registry-based caching, and build secrets.
Part 4: Volumes and Storage
Docker provides three storage mechanisms: (1) Named volumes (docker volume create): managed by Docker, stored in /var/lib/docker/volumes/, best for production data (databases, uploads). (2) Bind mounts: map host directory into container, best for development (source code editing). (3) tmpfs: in-memory storage, not persisted, for sensitive temporary data. Volumes survive container removal; the writable container layer does not.
Part 5: Networking
Docker networking drivers: bridge (default, isolated network per host), host (share host network stack, no port mapping needed), overlay (multi-host, Swarm/K8s), none (no networking), macvlan (assign MAC address, appear as physical device). Custom bridge networks provide DNS-based service discovery: containers resolve each other by name. Port publishing (-p host:container) uses NAT. Docker creates virtual ethernet pairs and iptables rules for routing.
Part 6: Docker Compose
Docker Compose defines multi-container applications in a YAML file (compose.yaml, formerly docker-compose.yml). Services define containers (image, build, ports, volumes, environment, depends_on, healthcheck). Networks define isolated communication channels. Volumes define persistent storage. Compose Watch (develop.watch) enables automatic file syncing and rebuilding during development.
Docker Compose Configuration Keys (22)
22 rows
| Key | Level | Description |
|---|---|---|
| services | Top | Define application services (containers). Each service has its own config. |
| image | Service | Container image to use. If build is also specified, the built image is tagged with this name. |
| build | Service | Build configuration. String (context path) or object (context, dockerfile, args, target). |
| ports | Service | Port mapping (host:container). Long form for protocol and mode (host/ingress). |
| volumes | Service | Mount volumes. Named volumes, bind mounts, or tmpfs. |
| environment | Service | Set environment variables. List or map format. |
| env_file | Service | Load environment variables from file(s). |
| depends_on | Service | Service dependencies. With condition for health checks. |
| networks | Service | Networks to connect service to. |
| restart | Service | Restart policy. Values: no, always, on-failure, unless-stopped. |
| healthcheck | Service | Health check configuration for the service. |
| deploy | Service | Deployment configuration (replicas, resources, placement). |
| command | Service | Override default CMD from image. |
| entrypoint | Service | Override ENTRYPOINT from image. |
| working_dir | Service | Override WORKDIR from image. |
| user | Service | Run as specified user. |
| develop | Service | Development mode config (Compose Watch). Sync files, rebuild on changes. |
| profiles | Service | Assign service to profiles. Only started when profile is active. |
| volumes (top) | Top | Define named volumes used by services. |
| networks (top) | Top | Define custom networks. |
Page 1 of 2
Part 7: Multi-stage Builds
Multi-stage builds use multiple FROM instructions to create separate build stages. COPY --from=stagename copies artifacts between stages. Example: Stage 1 (FROM node:22 AS builder) installs dependencies and builds. Stage 2 (FROM node:22-slim) copies only production files. Result: the final image has no build tools, dev dependencies, or source that was only needed for compilation. Typical size reduction: 500MB-1GB to 100-200MB. Use --target to build a specific stage.
Part 8: Docker Hub and Registries
Container registries store and distribute images. Docker Hub is the default public registry with official images, verified publishers, and community images. Alternatives: GitHub Container Registry (ghcr.io), Google Artifact Registry, AWS ECR, Azure ACR, Quay.io, Harbor (self-hosted). Features: vulnerability scanning, access control, image signing, multi-platform manifests, and storage quotas. Always use image digests (sha256:...) in production for immutable references.
Part 9: Security
Container security layers: (1) Image security: scan for CVEs (Docker Scout, Trivy), use minimal base images, never run as root. (2) Build security: use --mount=type=secret for build secrets, never COPY .env files. (3) Runtime security: set resource limits, use read-only filesystem, drop capabilities, use seccomp/AppArmor profiles. (4) Supply chain: verify image signatures (Docker Content Trust, cosign), generate SBOMs, pin images by digest. (5) Network: use custom bridge networks, do not expose unnecessary ports.
Part 10: Orchestration and Kubernetes
Container orchestration automates deployment, scaling, and management across multiple hosts. Kubernetes is the industry standard with 76% adoption. Core K8s concepts: Pod (smallest unit, one or more containers), Deployment (manages pod replicas, rolling updates), Service (stable network endpoint), Ingress (HTTP routing), ConfigMap/Secret (configuration), PersistentVolumeClaim (storage). Managed K8s: EKS, GKE, AKS. Serverless containers: Cloud Run, Fargate, Container Apps.
Container Runtimes Comparison
9 rows
| Runtime | Type | Description | Best For |
|---|---|---|---|
| Docker Engine | High-level | The original container platform. Docker daemon (dockerd) manages containers. Most popular for development. Uses containerd and runc under the hood. | Development, CI/CD, single-host deployment |
| containerd | High-level | Industry-standard container runtime. Used by Docker Engine, Kubernetes (default since 1.24), AWS ECS, and Google Cloud. Graduated CNCF project. | Kubernetes nodes, cloud platforms |
| CRI-O | High-level | Lightweight container runtime specifically for Kubernetes. Does not support Docker CLI. CNCF incubating. Used by Red Hat OpenShift. | Kubernetes-only environments, security-focused |
| Podman | High-level | Daemonless container engine. Docker CLI compatible (alias docker=podman). Rootless by default. Pod concept native. Red Hat backed. | Rootless containers, Docker replacement, RHEL/Fedora |
| runc | Low-level | Reference OCI runtime. Spawns and runs containers using Linux namespaces and cgroups. Used by Docker, containerd, CRI-O, Podman. | Default OCI runtime, foundation for all above |
| crun | Low-level | OCI runtime written in C (vs runc in Go). Faster startup, lower memory. Default in Fedora/RHEL. Used by Podman. | Performance-sensitive workloads, edge computing |
| gVisor (runsc) | Low-level (sandboxed) | Google sandboxed container runtime. Implements Linux syscalls in userspace (application kernel). Security isolation without VMs. | Multi-tenant, untrusted workloads, security-critical |
| Kata Containers | Low-level (VM-based) | Runs each container in a lightweight VM with its own kernel. Combines container speed with VM-level isolation. | Strong isolation requirements, regulated industries |
| Firecracker | MicroVM | AWS microVM technology. Creates lightweight VMs in ~125ms. Powers AWS Lambda and Fargate. Not a traditional OCI runtime. | Serverless functions, secure multi-tenant compute |
Orchestration Tools Comparison
8 rows
| Tool | Type | Complexity | Best For |
|---|---|---|---|
| Kubernetes (K8s) | Container Orchestration | High | Production workloads, microservices, multi-cloud |
| Docker Swarm | Container Orchestration | Low | Small deployments, Docker-native workflows |
| Docker Compose | Multi-container (single host) | Very Low | Development, testing, CI pipelines, small deployments |
| Nomad (HashiCorp) | Workload Orchestration | Medium | Mixed workloads (containers + non-containers), simpler K8s alternative |
| AWS ECS | Managed Container Service | Low-Medium | AWS-only infrastructure, teams avoiding K8s complexity |
| AWS Fargate | Serverless Containers | Low | Serverless container workloads, event-driven processing |
| Google Cloud Run | Serverless Containers | Very Low | Web APIs, event processing, scale-to-zero workloads |
| Azure Container Apps | Serverless Containers | Low | Azure microservices, event-driven architectures |
Part 11: CI/CD with Docker
Docker in CI/CD pipelines: (1) Build: docker build with BuildKit cache. (2) Test: run tests inside container (docker run app npm test). (3) Scan: vulnerability scanning as a gate (docker scout, trivy). (4) Push: tag and push to registry. (5) Deploy: update container image in orchestrator. Optimization: use multi-stage builds for test/build/runtime separation, leverage BuildKit --cache-from for registry-based caching, use docker compose for integration test environments.
Part 12: Best Practices
Build: one process per container, use multi-stage builds, minimize image size, pin base image versions, run as non-root, add HEALTHCHECK, use .dockerignore. Runtime: set resource limits (--memory, --cpus), use read-only filesystem, never store state in containers, log to stdout/stderr. Operations: scan images for vulnerabilities, keep images updated, use image signing, implement health checks, monitor with Prometheus/Grafana.
Part 13: Docker Commands Reference (80+)
Docker Commands Reference (80+ Commands)
67 rows
| Command | Category | Description | Key Flags |
|---|---|---|---|
| docker run | Container | Create and start a container from an image | -d (detach), -p (port), -v (volume), --name, -e (env), --rm, -it, --network |
| docker ps | Container | List running containers | -a (all), -q (IDs only), --filter, --format |
| docker stop | Container | Stop running container(s) gracefully (SIGTERM then SIGKILL) | -t (timeout seconds) |
| docker start | Container | Start stopped container(s) | -a (attach), -i (interactive) |
| docker restart | Container | Restart container(s) | -t (timeout) |
| docker rm | Container | Remove stopped container(s) | -f (force), -v (remove volumes) |
| docker exec | Container | Run a command in a running container | -it (interactive TTY), -e (env), -u (user), -w (workdir) |
| docker logs | Container | View container logs | -f (follow), --tail N, --since, --until, -t (timestamps) |
| docker inspect | Container | Display detailed container/image/network info as JSON | --format (Go template) |
| docker cp | Container | Copy files between container and host | -a (archive mode) |
| docker top | Container | Display running processes in a container | ps options |
| docker stats | Container | Display live resource usage statistics | --no-stream, --format |
| docker attach | Container | Attach stdin/stdout/stderr to running container | --no-stdin, --sig-proxy |
| docker wait | Container | Block until container stops, then print exit code | |
| docker kill | Container | Send signal to container (SIGKILL by default) | -s (signal) |
| docker rename | Container | Rename a container | |
| docker pause | Container | Pause all processes in a container (SIGSTOP) | |
| docker unpause | Container | Unpause paused container | |
| docker update | Container | Update container resource limits | --memory, --cpus, --restart |
| docker diff | Container | Show changes to files in container filesystem |
Page 1 of 4
Glossary (50+ Terms)
Container
Core ConceptA lightweight, standalone, executable package that includes everything needed to run an application: code, runtime, system tools, libraries, and settings. Containers share the host OS kernel (unlike VMs that include a full OS). They provide process isolation through Linux namespaces (PID, network, mount, user) and resource limiting through cgroups. Containers are created from images and are ephemeral by design.
Image
Core ConceptA read-only template used to create containers. Images are built in layers (each Dockerfile instruction creates a layer). Layers are shared between images (deduplication). Images are stored in registries and pulled by tag or digest. The image format follows the OCI Image Specification. Base images (FROM) provide the OS and runtime; your Dockerfile adds application layers on top.
Dockerfile
BuildA text file containing instructions to build a Docker image. Each instruction (FROM, RUN, COPY, CMD) creates a layer or metadata. Best practices: use multi-stage builds, minimize layers, leverage build cache (put rarely-changing instructions first), use .dockerignore, run as non-root user, add HEALTHCHECK.
Docker Compose
ToolingA tool for defining and running multi-container Docker applications using a YAML file (compose.yaml). Manages services, networks, volumes, and dependencies. Compose v2 is a Docker CLI plugin (docker compose, not docker-compose). Use for development environments, testing, and simple deployments.
Volume
StoragePersistent storage mechanism for containers. Three types: named volumes (docker volume create, managed by Docker, preferred), bind mounts (host directory mounted into container, used for development), and tmpfs (in-memory, not persisted). Volumes survive container removal. Use for: databases, file uploads, logs, and any data that must persist.
Network
NetworkingDocker networking connects containers to each other and to the host. Default networks: bridge (default, isolated), host (share host network), none (no networking). Custom bridge networks provide DNS-based service discovery (containers can reach each other by service name). Overlay networks span multiple Docker hosts (Swarm/K8s).
Registry
DistributionA storage and distribution system for container images. Public: Docker Hub (default), GitHub Container Registry (ghcr.io), Quay.io. Private: AWS ECR, Google Artifact Registry, Azure ACR, Harbor (self-hosted). Images are pushed to and pulled from registries. Registries support tags, digests, multi-platform manifests, and vulnerability scanning.
Multi-stage Build
BuildA Dockerfile technique using multiple FROM instructions to create intermediate build stages. Copy only the final artifacts from build stages to the runtime stage, dramatically reducing image size. Example: stage 1 compiles Go binary (large, has build tools), stage 2 copies only the binary into a scratch/distroless image (tiny, no shell, no tools).
Layer
Core ConceptEach instruction in a Dockerfile creates a read-only layer in the image. Layers are cached and shared between images. The union filesystem overlays layers to present a single filesystem. Container runtime adds a writable layer on top. Layer caching accelerates builds: if a layer instruction has not changed, Docker reuses the cached layer. Order Dockerfile instructions from least to most frequently changing for optimal caching.
BuildKit
BuildThe next-generation build engine for Docker. Features: parallel build stages, better caching (local, registry, S3), build secrets (--mount=type=secret), SSH forwarding (--mount=type=ssh), multi-platform builds (--platform), and build output exports. Default since Docker 23.0. Enable explicitly with DOCKER_BUILDKIT=1 on older versions. Used via docker buildx build.
OCI (Open Container Initiative)
StandardsAn open governance structure for creating industry standards around container formats and runtimes. Three specifications: Runtime Specification (how to run a container), Image Specification (image format and layers), and Distribution Specification (how to push/pull images). OCI ensures interoperability between container tools (Docker, Podman, containerd, etc.).
Namespace (Linux)
Linux KernelA Linux kernel feature that provides isolation for containers. Types: PID (process IDs), Network (network interfaces, ports), Mount (filesystem mounts), User (UID/GID mapping), UTS (hostname), IPC (inter-process communication), and Cgroup (cgroup visibility). Each container has its own set of namespaces, creating the illusion of a separate system. Namespaces are the foundation of container isolation.
Cgroup (Control Group)
Linux KernelA Linux kernel feature that limits, accounts for, and isolates resource usage (CPU, memory, disk I/O, network) of processes. Docker uses cgroups to enforce container resource limits: --memory (memory limit), --cpus (CPU limit), --blkio-weight (disk I/O). Without cgroup limits, a container can consume all host resources.
Distroless Image
SecurityContainer images that contain only the application and its runtime dependencies, without package managers, shells, or OS utilities. Created by Google (gcr.io/distroless). Much smaller and more secure than traditional base images (no shell = no shell exploits). Debugging is harder (no exec into shell). Alternative: scratch (completely empty) for statically compiled binaries.
Container Orchestration
OperationsAutomated management of containerized applications across multiple hosts. Handles: deployment, scaling (horizontal/vertical), load balancing, service discovery, rolling updates, self-healing (restart failed containers), secret management, and configuration management. Kubernetes is the dominant orchestrator. Alternatives: Docker Swarm, Nomad, ECS, Cloud Run.
Kubernetes Pod
KubernetesThe smallest deployable unit in Kubernetes. A pod contains one or more containers that share: network namespace (same IP, can communicate via localhost), storage volumes, and lifecycle. Most pods run a single container. Multi-container pods: sidecar (logging, proxying), init containers (setup), and ambassador/adapter patterns. Pods are ephemeral; Deployments manage pod lifecycle.
Kubernetes Service
KubernetesAn abstraction that defines a logical set of pods and a policy to access them. Service types: ClusterIP (internal), NodePort (expose on node port), LoadBalancer (cloud LB), and ExternalName (DNS alias). Services provide stable DNS names and IP addresses for pod sets that change dynamically. Selectors match services to pods via labels.
Kubernetes Deployment
KubernetesA controller that manages a set of identical pods. Provides: declarative updates (desired state), rolling updates (zero-downtime), rollback, and scaling (replicas). A Deployment creates a ReplicaSet, which creates pods. Most common way to run stateless applications in Kubernetes.
Container Security Scanning
SecurityAnalyzing container images for known vulnerabilities (CVEs), misconfigurations, and secrets. Tools: Docker Scout (built-in), Trivy (open-source, comprehensive), Snyk Container, Grype, Clair. Scan in CI/CD pipeline before pushing to registry. Best practice: scan base images, application dependencies, and Dockerfile misconfigurations. Keep base images updated. Use distroless/minimal base images.
.dockerignore
BuildA file that specifies patterns of files and directories to exclude from the Docker build context. Similar to .gitignore. Reduces build context size, speeds up builds, and prevents copying sensitive files (node_modules, .env, .git, build artifacts) into the image. Essential for large projects.
Health Check
OperationsA mechanism to verify container application health. Defined in Dockerfile (HEALTHCHECK instruction) or compose.yaml (healthcheck key). Docker periodically runs the health command; if it fails, the container is marked unhealthy. Orchestrators (K8s, Docker Swarm) use health status for load balancing and restarts. Types in K8s: liveness (restart if failing), readiness (remove from service if failing), startup (delay checks during startup).
Rootless Containers
SecurityRunning container engines and containers without root privileges. Podman is rootless by default. Docker supports rootless mode (dockerd-rootless). Benefits: no root daemon = smaller attack surface, no privilege escalation risk. Limitations: some networking features require root, port binding below 1024 requires capabilities. Essential for shared systems and security-conscious deployments.
Container Image Layers
Core ConceptEach Dockerfile instruction creates an immutable layer. Layers are stacked using a union filesystem (overlayfs). Unchanged layers are shared between images (deduplication saves disk and bandwidth). The writable container layer is added at runtime. Best practice: minimize layers by combining RUN commands, put frequently changing instructions last for better cache utilization.
Docker Context
ToolingA configuration that defines the Docker endpoint to connect to. Allows switching between local Docker, remote Docker hosts, and cloud providers. Commands: docker context create, docker context use, docker context ls. Used for: managing development/staging/production Docker environments from a single CLI.
Init Container
KubernetesA Kubernetes concept: a container that runs and completes before the main application containers start. Used for: database migration, configuration generation, waiting for dependencies, downloading assets, and setting file permissions. Init containers run sequentially, and the pod does not start until all init containers succeed.
Sidecar Container
KubernetesA container that runs alongside the main application container in the same pod. Used for: log collection (Fluentd), monitoring (Prometheus exporter), proxy (Envoy/Istio), TLS termination, and configuration reloading. Sidecar shares the pod network and can communicate with the main container via localhost. K8s 1.28+ has native sidecar support (restartPolicy: Always on init containers).
Helm
KubernetesThe package manager for Kubernetes. Helm charts are pre-configured packages of Kubernetes resources (YAML templates + values). Commands: helm install, helm upgrade, helm rollback. Artifact Hub provides a registry of community charts. Helm manages releases, versioning, and templating of Kubernetes manifests. Alternative: Kustomize (built into kubectl, patches rather than templates).
Container Networking Model
NetworkingDocker default networking: each container gets its own network namespace with a virtual ethernet pair connected to a bridge network (docker0). Containers on the same bridge can communicate. Port mapping (-p host:container) exposes container ports to the host. Custom bridge networks provide DNS-based service discovery. Overlay networks (Swarm) and CNI plugins (K8s) extend networking across hosts.
Image Digest
DistributionA content-addressable identifier (SHA-256 hash) for a container image. Unlike tags (which can be reassigned), digests are immutable and guarantee the exact image content. Format: sha256:abc123... Reference by digest: docker pull nginx@sha256:abc123. Use digests in production for reproducible deployments. Tags are human-friendly aliases for digests.
Build Cache
BuildDocker caches each build layer. If a Dockerfile instruction has not changed (and all previous layers are cached), Docker reuses the cached layer instead of re-executing. Cache invalidation: changing a COPY source file invalidates that layer and all subsequent layers. Strategy: put rarely-changing instructions (FROM, RUN apt-get) before frequently-changing ones (COPY source code). External caching: BuildKit supports --cache-to/--cache-from for CI/CD cache sharing.
Docker Desktop
ToolingA desktop application (macOS, Windows, Linux) that provides Docker Engine, Docker CLI, Docker Compose, Kubernetes, and GUI tools. Uses a Linux VM (HyperKit/WSL2/QEMU) to run the Docker daemon on non-Linux systems. Alternatives: Colima (macOS, open-source), Rancher Desktop (open-source), Podman Desktop, OrbStack (macOS, fast).
Compose Watch
DevelopmentDocker Compose feature (v2.22+) for development that watches source files and automatically syncs changes into running containers or rebuilds. Defined in compose.yaml under develop.watch. Actions: sync (copy files), rebuild (rebuild service), and sync+restart. Replaces separate file-watching tools and volume mount performance issues on macOS.
Multi-platform Image
BuildA container image that supports multiple CPU architectures (amd64, arm64, arm/v7) in a single image reference. Build with docker buildx build --platform linux/amd64,linux/arm64. The manifest list links platform-specific images. Docker automatically pulls the correct platform. Essential for: Apple Silicon Macs, ARM servers (Graviton), and cross-architecture CI/CD.
Software Bill of Materials (SBOM)
SecurityA comprehensive list of all components, libraries, and dependencies in a container image. Generated with docker sbom or tools like Syft. Formats: SPDX, CycloneDX. Used for: vulnerability tracking, license compliance, supply chain security. Required by US Executive Order 14028 for government software. Docker Scout integrates SBOM analysis with vulnerability databases.
Scratch Image
SecurityAn empty base image (FROM scratch). Contains nothing: no OS, no shell, no libc. Used for: statically compiled binaries (Go, Rust), minimal attack surface, smallest possible image size. The resulting image contains only your binary and its static dependencies. Cannot exec into the container (no shell). Use distroless for applications that need libc.
Docker Scout
SecurityDocker built-in security tool for image vulnerability scanning, SBOM analysis, and base image recommendations. Commands: docker scout cves (scan for CVEs), docker scout recommendations (suggest base image updates), docker scout sbom (generate SBOM). Integrates with Docker Hub and Docker Desktop. Free tier available. Alternative: Trivy (open-source, more features).
Entrypoint vs CMD
BuildENTRYPOINT defines the executable for the container (hard to override). CMD provides default arguments to ENTRYPOINT (easy to override). Together: ENTRYPOINT ["python"] CMD ["app.py"] runs python app.py by default, but docker run image test.py runs python test.py. Rule of thumb: ENTRYPOINT for the main executable, CMD for default arguments. Always use exec form (JSON array) for proper signal handling.
Ephemeral Container
PhilosophyContainers are designed to be disposable. No persistent state should live inside the container filesystem (use volumes for data). Containers can be stopped, removed, and recreated from the same image at any time. This principle enables: horizontal scaling, rolling updates, self-healing, and immutable infrastructure. "Cattle, not pets": containers are replaceable instances, not unique servers.
DevContainer
DevelopmentA development container specification (devcontainers.json) that defines a containerized development environment. Supported by VS Code, GitHub Codespaces, and JetBrains IDEs. Defines: base image, VS Code extensions, port forwards, environment variables, and post-create commands. Ensures all developers use identical development environments, eliminating "works on my machine" issues.
Testcontainers
TestingA library for running throwaway Docker containers in integration tests. Available for Java, Python, Node.js, Go, .NET, and Rust. Use cases: spin up a real PostgreSQL for database tests, run Redis for caching tests, start a Kafka broker for streaming tests. Containers are created per test suite and automatically cleaned up. Replaces mocking for infrastructure dependencies.
Container-as-Code
PracticesThe practice of defining all container infrastructure (Dockerfiles, compose files, K8s manifests, Helm charts) as version-controlled code. Part of Infrastructure-as-Code (IaC). Benefits: reproducibility, code review, audit trail, and GitOps workflow. Tools: Docker Compose (development), Helm/Kustomize (K8s), Terraform (infrastructure + containers), Pulumi (programming language IaC).
FAQ (20 Questions)
Try It Yourself
Generate Dockerfiles for your projects with our embedded tool.
Try it yourself
Dockerfile Generator
Tool preview unavailable.
Open Dockerfile Generator in a new pageRaw Data Downloads
Citations and Sources
Try These Tools for Free
Put this knowledge into practice with our browser-based tools. No signup needed.
Dockerfile Gen
Generate Dockerfiles for Node, Python, Go, Java, Nginx, and Alpine. Configure port, env vars, and commands.
YAML Validate
Validate YAML syntax, show errors with line numbers, format/beautify, and convert YAML to JSON.
JSON to YAML
Convert JSON data to YAML format for configuration files.
.env Gen
Generate .env files from templates. Select services like DB, Stripe, Auth, AWS, and get properly commented environment variables.
Related Research Reports
Kubernetes Guide 2026: Pods, Services, Deployments, Ingress, Helm, Operators
The definitive Kubernetes guide for 2026. Pods, services, deployments, ingress, helm, operators, GitOps, and security. 40 glossary, 15 FAQ. 30,000+ words.
The Complete DevOps & CI/CD Guide 2026: Pipelines, GitHub Actions, ArgoCD & Monitoring
The definitive DevOps reference for 2026. Covers CI/CD pipeline design, GitHub Actions, Jenkins, ArgoCD, GitOps, monitoring with Prometheus and Grafana, logging, Infrastructure as Code, and SRE practices. 28,000+ words.
The Complete Cloud Computing Guide 2026: AWS vs Azure vs GCP, Serverless, Containers & IaC
The definitive cloud computing reference for 2026. Covers AWS, Azure, GCP service comparisons, serverless architecture, container orchestration, Infrastructure as Code, cost optimization, and multi-cloud strategies. 28,000+ words.