Skip to content
On this page


Docker implements a container solution. Containers are a lighter weight alternative to a full virtual machine. They are run on the host operating system, but they are encapsulated to provide isolation, security, and compartmentalization.

Docker documentation:


Cheat sheet with an overview (similar intent as this doc)

Introduction to what containers are:

See Also


Docker Compose

GitHub - veggiemonk/awesome-docker: A curated list of Docker resources and projects


How you set up the image that gets run in a container

A Dockerfile determines how your image is configured (and ultimately what is run in your container). These can be tracked as part of the project's source code.

to keep a container running, choose a process that won't exit:

CMD [ "tail", "-f", "/dev/null" ]

See also dockerfiles

FROM node:lts

# Set the working directory.


Just follow along. These stay more up to date

At this point Docker should be installed and you can verify with:

sudo systemctl status docker

Docker Compose

Go ahead and grab docker-compose

sudo apt-get install docker-compose -y

Rootless & Permissions

Visit to learn about rootless mode.

Seems necessary to still install docker as usual above.

sudo apt-get install -y uidmap

With Ubuntu, I already had:

sudo apt-get install -y dbus-user-session

If the system-wide Docker daemon is already running, consider disabling it:

sudo systemctl disable --now docker.service docker.socket

To run Docker as a non-privileged user, consider setting up the Docker daemon in rootless mode for your user: install

Automatically start up when user logs in:

systemctl --user enable docker
sudo loginctl enable-linger $(whoami)

Make sure the following environment variables are set by adding them to ~/.bashrc

export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock

To expose privileged ports (< 1024), set CAP_NET_BIND_SERVICE on rootlesskit binary and restart the daemon.

sudo setcap cap_net_bind_service=ep $(which rootlesskit)
systemctl --user restart docker

Add user to docker group

This allows you to execute docker without using sudo for every command.
docker-compose is a frequent command.

sudo groupadd docker

sudo usermod -aG docker ${USER}

Log out and log back in, or:

su - ${USER}

Test that you have permissions to run docker commands without sudo:

docker ps

To run the Docker daemon as a fully privileged service, but granting non-root users access, refer to

WARNING: Access to the remote API on a privileged Docker daemon is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' documentation for details:

Docker Desktop for Linux

Looking forward to giving this a try. KVM/QEMU -- sounds promising!

sudo usermod -aG kvm $USER


Install docker as usual -- ends up expecting docker-ce-cli package anyway

Install KVM/QEMU ahead of time


sudo apt-get install pass tree

download package for system

sudo dpkg -i docker-desktop-4.8.0-amd64.deb 


systemctl status docker

To see a list of currently running docker containers:

docker ps

To see the name of the container (and the size of disk in use):

docker ps -s

Shares & Storage

It is possible to share storage between the host and containers. For a general overview:

Bind Mounts are shares data between the container and the host:

Volumes are encapsulated in the container engine itself (managed separately from the host):

For development, a bind mount may work well. For deployments, a volume is a better choice.

These can be specified when running a container, or as part of a compose setup:

docker run -d \
  -it \
  --name devtest \
  --mount type=bind,src="$(pwd)"/target,dst=/app \

Copy Data

You can copy data into and out of a container manually:

// don't use * with docker cp docker cp e9f10889f0da:/synthea/output/fhir ui/public/data/
docker cp | Docker Documentation


See a list of available docker images (see what is currently available):

docker image ls -a

Is equivalent to:

docker images

docker images are stored in:


(don't forget, docker sometimes run in a VM, so this location is on that VM) via:

Official Images

Different dependencies will result in different sized containers. Smaller is generally better, everything else being the same:


docker build -t simple-node .
docker run -p 3000:3000 simple-node

Now you should be able to connect to localhost without specifying a VM host. Without the explicit forward for the port, the port won't be available:


To specify a Dockerfile, use -f:

docker build -t simple-node -f Dockerfile.debug .

Running a Container

When you 'run' a command with docker, you specify the docker image to use to run it. The run command will download the image, build the container (if it doesn't exist already), and then run the command in the container.

docker run mhart/alpine-node node --version

Even with single container setups, it may make sense to use docker-compose to specify what the container is named and any volumes that should be mounted. That also makes it easier to integrate with other docker-compose setups.

Connecting to a Container

start and connect to a docker container:

docker run -i -t --entrypoint /bin/bash <imageID>
docker run -i -t --entrypoint /bin/bash docker_web_run_1

start a new shell in an already running container:

docker exec -it <containerIdOrName> bash
docker exec -it 393b12a61839 /bin/sh
docker exec -it docker_web_run_1 bash

connect to a (already running) docker container (Note: this will share the same shell if another instance is already connected interactively)

docker attach loving_heisenberg 


Stopping a Container

docker container stop devtest

To stop everything:

docker stop $(docker ps -q)


docker container stop $(docker container list -q)

Removing a Container

docker rm [container]

Cleaning up old images

docker system prune 

This seems like a well maintained answer with up-to-date options & descriptions:


Some of the following options may be more aggressive in what they delete. Be careful if you have important data stored!

Sometimes when testing builds, docker will complain about running out of space:

Thin Pool has 2738 free data blocks which is less than minimum required 2915 free data blocks. Create more free space in thin pool or use dm.min_free_space option to change behavior

You can get rid of all images with:

docker image prune -a --force

Clear everything out (!!! dangerous !!!)

docker image rm $(docker image ls -a -q)
docker image rm -f $(docker image ls -a -q)

See also:

Still not enough space? There are some nuclear options outlined here -- they will clear everything out, including volumes that may have data on them!


Containers can be set to restart automatically. As long as the parent docker process is configured to run at start up (usually is by default), then those containers will restart automatically.

You could also do a systemctrl setup like:

sudo systemctl enable docker-MYPROJECT-oracle_db.service

As described in How do I make a Docker container start automatically on system boot? - Stack Overflow Start containers automatically | Docker Documentation docker start container at boot at DuckDuckGo


See all networks currently configured:

docker network ls

See details for a specific network:

docker network inspect bridge

Docker containers can be referenced from other containers using the container name. Be sure to use the full container name, not the abbreviated service name that is used in docker-compose files.

ping is not always available. On debian based containers, install it with:

apt-get update
apt-get install iputils-ping

From there, can testing pinging containers by name:

ping nginx

See a list of all IP addresses for all containers:

sudo docker ps | tail -n +2 | while read cid b; do echo -n "$cid\t"; sudo docker inspect $cid | grep IPAddress | cut -d \" -f 4; done


wasn't sure about how to get one container to talk to another... they've documented that well:

(on macs) set up a terminal to know how to interact with docker by running:

eval "$(docker-machine env default)"

way to generalize reference to containers in configuration files? what if the IP for the api server changes? would require manually updating nginx.conf file just use docker name


I ran into an issue where a container was not able to resolve DNS lookups. (to confirm this, connect to the container via bash and run ping

This turned out to be an issue with the way lookups are configured on my host machine (20.04).

Docker uses the host's name resolution. Running this on the host fixes the resolution within containers:

sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf

The link that helped:

Note: If you're using hosts defined in /etc/hosts, the updated symlink won't resolve those correctly. See also: ~/alpha/web_ui_api_db/

Troubleshooting connections in docker

A successful approach was to launch the server, connect to the container using another shell

apk update

this provides the "ss" command for "socket statistics" RUN apk add --no-cache iproute2 e.g. to see if a server is running on expected port:

ss -lntp

verify server was on correct ports using above command

apk add lynx


curl is another good option!

To see what ports are open, install netstat. This approach will not persist across restarts.

apt update
apt install net-tools

netstat -pan | egrep " LISTEN "

Restart docker

I was getting an error like:

ERROR: for ui  Cannot start service ui: driver failed programming external connectivity on endpoint gpdb_ui (4625d0f53435c85529b8a8d6317401d6aba192fb2adbe742b4e98c828cb76125): Error starting userland proxy: error while calling PortManager.AddPort(): cannot expose privileged port 443, you can add 'net.ipv4.ip_unprivileged_port_start=443' to /etc/sysctl.conf (currently 1024), or set CAP_NET_BIND_SERVICE on rootlesskit binary, or choose a larger port number (>= 1024): listen tcp4 bind: permission denied
ERROR: Encountered errors while bringing up the project.

It didn't look like anything was listening on port 443.

I think this is an issue with running in rootlesskit mode

TODO: How-to determine which version of docker is being run locally

systemctl --user status docker
sudo service docker stop
sudo rm /var/lib/docker/network/files/local-kv.db
sudo service docker start && service docker status

service -- that's cool, appears to be the same thing as sysctl in other distros. (or is it systemctl or systemcontrol? I forget.)

I was curious, what is actually in this file that you are asking me to delete as sudo? Looks like local-kv.db is where the networking configurations are stored
Decoding Docker’s local-kv.db – The Qiqitori Blogs'net.ipv4.ip_unprivileged_port_start%3D443'+to+%2Fetc%2Fsysctl.conf+(currently+1024)%2C+or+set+CAP_NET_BIND_SERVICE+on+rootlesskit+binary%2C+or+choose+a+larger+port+number+(>%3D+1024)%3A+listen+tcp4+
Cannot start service driver failed programming external connectivity on endpoint Error starting userland proxy: error while calling PortManager.AddPort(): cannot expose privileged port 443, you can add 'net.ipv4.ip_unprivileged_port_start=443' to /etc/sysctl.conf (currently 1024), or set CAP_NET_BIND_SERVICE on rootlesskit binary, or choose a larger port number (>= 1024): listen tcp4 bind: permission denied at DuckDuckGo
docker: driver failed programming external connectivity on endpoint webserver - Stack Overflow
/var/lib/docker/network/files/local-kv.db at DuckDuckGo

Context Specific Applications


See Node Notes


Example Dockerfile

FROM python:3
COPY requirements.txt /srv/app/requirements.txt
WORKDIR /srv/app
RUN pip install -r requirements.txt


RUN groupadd --gid 9876 projectgroup
RUN useradd -ms /bin/bash --uid 1234567 --gid 9876 projectdev
USER projectdev