Docker Flags Cheat Sheet



The aim of this cheat sheet is to provide an easy-to-use list of common security mistakes and good practices that will help you secure your Docker containers. RULE #4 - Add the no-new-privileges flag. Always run your Docker images with --security-opt=no-new-privileges to prevent privilege escalation through setuid or setgid binaries.

Docker Cheat Sheet. HasOne, Aug 4, 2020.

I have sent a PR about the DOCKERBUILDKIT=1 flag.

This is just a cheat sheet of commands and terminology for Docker and ASP.NET Core; it contains commands that you can find in the original cheat sheet, plus a Dockerfile for ASP.NET Core and a quick guide on how to create one from Visual Studio. Hopefully, both developers who are getting into the containerized world with Docker and developers who are already in it but need a quick recap will find it useful.

Basic terminology

Term: Short explanation
Docker: Docker is a set of platform as a service products that uses OS-level virtualization to deliver software in packages called containers. Download Docker for Windows here.
Image: An image, or more correctly, a Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
Container: A container image becomes a container at runtime when it runs on Docker Engine.
Docker Engine: Docker Engine is a container runtime that runs on various Linux (CentOS, Debian, Fedora, Oracle Linux, RHEL, SUSE, and Ubuntu) and Windows Server operating systems…
Docker Hub: Docker Hub is a service provided by Docker for finding and sharing container images with your team.
Dockerfile: A Dockerfile is a text document that contains all the commands a user could call on the command line to assemble an image.

Read more information about Docker Container Images and Docker Containers here.

Basic commands

The following is a list of basic commands that you will regularly need. Run them from the command line at the root of your application, where the Dockerfile should exist.

Term: Short explanation
docker pull: Retrieve an image from a registry. If you specify only the repository name, Docker will download the image tagged latest from that repository on Docker Hub.
  e.g. docker pull mcr.microsoft.com/dotnet/core/aspnet:3.1 pulls the 3.1 runtime, whereas docker pull mcr.microsoft.com/dotnet/core/sdk pulls the latest .NET Core SDK.
docker build: Create a new image by running a Dockerfile. Use the -t flag to specify the name of the new image and don’t forget the . (build context for the source files for the COPY command).
  e.g. docker build -t image.name.for.my.app:v1 .
docker image list: After pulling an image, view the images in your local registry with the docker image list command.
docker ps: View active containers. Use the -a flag to view all.
  e.g. docker ps -a
docker run: Run an image – it will become a container. Specify the option -p for port mapping (left hand side local port, right hand side port exposed by docker) and -d to run it as a background service. Specify the --name option to set the name of the container.
  e.g. docker run -p 8080:80 -d --name container.name image.name.for.my.app
docker stop: Stop an active container by specifying the container ID. Get that with the docker ps command.
  e.g. docker stop elegant_ramanujan
docker start: Restart a stopped container.
  e.g. docker start elegant_ramanujan
docker container rm: Remove a stopped container. Add the -f flag to force remove a running container (not a graceful shutdown).
  e.g. docker container rm -f elegant_ramanujan
docker image rm: Remove an image. There is no force flag here; all containers using this image must be stopped.
  e.g. docker image rm mcr.microsoft.com/dotnet/core/samples:aspnetapp

A Dockerfile sample

Living in the root of the application, a Dockerfile is just a plain text file; you can create it on Windows with the following command, or any other way you like: copy NUL Dockerfile. The sample below contains everything necessary to build and run an image. Comments above each command attempt to provide a bit of clarity:

A cheat with Microsoft Visual Studio

If you happen to have Visual Studio around, just right-click on your main project, select ‘Add’ and then ‘Docker Support…’:


Usually, for ASP.NET Core, I choose ‘Linux’ as Operating System; at the end it comes cheaper if you want to host it, for example, in Azure.

Docker Run Flags

Docker’s purpose is to build and manage compute images and to launch them in containers, so the most useful commands are the ones that perform these tasks and expose information about them.


Here’s a cheat sheet on the top Docker commands to know and use.


Images and containers

The docker command line interface follows this pattern:
docker <COMMAND>

The docker images and container commands grant access to the images and containers. From here, you are permitted to do something with them, hence:


There are:

  • ls lists the resources.
  • cp copies files/folders between the container and the local file system.
  • create creates new container.
  • diff inspects changes to files or directories in a running container.
  • logs fetches the logs of a container.
  • pause pauses all processes within one or more containers.
  • rename renames a container.
  • run runs a new command in a container.
  • start starts one or more stopped containers.
  • stop stops one or more running containers.
  • stats displays a live stream of container(s) resource usage statistics.
  • top displays the running processes of a container.


View resources with ls

From the container ls command, the container id can be accessed (first column).

Control timing with start, stop, restart, prune

  • start starts one or more stopped containers.
  • stop stops one or more running containers.
  • restart restarts one or more containers.
  • prune (the best one!) removes all stopped containers.

Name a container

View vital information: Inspect, stats, top

  • stats displays a live stream of container(s) resource usage statistics
  • top displays the running processes of a container:
  • inspect displays detailed information on one or more containers. It returns JSON detailing a container's name, state and more.
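The JSON returned by inspect can be used to check the no-new-privileges rule from the top of this page. The following is an added example, not code from the original cheat sheets: it parses docker inspect output and lists containers started without the option. The sample JSON, container names and function names are constructed for illustration, and the "last occurrence wins" handling is an assumption.

```python
import json

# Constructed sample of `docker inspect` output (a JSON array, one object per
# container). Names and values are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/api", "HostConfig": {"SecurityOpt": ["no-new-privileges:true"]}},
    {"Name": "/batch", "HostConfig": {"SecurityOpt": ["no-new-privileges=false"]}},
    {"Name": "/legacy", "HostConfig": {"SecurityOpt": None}},
    {"Name": "/db", "HostConfig": {"SecurityOpt": ["seccomp=unconfined"]}},
])

_TRUE = {"1", "t", "true"}


def has_no_new_privileges(security_opt):
    """Return True if a SecurityOpt list enables no-new-privileges.

    Accepts the bare form and the key=value / key:value forms. If the option
    appears more than once, the last occurrence wins (assumption).
    """
    enabled = False
    for opt in security_opt or []:  # SecurityOpt is null when nothing was set
        # Normalise "key:value" to "key=value", then split on the first "=".
        key, sep, value = opt.replace(":", "=", 1).partition("=")
        if key.strip() != "no-new-privileges":
            continue
        # Bare option means enabled; otherwise the value decides.
        enabled = (not sep) or value.strip().lower() in _TRUE
    return enabled


def audit(inspect_json):
    """Return sorted names of containers running without no-new-privileges."""
    missing = []
    for container in json.loads(inspect_json):
        host_config = container.get("HostConfig") or {}
        if not has_no_new_privileges(host_config.get("SecurityOpt")):
            missing.append(container.get("Name", "<unnamed>").lstrip("/"))
    return sorted(missing)


if __name__ == "__main__":
    for name in audit(SAMPLE_INSPECT):
        print(f"{name}: no-new-privileges not set")
```

To audit a real host, pass audit() the output of docker inspect for the containers listed by docker ps instead of the constructed sample.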
