Docker Operations Cheatsheet

Thu, 26 Mar 2026 12:21:52 +0100

Theory
#

namespaces - abstraction which makes it possible for the system to isolate processes from one another. Processes internally store a pointer to a namespaces when calling specified commands “dealing with” a specific kernel resource it first checks for appropriate namespace and returns appropriate data. Some important namespaces:
- PID namespaces - process isolation - container can only see processes made inside the container
- network namespace - netowork isolation - each container gets it’s own ports,ip addresses, etc. Connected via docker0 bridge to the host network.
- mount namespace - filesystem isolation - each container gets it’s own filesystem hierarchy, mount points etc.
cgroups - used to limit the system resources available to the container, CPU, memory etc.
union mount filesystem - filesystem technique used in docker containers. We define the filesystem in multiple layers (defined typically in Dockerfile) during build we only look at the “top”. If conflicting upper layers overwrite the lower layers. All layers beside the top one are read only, the top one is read/write.
docker daemon - runs in the background and manages the containers, volumes etc. We communicate with it via CLI. If docker is installed on linux we communicate with it via exposed socket at /var/run/docker.sock. If installed on a different system a virtual machine with linux is setup and we communicate with the docker via socket at the same location but within the VM.

images - contain information about how to build the container.
containers - working instances where we actually operate and that do the “actual” work.
volumes - data storage objects can be mounted onto containers
networks - define how containers communicate with each other

with all of those --help flag lists all available commands with a short description