Docker Container Basics

Docker容器基础

Comprehensive guide to containerization with Docker, from image fundamentals to production deployments.

全面介绍Docker容器化的指南，涵盖从镜像基础到生产环境部署的所有内容。

When to Use

适用场景

Building and running Docker containers
Understanding Docker networking and volumes
Debugging container issues
Resource management and limits
Container security best practices
Multi-stage builds for optimization
Registry operations (push/pull/login)
Debugging container runtime issues

构建并运行Docker容器
理解Docker网络与卷
调试容器问题
资源管理与限制
容器安全最佳实践
多阶段构建优化
镜像仓库操作（推送/拉取/登录）
调试容器运行时问题

Core Concepts

核心概念

Container Lifecycle

容器生命周期

bash

undefined

bash

undefined

Build image

docker build -t myapp:latest .

Run container (foreground)

docker run --rm -it myapp:latest

Run container (background)

docker run -d --name my-container myapp:latest

View logs

docker logs -f my-container

Stop/start container

docker stop my-container docker start my-container

Remove container

docker rm my-container

View processes

docker ps -a

undefined

docker ps -a

undefined

Image Management

镜像管理

bash

undefined

bash

undefined

List images

docker images

Tag image

docker tag myapp:latest myapp:v1.0.0

Remove image

docker rmi myapp:latest

Inspect image

docker inspect myapp:latest

View image layers

docker history myapp:latest

undefined

docker history myapp:latest

undefined

Dockerfile Best Practices

Dockerfile最佳实践

Structure

结构

dockerfile

undefined

dockerfile

undefined

Use specific version tags (NOT latest)

FROM node:20.11-alpine

Set working directory

WORKDIR /app

Copy package files

COPY package*.json ./

Install dependencies

RUN npm ci --only=production

Copy application code

COPY . .

Expose port (documentation only)

EXPOSE 3000

Health check

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3
CMD node healthcheck.js

Run application

CMD ["node", "server.js"]

undefined

CMD ["node", "server.js"]

undefined

Multi-Stage Builds

多阶段构建

dockerfile

undefined

dockerfile

undefined

Build stage

FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm ci COPY . . RUN npm run build

Production stage

FROM node:20-alpine WORKDIR /app COPY --from=builder /app/dist ./dist COPY package*.json ./ RUN npm ci --only=production EXPOSE 3000 CMD ["node", "dist/server.js"]

undefined

FROM node:20-alpine WORKDIR /app COPY --from=builder /app/dist ./dist COPY package*.json ./ RUN npm ci --only=production EXPOSE 3000 CMD ["node", "dist/server.js"]

undefined

Optimization

优化建议

Use
```
.dockerignore
```
to exclude unnecessary files
Minimize layer count (combine RUN commands with
```
&&
```
)
Order commands by change frequency (stable → frequently changing)
Use specific base image versions (not
```
latest
```
)
Leverage layer caching for faster builds

使用
```
.dockerignore
```
排除不必要的文件
减少镜像层数（使用
```
&&
```
合并RUN命令）
按变更频率排序命令（稳定部分→频繁变更部分）
使用特定版本的基础镜像（而非
```
latest
```
）
利用镜像层缓存加速构建

Networking

网络配置

Network Types

网络类型

bash

undefined

bash

undefined

List networks

docker network ls

Create custom bridge network

docker network create myapp-net

Run container on network

docker run -d --network myapp-net --name db postgres:15 docker run -d --network myapp-net --name api myapp:latest

Container DNS resolution

Services on same network can reach each other by container name

undefined

undefined

Port Mapping

端口映射

bash

undefined

bash

undefined

Map single port

docker run -p 8080:3000 myapp:latest

Map multiple ports

docker run -p 8080:3000 -p 8443:3000 myapp:latest

Map to random port

docker run -p 3000 myapp:latest

View port mappings

docker port my-container

undefined

docker port my-container

undefined

Volumes and Mounts

卷与挂载

Named Volumes

命名卷

bash

undefined

bash

undefined

Create volume

docker volume create mydata

Run container with volume

docker run -v mydata:/app/data myapp:latest

View volume details

docker volume inspect mydata

Clean up unused volumes

docker volume prune

undefined

docker volume prune

undefined

Bind Mounts

绑定挂载

bash

undefined

bash

undefined

Mount host directory into container

docker run -v /host/path:/container/path myapp:latest

Read-only mount

docker run -v /host/path:/container/path:ro myapp:latest

undefined

docker run -v /host/path:/container/path:ro myapp:latest

undefined

Tmpfs Mounts

Tmpfs挂载

bash

undefined

bash

undefined

Mount temporary filesystem (memory-backed)

docker run --tmpfs /tmp:rw,size=1gb myapp:latest

undefined

docker run --tmpfs /tmp:rw,size=1gb myapp:latest

undefined

Resource Limits

资源限制

Memory and CPU

内存与CPU

bash

undefined

bash

undefined

Limit memory

docker run -m 512m myapp:latest

Limit CPU (1.0 = 1 core, 0.5 = half core)

docker run --cpus 1.0 myapp:latest

Memory swap limit

docker run -m 512m --memory-swap 1g myapp:latest

CPU shares (relative priority)

docker run --cpu-shares 1024 myapp:latest

undefined

docker run --cpu-shares 1024 myapp:latest

undefined

Viewing Resource Usage

查看资源使用情况

bash

undefined

bash

undefined

Monitor container resources

docker stats

Specific container

docker stats my-container

undefined

docker stats my-container

undefined

Container Debugging

容器调试

Execute Commands

执行命令

bash

undefined

bash

undefined

Execute command in running container

docker exec -it my-container /bin/sh

Run one-off command

docker exec my-container npm test

undefined

docker exec my-container npm test

undefined

Inspect Container

检查容器信息

bash

undefined

bash

undefined

View detailed container info

docker inspect my-container

View environment variables

docker inspect my-container | grep -A 20 "Env"

View mounted volumes

docker inspect my-container | grep -A 10 "Mounts"

undefined

docker inspect my-container | grep -A 10 "Mounts"

undefined

View Logs

查看日志

bash

undefined

bash

undefined

Tail logs

docker logs -f my-container

Last 100 lines

docker logs --tail 100 my-container

With timestamps

docker logs -t my-container

Since specific time

docker logs --since 2025-01-15T10:00:00 my-container

undefined

docker logs --since 2025-01-15T10:00:00 my-container

undefined

Security Best Practices

安全最佳实践

Non-Root User

非root用户运行

dockerfile

undefined

dockerfile

undefined

Create non-root user

RUN groupadd -r appuser && useradd -r -g appuser appuser

Use non-root user

USER appuser

undefined

USER appuser

undefined

Read-Only Filesystem

只读文件系统

bash

docker run --read-only -v /tmp:/tmp myapp:latest

bash

docker run --read-only -v /tmp:/tmp myapp:latest

Capability Dropping

权限缩减

bash

undefined

bash

undefined

Drop unnecessary capabilities

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:latest

undefined

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:latest

undefined

Security Scanning

安全扫描

bash

undefined

bash

undefined

Scan image for vulnerabilities

docker scan myapp:latest

Build with BuildKit (enables better layer caching and features)

DOCKER_BUILDKIT=1 docker build .

undefined

DOCKER_BUILDKIT=1 docker build .

undefined

Registry Operations

镜像仓库操作

Docker Hub

bash

undefined

bash

undefined

Login

docker login

Tag for registry

docker tag myapp:latest username/myapp:latest

Push image

docker push username/myapp:latest

Pull image

docker pull username/myapp:latest

Logout

docker logout

undefined

docker logout

undefined

Private Registry

私有镜像仓库

bash

undefined

bash

undefined

Login to private registry

docker login registry.example.com

Tag for private registry

docker tag myapp:latest registry.example.com/myapp:latest

Push to private registry

docker push registry.example.com/myapp:latest

undefined

docker push registry.example.com/myapp:latest

undefined

Troubleshooting

故障排查

Container Won't Start

容器无法启动

bash

undefined

bash

undefined

Check exit code and error logs

docker logs my-container

View container events

docker events --filter "container=my-container"

Inspect container config

docker inspect my-container | grep -A 20 "State"

undefined

docker inspect my-container | grep -A 20 "State"

undefined

High Resource Usage

资源占用过高

bash

undefined

bash

undefined

Monitor in real-time

docker stats

Identify processes consuming resources

docker top my-container

undefined

docker top my-container

undefined

Network Issues

网络问题

bash

undefined

bash

undefined

Test DNS resolution

docker exec my-container nslookup db

Test connectivity

docker exec my-container curl http://db:5432

View network settings

docker network inspect myapp-net

undefined

docker network inspect myapp-net

undefined

Production Patterns

生产环境模式

Health Checks

健康检查

dockerfile

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

dockerfile

HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
  CMD curl -f http://localhost:3000/health || exit 1

Signal Handling

信号处理

bash

undefined

bash

undefined

Applications should handle SIGTERM gracefully

Docker gives 10 seconds (default) before SIGKILL

docker stop --time 30 my-container

undefined

docker stop --time 30 my-container

undefined

Graceful Shutdown

优雅关闭

bash

undefined

bash

undefined

Wait for container to stop (with timeout)

docker stop -t 30 my-container

Verify container stopped

docker wait my-container echo $? # Exit code

undefined

docker wait my-container echo $? # Exit code

undefined

Common Patterns

常见模式

Development Container

开发容器

bash

docker run -it \
  -v $(pwd):/app \
  -p 3000:3000 \
  -e NODE_ENV=development \
  myapp:dev

bash

docker run -it \
  -v $(pwd):/app \
  -p 3000:3000 \
  -e NODE_ENV=development \
  myapp:dev

Production Container

生产容器

bash

docker run -d \
  --name myapp \
  --restart unless-stopped \
  -m 1g \
  --cpus 2 \
  -p 3000:3000 \
  -e NODE_ENV=production \
  --health-cmd="curl -f http://localhost:3000/health" \
  --health-interval=30s \
  myapp:latest

bash

docker run -d \
  --name myapp \
  --restart unless-stopped \
  -m 1g \
  --cpus 2 \
  -p 3000:3000 \
  -e NODE_ENV=production \
  --health-cmd="curl -f http://localhost:3000/health" \
  --health-interval=30s \
  myapp:latest

Sidecar Pattern

边车模式

bash

undefined

bash

undefined

Main application

docker run -d --name app myapp:latest

Sidecar (logging, monitoring, etc)

docker run -d --network container:app --volumes-from app logging-agent:latest

undefined

docker run -d --network container:app --volumes-from app logging-agent:latest

undefined

References

参考资料

Docker documentation: https://docs.docker.com/
Best practices: https://docs.docker.com/develop/dev-best-practices/
Security: https://docs.docker.com/engine/security/

Docker官方文档: https://docs.docker.com/
最佳实践: https://docs.docker.com/develop/dev-best-practices/
安全指南: https://docs.docker.com/engine/security/

docker-container-basics

Original

Translation

Docker Container Basics

Docker容器基础

When to Use

适用场景

Core Concepts

核心概念

Container Lifecycle

容器生命周期

Build image

Build image

Run container (foreground)

Run container (foreground)

Run container (background)

Run container (background)

View logs

View logs

Stop/start container

Stop/start container

Remove container

Remove container

View processes

View processes

Image Management

镜像管理

List images

List images

Tag image

Tag image

Remove image

Remove image

Inspect image

Inspect image

View image layers

View image layers

Dockerfile Best Practices

Dockerfile最佳实践

Structure

结构

Use specific version tags (NOT latest)

Use specific version tags (NOT latest)

Set working directory

Set working directory

Copy package files

Copy package files

Install dependencies

Install dependencies

Copy application code

Copy application code

Expose port (documentation only)

Expose port (documentation only)

Health check

Health check

Run application

Run application

Multi-Stage Builds

多阶段构建

Build stage

Build stage

Production stage

Production stage

Optimization

优化建议

Networking

网络配置

Network Types

网络类型

List networks

List networks

Create custom bridge network

Create custom bridge network

Run container on network

Run container on network

Container DNS resolution

Container DNS resolution

Services on same network can reach each other by container name

Services on same network can reach each other by container name

Port Mapping