How to Learn Docker as a New Student
1. Clear Definition
How to Learn Docker as a New Student: Docker learning should start with the problem it solves, then move to hands-on commands, then projects. Do not begin by memorizing every command.
2. Explanation for New People
If you are completely new, Docker can feel like many strange words: image, container, registry, Dockerfile, Compose, volume, network, daemon. The best way to learn is not to memorize those words separately. The best way is to follow one story: a developer has an application, the application needs an environment, Docker packages that environment, and containers run from that package.
Every Docker topic should be connected to a real question. Why do we need images? Because we need a reusable package. Why do we need containers? Because we need to run that package. Why do we need volumes? Because container data can disappear. Why do we need networks? Because apps need to talk to databases, APIs, and users. Why do we need Compose? Because real apps usually need many containers.
3. Detailed Study Explanation
This course is designed for new students. Each chapter explains the concept slowly, then gives commands, then explains what the commands mean, then gives business use cases and mistakes. You should not just read the page. You should open a terminal and run the labs.
Use a notebook. For every chapter, write five things: definition, why it matters, one command, one mistake, and one business use case. This turns Docker from a list of commands into a skill you can explain in interviews and use in projects.
The learning order is important: Docker problem, architecture, image/container, basic run commands, Dockerfile, build cache, volumes, networking, Compose, registry, CI/CD, security, troubleshooting, and final projects.
4. Business Use Case
A company does not care whether you memorized docker ps. A company cares whether you can make an application run consistently, troubleshoot it when it fails, explain the reason for Dockerfile decisions, protect secrets, avoid data loss, and document the setup for other team members.
5. Mental Model / Diagram
Student learning flow:
1. Understand the problem
2. Run a ready-made container
3. Build your own image
4. Store data using volumes
5. Connect app and database using networks
6. Use Compose for multi-container apps
7. Push image to registry
8. Add security and CI/CD thinking
9. Build portfolio projects6. Commands / Configuration
docker --version
docker run hello-world
docker ps -a
docker images
docker system df
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker --version | Checks that the Docker command line is installed. |
| docker run hello-world | Tests whether Docker can pull and run a basic image. |
| docker ps -a | Shows all containers, including stopped ones. |
| docker images | Shows images stored on your machine. |
| docker system df | Shows Docker disk usage. |
8. Common Mistakes
- Trying to learn Docker by memorizing commands only.
- Skipping hands-on practice.
- Not writing your own notes.
- Not building projects.
- Not learning troubleshooting.
9. Troubleshooting Steps
- If Docker command is not found, Docker is not installed or PATH is not configured.
- If Docker daemon is not running, start Docker Desktop or Docker Engine.
- If image pull fails, check internet/proxy/registry access.
10. Student Practice
- Create a Docker practice folder.
- Run hello-world.
- Write what happened in your own words.
- Take a screenshot of docker ps -a.
- Move to the next chapter only after you can explain image and container roughly.
11. Interview Answer
Docker learning should start with the problem it solves, then move to hands-on commands, then projects. Do not begin by memorizing every command.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
The Real Problem Docker Solves
1. Clear Definition
The Real Problem Docker Solves: Docker reduces environment mismatch by packaging an application and its dependencies into a consistent container image.
2. Explanation for New People
Before Docker, many students and developers faced this problem: the code runs on one machine but fails on another. The code may be correct, but the environment is different. One system has Python 3.12, another has Python 3.9. One system has a package installed, another does not. One system has a database running, another does not. One system has a different environment variable.
Docker solves this by packaging the application environment. Instead of saying, “install many things manually,” Docker lets you describe the environment in a Dockerfile and run it as a container.
3. Detailed Study Explanation
Think of Docker as a consistent application box. The box contains the application files, runtime, dependencies, default command, and environment expectations. When another developer runs the same image, they get the same packaged environment.
Docker does not remove the need for testing, security, database design, monitoring, or deployment planning. It only makes the application package more repeatable. That repeatability is very powerful in development, QA, CI/CD, and production-like deployments.
For new learners, always connect Docker to one idea: consistency. If you understand consistency, image, container, Dockerfile, registry, and Compose become easier.
4. Business Use Case
In a business project, a new employee may spend days setting up software. Docker can reduce setup to a few commands. QA can test the same image built by CI. Production teams can deploy the same approved image. This saves time and reduces mistakes.
5. Mental Model / Diagram
Without Docker:
Code + manual setup + different machines = unpredictable behavior
With Docker:
Code + Dockerfile = Image
Image + runtime settings = Container
Same image can move across environments6. Commands / Configuration
docker run hello-world
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker | Calls the Docker client. |
| run | Creates and starts a container. |
| hello-world | The image name Docker will run. If not found locally, Docker pulls it from a registry. |
8. Common Mistakes
- Thinking Docker fixes bugs in application code.
- Thinking Docker means no need to understand the app.
- Thinking Docker is only for production.
- Thinking Docker is only for Linux experts.
9. Troubleshooting Steps
- If hello-world fails with daemon error, Docker Engine/Desktop is not running.
- If pull fails, check internet/proxy/registry access.
- If permission denied on Linux, check Docker group or use proper permissions.
10. Student Practice
- Explain the 'works on my machine' problem.
- Write three reasons environments differ.
- Run hello-world.
- Explain why hello-world does not mean you know Docker fully.
11. Interview Answer
Docker reduces environment mismatch by packaging an application and its dependencies into a consistent container image.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Architecture in Simple Words
1. Clear Definition
Docker Architecture in Simple Words: Docker uses a client-server architecture: the Docker CLI sends requests to the Docker daemon, and the daemon manages images, containers, networks, volumes, and registries.
2. Explanation for New People
When you type a Docker command, your terminal is not doing all the work by itself. The Docker command line is the client. It talks to the Docker daemon, which is the background service that actually builds images, runs containers, creates networks, manages volumes, and pulls images from registries.
This is like ordering food in a restaurant. You tell the waiter what you want. The waiter sends the request to the kitchen. The kitchen prepares the food. In Docker, the CLI is like the waiter and the Docker daemon is like the kitchen.
3. Detailed Study Explanation
This architecture matters because Docker errors can come from different places. If the Docker CLI is installed but the daemon is not running, commands fail. If the daemon is running but cannot reach the registry, image pulls fail. If an image exists but the application command is wrong, the container exits. Good troubleshooting starts by locating the failing layer.
Docker Desktop on Windows/macOS hides some complexity, but the same idea remains. Docker Engine runs the daemon. The daemon uses the container runtime and operating system features to start containers. The Docker root directory stores images, containers, volumes, and build cache.
4. Business Use Case
A developer reports, “Docker is not working.” A good support engineer checks whether Docker Desktop is running, whether Docker context is correct, whether the daemon is reachable, whether the registry login works, and whether disk space is available. This saves time compared with reinstalling everything.
5. Mental Model / Diagram
Terminal -> Docker CLI -> Docker Daemon
Docker Daemon:
- pulls images
- builds images
- creates containers
- creates networks
- manages volumes
- talks to container runtime6. Commands / Configuration
docker version
docker info
docker context ls
docker system df
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker version | Shows client and server versions. Server means daemon side. |
| docker info | Shows detailed engine information. |
| docker context ls | Shows which Docker endpoint your CLI talks to. |
| docker system df | Shows disk usage by images, containers, volumes, and cache. |
8. Common Mistakes
- Thinking CLI and daemon are the same.
- Not checking whether Docker Desktop is running.
- Ignoring Docker context.
- Not checking disk usage.
- Assuming every Docker problem is an app problem.
9. Troubleshooting Steps
- If docker version shows client but no server, daemon is not reachable.
- If pulls fail, check registry/network/proxy.
- If disk is full, clean unused Docker objects carefully.
10. Student Practice
- Run docker version and identify client/server.
- Run docker info and find Docker root directory.
- Run docker system df and record disk usage.
- Explain Docker daemon role.
11. Interview Answer
Docker uses a client-server architecture: the Docker CLI sends requests to the Docker daemon, and the daemon manages images, containers, networks, volumes, and registries.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Image, Container, and Registry Explained Slowly
1. Clear Definition
Image, Container, and Registry Explained Slowly: An image is a reusable package, a container is a running instance of that package, and a registry is a place where images are stored and shared.
2. Explanation for New People
This is the most important Docker mental model. A Docker image is like a recipe or blueprint. A container is like the actual dish cooked from the recipe or the actual house built from the blueprint. A registry is like a library where recipes are stored.
One image can create many containers. For example, the nginx image can create web1, web2, and web3 containers. Each container can have its own name, ports, environment variables, and runtime state.
3. Detailed Study Explanation
Images are read-only templates. They contain layers, files, runtime dependencies, environment defaults, and startup metadata. Containers are created from images. When a container runs, Docker adds a writable layer on top of the image layers.
A registry stores images so other machines can pull them. Docker Hub is a public registry. Companies also use private registries such as Amazon ECR, GitHub Container Registry, Azure Container Registry, or internal registries.
If you remove a container, the image may still remain. If you remove an image, existing containers may still exist but you cannot create new containers from that image unless it is rebuilt or pulled again.
4. Business Use Case
A team builds company-api:1.0.0 and pushes it to a private registry. QA pulls the same image for testing. Production later deploys the approved image. This avoids copying files manually and makes release tracking easier.
5. Mental Model / Diagram
Dockerfile + app code -> Image
Image -> Container 1
Image -> Container 2
Image -> Container 3
Registry stores image versions:
company-api:1.0.0
company-api:1.0.1
company-api:git-abc1236. Commands / Configuration
docker pull nginx:alpine
docker images
docker run --name web1 -d nginx:alpine
docker run --name web2 -d nginx:alpine
docker ps
docker ps -a
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker pull nginx:alpine | Downloads the nginx image with alpine tag. |
| docker images | Lists local images. |
| docker run --name web1 -d nginx:alpine | Creates and starts a container named web1 in background. |
| docker ps | Lists running containers. |
| docker ps -a | Lists all containers. |
8. Common Mistakes
- Calling an image a container.
- Thinking deleting a container deletes the image.
- Using only latest tags for everything.
- Not understanding registry role.
- Not knowing the difference between local image and remote image.
9. Troubleshooting Steps
- If container exits, check docker logs.
- If image not found, check image name and tag.
- If pull fails, check registry access.
10. Student Practice
- Run two containers from one image.
- Stop and remove one container.
- Check that image still exists.
- Explain image/container/registry with your own analogy.
11. Interview Answer
An image is a reusable package, a container is a running instance of that package, and a registry is a place where images are stored and shared.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Running Containers: run, ps, stop, start, rm
1. Clear Definition
Running Containers: run, ps, stop, start, rm: Container lifecycle commands create, start, list, stop, restart, and remove containers.
2. Explanation for New People
A container is usually one main running process. If that process keeps running, the container keeps running. If the process finishes, the container stops. This is why some containers exit immediately and some stay alive.
For example, nginx stays running because it is a web server. But alpine echo hello exits immediately because the echo command finishes.
3. Detailed Study Explanation
docker run creates and starts a new container. docker ps shows running containers. docker ps -a shows stopped and running containers. docker stop stops a running container. docker start starts an existing stopped container. docker rm removes a stopped container. docker logs shows what the container process printed.
This lifecycle is different from a virtual machine. A container is not meant to be a full computer that keeps running forever by default. It runs the command configured for the image or passed at runtime.
4. Business Use Case
In a QA environment, a container exits immediately. Instead of saying Docker failed, an engineer checks docker ps -a and docker logs. The logs show a missing environment variable. The fix is runtime configuration, not rebuilding the server.
5. Mental Model / Diagram
docker run -> container created and started
main process running -> container running
main process exits -> container stopped
docker start -> starts stopped container
docker rm -> removes container metadata and writable layer6. Commands / Configuration
docker run --name short alpine echo hello
docker ps
docker ps -a
docker logs short
docker start short
docker rm short
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker run --name short alpine echo hello | Creates a container from alpine and runs echo hello. |
| docker ps | Will not show short if it already exited. |
| docker ps -a | Shows short because it includes stopped containers. |
| docker logs short | Shows output from the container. |
| docker rm short | Removes the stopped container. |
8. Common Mistakes
- Checking only docker ps and missing stopped containers.
- Expecting every container to run forever.
- Deleting containers before reading logs.
- Not understanding main process behavior.
- Confusing container restart with image rebuild.
9. Troubleshooting Steps
- If container is missing from docker ps, check docker ps -a.
- If it exited, check docker logs and exit code.
- If it restarts repeatedly, inspect restart policy and application error.
10. Student Practice
- Run a short-lived container.
- Run a long-running nginx container.
- Compare ps vs ps -a.
- Stop and start a container.
- Remove stopped containers.
11. Interview Answer
Container lifecycle commands create, start, list, stop, restart, and remove containers.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
First Web Container: Nginx and Port Mapping
1. Clear Definition
First Web Container: Nginx and Port Mapping: Port mapping connects a port on your host machine to a port inside the container so outside users can reach the service.
2. Explanation for New People
Nginx is a web server. Inside the container, Nginx listens on port 80. Your browser runs on your laptop, outside the container. To reach Nginx from your browser, Docker must forward a host port to the container port.
The syntax -p 8080:80 means host port 8080 goes to container port 80. The left side is host. The right side is container.
3. Detailed Study Explanation
This chapter is essential because many Docker beginner problems are port problems. A container can be running perfectly, but if the port is not published, your browser cannot access it from the host. Also, EXPOSE in a Dockerfile is only documentation. It does not publish the port. Publishing happens with docker run -p, Compose ports, or orchestration platform settings.
In production, users may not directly access Docker host ports. Traffic may come through load balancers, reverse proxies, ingress controllers, or service meshes. But the concept remains: traffic needs a defined route to the container service.
4. Business Use Case
A documentation team wants to serve a static website locally without installing Nginx. They run Nginx in a container and publish port 8080. Everyone can preview the site the same way.
5. Mental Model / Diagram
Browser on host:
http://localhost:8080
|
Host port 8080
|
Docker mapping -p 8080:80
|
Container port 80
|
Nginx process6. Commands / Configuration
docker run --name web -d -p 8080:80 nginx:alpine
docker ps
docker port web
curl -I http://localhost:8080
docker logs web
docker stop web
docker rm web
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| -d | Run in detached/background mode. |
| -p 8080:80 | Map host port 8080 to container port 80. |
| docker port web | Shows published port mappings. |
| curl -I | Requests only HTTP headers to test response. |
8. Common Mistakes
- Reversing port order.
- Forgetting -p.
- Using host port already in use.
- Thinking EXPOSE publishes ports.
- App listening on wrong interface.
9. Troubleshooting Steps
- If browser fails, check docker ps and port mapping.
- Check container logs.
- Check if host port is already in use.
- Try curl from host.
10. Student Practice
- Run Nginx on 8080.
- Run another on 8081.
- Explain host port vs container port.
- Find port mapping with docker port.
11. Interview Answer
Port mapping connects a port on your host machine to a port inside the container so outside users can reach the service.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Dockerfile: Building Your Own Image
1. Clear Definition
Dockerfile: Building Your Own Image: A Dockerfile is a text file with instructions Docker uses to build an image.
2. Explanation for New People
Running existing images is not enough. Real projects need your own app packaged as an image. A Dockerfile is the recipe for that. It says which base image to use, where to place files, which dependencies to install, which port the app uses, and how to start it.
For a student, a Dockerfile is like a step-by-step setup guide that Docker can execute automatically.
3. Detailed Study Explanation
A Dockerfile is part of your project source code. It should be versioned with the application. If a new developer clones the repository, the Dockerfile tells them how to build the application image.
A good Dockerfile is not only working; it is maintainable. It should be readable, cache-friendly, secure, and not include unnecessary files or secrets. A Dockerfile affects build speed, image size, vulnerability count, and production reliability.
Start simple, then improve. First build a working image. Then add .dockerignore. Then improve cache. Then run as non-root. Then reduce image size. Then scan vulnerabilities.
4. Business Use Case
A company has a Python API. Developers previously installed Python and libraries manually. Now the team writes a Dockerfile. CI builds the image and QA runs the same image. Setup becomes repeatable.
5. Mental Model / Diagram
Project files:
app.py
requirements.txt
Dockerfile
.dockerignore
docker build -> image
docker run -> container6. Commands / Configuration
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8000
CMD ["python", "app.py"]
# Build and run
docker build -t python-api:dev .
docker run --name api -p 8000:8000 python-api:dev
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| FROM python:3.12-slim | Starts from a Python base image. |
| WORKDIR /app | Sets /app as working directory. |
| COPY requirements.txt . | Copies dependency list first. |
| RUN pip install... | Installs dependencies during build. |
| COPY . . | Copies app source. |
| EXPOSE 8000 | Documents expected container port. |
| CMD ... | Default command when container starts. |
8. Common Mistakes
- Copying secrets into image.
- No .dockerignore.
- Using very large base image without reason.
- Not checking if app listens on 0.0.0.0.
- Not explaining each line in README.
9. Troubleshooting Steps
- If build fails, read the failing Dockerfile step.
- If run fails, check docker logs.
- If app unreachable, check port and app bind address.
10. Student Practice
- Create a simple app.py.
- Write requirements.txt.
- Build image.
- Run container.
- Explain each Dockerfile line.
11. Interview Answer
A Dockerfile is a text file with instructions Docker uses to build an image.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Dockerfile Instructions Explained for Beginners
1. Clear Definition
Dockerfile Instructions Explained for Beginners: Dockerfile instructions are commands such as FROM, RUN, COPY, WORKDIR, ENV, ARG, EXPOSE, USER, CMD, and ENTRYPOINT that define build steps and runtime defaults.
2. Explanation for New People
Do not memorize Dockerfile instructions like random vocabulary. Group them into two categories. Some instructions prepare the image during build. Some instructions define how the container should behave at runtime.
Build-time examples: FROM, WORKDIR, COPY, RUN. Runtime/default examples: ENV, EXPOSE, USER, CMD, ENTRYPOINT.
3. Detailed Study Explanation
FROM chooses the base image. RUN executes commands while building the image. COPY copies files from your project into the image. WORKDIR sets the directory for later commands. ENV sets environment variables available in the container. ARG sets build-time variables. EXPOSE documents the intended port. USER changes the user that runs the process. CMD gives a default command. ENTRYPOINT sets the fixed executable.
CMD vs ENTRYPOINT is confusing. Use CMD for simple default startup commands. Use ENTRYPOINT when the image should behave like a command-line tool or fixed executable. CMD can provide default arguments to ENTRYPOINT.
Each instruction can affect cache, security, image size, and runtime behavior.
4. Business Use Case
A DevOps reviewer checks a Dockerfile before approving deployment. They ask: Is the base image trusted? Are dependencies installed cleanly? Are secrets avoided? Is the app running as non-root? Is the startup command clear?
5. Mental Model / Diagram
Build phase:
FROM -> WORKDIR -> COPY -> RUN
Runtime defaults:
ENV -> EXPOSE -> USER -> CMD / ENTRYPOINT6. Commands / Configuration
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .
ENV NODE_ENV=production
EXPOSE 3000
USER node
CMD ["node", "server.js"]
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| FROM | Base image. |
| RUN | Build-time command. |
| COPY | Copy files into image. |
| ENV | Runtime environment variable. |
| EXPOSE | Port documentation. |
| USER | Run as selected user. |
| CMD | Default startup command. |
8. Common Mistakes
- Using ADD when COPY is enough.
- Confusing ARG and ENV.
- Using ENV for secrets.
- Thinking EXPOSE publishes ports.
- Using root unnecessarily.
9. Troubleshooting Steps
- If file missing, check COPY path and build context.
- If command not found, check RUN install step.
- If container exits, check CMD/ENTRYPOINT and logs.
10. Student Practice
- Take any Dockerfile and label each line as build-time or runtime.
- Write examples for ENV and ARG.
- Explain CMD vs ENTRYPOINT.
- Add USER to a Dockerfile.
11. Interview Answer
Dockerfile instructions are commands such as FROM, RUN, COPY, WORKDIR, ENV, ARG, EXPOSE, USER, CMD, and ENTRYPOINT that define build steps and runtime defaults.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Build Context and .dockerignore
1. Clear Definition
Build Context and .dockerignore: The build context is the set of files Docker can use during a build; .dockerignore excludes files from that context.
2. Explanation for New People
When you run docker build -t myapp ., the dot means current folder. Docker sends files from that folder to the builder. If that folder has huge or sensitive files, they may go into the build context unless excluded.
A .dockerignore file tells Docker what not to send.
3. Detailed Study Explanation
This matters for speed and security. If node_modules, venv, .git, logs, screenshots, build output, or .env files enter the context, builds become slower and riskier. Even if a secret is not copied into the final image, sending it into a build environment is bad practice.
A good .dockerignore keeps the context clean. It also helps build cache because unnecessary file changes do not invalidate build steps. Teams should treat .dockerignore as a normal required project file, not an optional extra.
Students should always create .dockerignore when creating a Dockerfile.
4. Business Use Case
A CI pipeline takes 20 minutes because Docker sends node_modules and coverage reports into the build context. The team adds .dockerignore, and build time becomes much faster.
5. Mental Model / Diagram
Project folder:
app.py
requirements.txt
.env
.git/
venv/
logs/
.dockerignore removes:
.env
.git
venv
logs6. Commands / Configuration
.git
.env
*.log
__pycache__
venv
node_modules
coverage
dist
build
# Build with detailed output
docker build --progress=plain -t myapp:dev .
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| .dockerignore | File containing patterns to exclude. |
| docker build . | Uses current directory as build context. |
| --progress=plain | Shows detailed build output useful in CI and debugging. |
8. Common Mistakes
- No .dockerignore.
- Sending .env into build context.
- Sending node_modules or venv.
- Ignoring large context size.
- Copying everything blindly.
9. Troubleshooting Steps
- If Dockerfile COPY cannot find a file, check whether .dockerignore excluded it.
- If build is slow, check context size and unnecessary folders.
- If secrets are included, rotate them and fix .dockerignore.
10. Student Practice
- Create .dockerignore for Python or Node project.
- Build before and after adding it.
- Observe context size in build output.
- Write why each ignore pattern exists.
11. Interview Answer
The build context is the set of files Docker can use during a build; .dockerignore excludes files from that context.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Build Cache and Layer Order
1. Clear Definition
Build Cache and Layer Order: Docker build cache reuses previous layers when instructions and their inputs have not changed.
2. Explanation for New People
Imagine you cook every day. If the rice is already cooked and unchanged, you do not cook it again. Docker build cache is similar. If a build step did not change, Docker can reuse it.
But if you write your Dockerfile in the wrong order, Docker may reinstall dependencies every time you change one source file.
3. Detailed Study Explanation
Docker reads Dockerfile instructions in order. If an instruction changes, that step and following steps may rebuild. So stable steps should come before frequently changing steps.
For Python, copy requirements.txt first and install dependencies. Then copy the source code. For Node.js, copy package.json/package-lock.json first, run npm ci, then copy the rest. This way, code changes do not reinstall dependencies unless dependency files changed.
Cache optimization is a major business benefit in CI/CD because it reduces build time and compute cost.
4. Business Use Case
A team has 80 microservices. Each build takes 10 minutes because dependencies reinstall every time. After fixing Dockerfile order and cache use, builds become much faster, saving developer time and CI cost.
5. Mental Model / Diagram
Bad:
COPY . .
RUN install dependencies
Good:
COPY dependency-file .
RUN install dependencies
COPY source .6. Commands / Configuration
# Python pattern
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
# Node pattern
COPY package*.json ./
RUN npm ci
COPY . .
docker build --progress=plain -t myapp:dev .
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| Copy dependency file first | This file changes less often. |
| Install dependencies second | This layer can be cached. |
| Copy source last | Source changes do not always break dependency cache. |
8. Common Mistakes
- Copying all source before dependency install.
- Changing early layers unnecessarily.
- Not reading cache output.
- No .dockerignore.
- Assuming cache always exists in CI.
9. Troubleshooting Steps
- If dependencies reinstall every build, check Dockerfile order.
- If cache is not used in CI, check builder/cache configuration.
- If unexpected old files appear, rebuild with no cache for verification.
10. Student Practice
- Build once.
- Change only source code and rebuild.
- Change dependency file and rebuild.
- Write which layers were reused.
11. Interview Answer
Docker build cache reuses previous layers when instructions and their inputs have not changed.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Image Layers, Tags, and Digests
1. Clear Definition
Image Layers, Tags, and Digests: Docker images are made of layers; tags are readable labels; digests identify exact image content.
2. Explanation for New People
A Docker image is not one single simple file. It is built from layers. Layers help Docker reuse work and save disk space. Tags are names like myapp:1.0.0 or nginx:alpine. Digests are exact content identifiers.
A tag is like a nickname. A digest is like a fingerprint.
3. Detailed Study Explanation
Layers come from image history and build steps. If two images use the same base layer, Docker can share that layer. This is why image pulling and caching can be efficient.
Tags are convenient but can move. For example, latest may point to one image today and another image tomorrow. For production, this can be risky if you do not know exactly what was deployed. Digests are content-addressed and identify the exact image.
A serious release process often records image name, tag, and digest. This helps rollback and audit.
4. Business Use Case
A production issue happens. The team checks the deployed image digest and compares it to the previous successful deployment. They roll back to the earlier image version quickly.
5. Mental Model / Diagram
Image:
Layer 1: base OS
Layer 2: runtime
Layer 3: dependencies
Layer 4: app files
Tag:
myapp:1.2.0
Digest:
sha256:exact-content-fingerprint6. Commands / Configuration
docker images
docker history myapp:dev
docker image inspect myapp:dev
docker tag myapp:dev myrepo/myapp:1.0.0
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker history | Shows image layers/history. |
| docker image inspect | Shows detailed image metadata. |
| docker tag | Adds another tag to an image. |
8. Common Mistakes
- Using latest everywhere.
- Not recording deployed digest.
- Thinking tag is always immutable.
- Not understanding image history.
- Pushing unclear tags.
9. Troubleshooting Steps
- If wrong version runs, inspect image tag/digest.
- If image too large, inspect layers.
- If pull gets unexpected content, check tag strategy.
10. Student Practice
- Inspect nginx layers.
- Tag your own image.
- Explain why latest is risky.
- Write a tag strategy for dev/qa/prod.
11. Interview Answer
Docker images are made of layers; tags are readable labels; digests identify exact image content.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Multi-Stage Builds with Real Examples
1. Clear Definition
Multi-Stage Builds with Real Examples: A multi-stage build uses multiple FROM stages so build tools stay in the build stage and only final runtime files go into the final image.
2. Explanation for New People
Some applications need tools only while building. A React app needs Node.js to build static files, but production only needs Nginx to serve the built files. A Go app needs a compiler to create a binary, but production only needs the binary.
Multi-stage builds split these responsibilities.
3. Detailed Study Explanation
The first stage is usually the build stage. It may contain compilers, package managers, source code, and dev dependencies. The final stage is the runtime stage. It should contain only what is needed to run the app.
This makes images smaller and safer. Smaller images pull faster, deploy faster, and often contain fewer vulnerable packages. Multi-stage builds are common in professional Dockerfiles.
Do not use multi-stage blindly. Always test the final image because sometimes required runtime files are accidentally not copied.
4. Business Use Case
A frontend image contains Node.js, node_modules, and source files. It is very large. The team uses a multi-stage build and final image contains only Nginx plus built static files. Deployment becomes faster.
5. Mental Model / Diagram
Stage 1:
node image -> install -> build -> dist/
Stage 2:
nginx image -> copy dist/ -> serve website6. Commands / Configuration
FROM node:20 AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
FROM nginx:alpine
COPY --from=build /app/dist /usr/share/nginx/html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| FROM node:20 AS build | Creates a build stage named build. |
| RUN npm run build | Creates production output. |
| FROM nginx:alpine | Starts final runtime stage. |
| COPY --from=build | Copies only build output from previous stage. |
8. Common Mistakes
- Copying too much into final stage.
- Forgetting runtime files.
- Not testing final image.
- Keeping build tools in final image.
- Not comparing image size.
9. Troubleshooting Steps
- If final app files missing, check COPY --from path.
- If build stage fails, debug dependency install/build command.
- If runtime fails, test final image independently.
10. Student Practice
- Create a simple multi-stage frontend image.
- Compare size with single-stage.
- Run final image.
- Explain which files are not in final image.
11. Interview Answer
A multi-stage build uses multiple FROM stages so build tools stay in the build stage and only final runtime files go into the final image.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
BuildKit and buildx for Modern Builds
1. Clear Definition
BuildKit and buildx for Modern Builds: BuildKit is Docker's modern build backend, and buildx exposes advanced build capabilities such as multi-platform builds, cache control, and advanced outputs.
2. Explanation for New People
At first, docker build is enough. Later, you will see buildx and BuildKit. They are used for modern, faster, and more powerful builds. Do not fear them. They are just advanced build tools around the same Dockerfile idea.
3. Detailed Study Explanation
BuildKit improves build performance and capabilities. It can skip unused stages, build independent stages in parallel, transfer only changed files, and support advanced features like build secrets.
buildx is commonly used for multi-platform builds. This matters because your laptop may be ARM64 and your production server may be AMD64. A multi-platform image can support both.
BuildKit also supports safer build secrets. Instead of using ARG or ENV for secret values, secret mounts make sensitive data available only during the build step that needs it.
4. Business Use Case
A company supports both amd64 and arm64 servers. CI uses buildx to build multi-platform images and push them to registry. Developers and servers pull the correct platform image.
5. Mental Model / Diagram
Dockerfile
|
BuildKit / buildx
|-- better caching
|-- multi-platform support
|-- build secrets
|-- parallel build behavior
|
image / registry6. Commands / Configuration
docker buildx version
docker buildx create --use
docker buildx build \
--platform linux/amd64,linux/arm64 \
-t myrepo/myapp:1.0.0 \
--push .
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker buildx version | Checks buildx availability. |
| --platform | Builds for selected CPU/OS platforms. |
| --push | Pushes result to registry instead of only local store. |
8. Common Mistakes
- Ignoring platform mismatch.
- Using secrets through ARG/ENV.
- Not testing on target platform.
- Assuming buildx is only for Kubernetes.
- Not configuring CI cache.
9. Troubleshooting Steps
- If image cannot run, check architecture/platform.
- If buildx builder missing, create/use a builder.
- If push fails, check registry login.
10. Student Practice
- Check buildx version.
- Find your machine architecture.
- Write when multi-platform images are needed.
- Explain BuildKit in one paragraph.
11. Interview Answer
BuildKit is Docker's modern build backend, and buildx exposes advanced build capabilities such as multi-platform builds, cache control, and advanced outputs.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Environment Variables and Runtime Settings
1. Clear Definition
Environment Variables and Runtime Settings: Runtime configuration is passed when a container starts, using environment variables, port mappings, volumes, networks, commands, and restart policies.
2. Explanation for New People
The same image should usually work in different environments. You should not build a new image only because the database host changed. Instead, pass configuration when the container starts.
For example, the same app image can run with APP_ENV=dev on your laptop and APP_ENV=prod on a server.
3. Detailed Study Explanation
A good image contains application code and dependencies. Environment-specific values should be provided at runtime. Common runtime values include database host, log level, API URL, feature flag, and environment name.
Do not store secrets in the Dockerfile. For local development, .env files are common, but do not commit real secrets. In production, use a secret manager or platform secret system.
Runtime settings also include memory limits, CPU limits, restart policies, container name, network, and command overrides. These settings define how the container behaves after image build.
4. Business Use Case
A company builds one payment-api image. Dev, QA, and production use the same image but different database endpoints and log levels. This supports build-once-promote workflow.
5. Mental Model / Diagram
Image:
payment-api:1.0.0
Dev runtime:
APP_ENV=dev
DB_HOST=dev-db
QA runtime:
APP_ENV=qa
DB_HOST=qa-db6. Commands / Configuration
docker run --name api \
-e APP_ENV=dev \
-e DB_HOST=dev-db \
-p 8000:8000 \
--restart unless-stopped \
myapi:1.0.0
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| -e APP_ENV=dev | Passes environment variable. |
| -p 8000:8000 | Publishes port. |
| --restart unless-stopped | Restarts container unless manually stopped. |
| --name api | Gives a friendly container name. |
8. Common Mistakes
- Hard-coding environment-specific values.
- Putting secrets in Dockerfile.
- No documentation of required variables.
- Building separate images for every environment.
- Using random names/scripts.
9. Troubleshooting Steps
- If app says config missing, inspect env variables.
- If container restarts, check logs and restart policy.
- If port fails, check mapping and app bind address.
10. Student Practice
- Run same image with APP_ENV=dev and APP_ENV=test.
- Print the variable from app.
- Document required variables.
- Classify variables as config or secret.
11. Interview Answer
Runtime configuration is passed when a container starts, using environment variables, port mappings, volumes, networks, commands, and restart policies.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Container Writable Layer: Why Data Disappears
1. Clear Definition
Container Writable Layer: Why Data Disappears: A container writable layer stores changes made inside one container, but it is not a safe place for important persistent data.
2. Explanation for New People
If you create a file inside a container and then remove the container, the file may disappear. This surprises many students. The reason is that containers are designed to be replaceable. The container's writable layer belongs to that container.
3. Detailed Study Explanation
Docker images are read-only. A running container gets a writable layer on top. This writable layer stores changes made during runtime. It is useful for temporary files, but not for important business data.
If a database writes data only into the container writable layer, removing the container can remove the data. This is why Docker provides volumes, bind mounts, and other storage options.
The core rule for students: container can be temporary; important data needs persistent storage.
4. Business Use Case
A developer runs a database in a container and stores test records. Later they remove the container and data is gone. The team learns to use named volumes for database data.
5. Mental Model / Diagram
Read-only image layers
+
Container writable layer
|
Temporary data unless volume/mount is used6. Commands / Configuration
docker run --name temp alpine sh -c "echo hello > /demo.txt"
docker diff temp
docker rm temp
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker diff temp | Shows filesystem changes in the container. |
| docker rm temp | Removes container and its writable layer. |
| /demo.txt | File created only inside that container. |
8. Common Mistakes
- Saving important data only inside container.
- Confusing restart with remove.
- No volume for database.
- Removing containers without checking data.
- Assuming Docker stores all data forever.
9. Troubleshooting Steps
- If data disappeared, check whether a volume was used.
- Inspect container mounts before removal.
- Use backups for important volume data.
10. Student Practice
- Create a file in a container.
- Use docker diff.
- Remove container and observe result.
- Repeat using a volume.
11. Interview Answer
A container writable layer stores changes made inside one container, but it is not a safe place for important persistent data.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Volumes for Persistent Data
1. Clear Definition
Docker Volumes for Persistent Data: A Docker volume is Docker-managed persistent storage that can survive container removal and be reused by new containers.
2. Explanation for New People
A volume is like a separate storage box attached to a container. The container can be replaced, but the box can remain. This is why volumes are used for database files and application-generated data.
3. Detailed Study Explanation
Volumes are managed by Docker and stored in Docker's storage area. They are preferred for data generated and used by containers because they are independent of one specific container lifecycle.
When a database container uses a volume, the database writes to a path inside the container, but that path maps to the volume. If the container is removed and recreated with the same volume, the data can still exist.
Remember: volume persistence is not the same as backup. A volume can still be deleted or corrupted. Important data needs backup and restore planning.
4. Business Use Case
A student registration app uses PostgreSQL. Developers want database data to remain even if the db container is recreated. They store PostgreSQL data in a named volume pgdata.
5. Mental Model / Diagram
PostgreSQL container:
/var/lib/postgresql/data
|
v
Docker volume:
pgdata
Container can be removed; volume can remain.6. Commands / Configuration
docker volume create pgdata
docker run -d --name db \
-e POSTGRES_PASSWORD=pass \
-v pgdata:/var/lib/postgresql/data \
postgres:16
docker volume ls
docker volume inspect pgdata
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker volume create pgdata | Creates a named volume. |
| -v pgdata:/var/lib/postgresql/data | Mounts volume into the database data path. |
| docker volume inspect | Shows volume details. |
8. Common Mistakes
- No volume for database.
- Removing volumes accidentally.
- No backup.
- Mounting volume to wrong path.
- Thinking volume means automatic disaster recovery.
9. Troubleshooting Steps
- If data not persisting, confirm correct volume path.
- Use docker inspect to check mounts.
- Check app/database actually writes to the mounted path.
10. Student Practice
- Run PostgreSQL with a volume.
- Remove and recreate container with same volume.
- Verify data remains.
- Write backup command.
11. Interview Answer
A Docker volume is Docker-managed persistent storage that can survive container removal and be reused by new containers.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Bind Mounts for Development
1. Clear Definition
Bind Mounts for Development: A bind mount maps a file or directory from the host machine into a container.
2. Explanation for New People
When developing, you edit files on your laptop. You may want the container to see those changes immediately. A bind mount lets your host folder appear inside the container.
3. Detailed Study Explanation
Bind mounts are common in development because they let source code on the host be used by the container. You can edit code in VS Code and run it inside a container without rebuilding every time.
But bind mounts depend on host paths and permissions. If the host path does not exist, or if permissions differ, the container may fail. Bind mounts can also hide files already inside the image at the mount destination. This can surprise students.
For persistent container-managed data, volumes are usually better. For local code editing, bind mounts are very useful.
4. Business Use Case
A Node.js team runs the app in a container but edits source code locally. A bind mount maps ./src into /app/src so changes appear immediately during development.
5. Mental Model / Diagram
Host folder:
./src
Container path:
/app/src
Bind mount:
./src -> /app/src6. Commands / Configuration
docker run --rm -it \
--mount type=bind,src="$(pwd)",dst=/app \
-w /app \
node:20 \
npm test
# Read-only example
docker run --rm \
--mount type=bind,src="$(pwd)",dst=/app,readonly \
alpine ls /app
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| --mount type=bind | Uses a bind mount. |
| src=$(pwd) | Host directory to mount. |
| dst=/app | Path inside container. |
| readonly | Prevents container from writing to that mount. |
8. Common Mistakes
- Using bind mounts for production data without planning.
- Wrong path.
- Permission mismatch.
- Mount hiding image files.
- Committing local-only paths.
9. Troubleshooting Steps
- If files missing, check host path and mount target.
- If permission denied, check user IDs and file permissions.
- If image files disappeared, check whether bind mount hides them.
10. Student Practice
- Mount current folder into Alpine.
- List files from inside container.
- Try read-only mount.
- Compare bind mount and volume use cases.
11. Interview Answer
A bind mount maps a file or directory from the host machine into a container.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Backup and Restore for Docker Data
1. Clear Definition
Backup and Restore for Docker Data: Backup and restore means copying persistent Docker data to a safe location and proving it can be recovered.
2. Explanation for New People
A volume keeps data when a container is removed, but it is not a backup by itself. If the volume is deleted, corrupted, or the host machine fails, data can still be lost.
3. Detailed Study Explanation
For real business systems, persistence and backup are different. Persistence means data survives normal container recreation. Backup means data can be recovered after deletion, corruption, or system failure.
For databases, official database dump tools are often safer than raw file copies. For learning, you can use a temporary container to tar volume contents. The most important lesson is: test restore. A backup you cannot restore is not useful.
Document backup frequency, retention, encryption, owner, and restore procedure for business systems.
4. Business Use Case
A small internal tool stores uploaded files in a Docker volume. After a cleanup command deletes the volume, files are lost. The team adds scheduled backups and restore testing.
5. Mental Model / Diagram
Volume -> backup file/location -> restore test -> documented recovery6. Commands / Configuration
# Backup a volume
docker run --rm \
-v pgdata:/data \
-v "$(pwd)":/backup \
alpine \
tar czf /backup/pgdata-backup.tgz -C /data .
# Restore to a new volume
docker volume create pgdata-restore
docker run --rm \
-v pgdata-restore:/data \
-v "$(pwd)":/backup \
alpine \
tar xzf /backup/pgdata-backup.tgz -C /data
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| -v pgdata:/data | Mounts source volume. |
| -v $(pwd):/backup | Mounts host folder for backup file. |
| tar czf | Creates compressed backup. |
| restore volume | Tests recovery into a new volume. |
8. Common Mistakes
- Thinking volume equals backup.
- Never testing restore.
- Backing up running databases incorrectly.
- No retention policy.
- No documentation.
9. Troubleshooting Steps
- If backup file empty, check mount path.
- If restore fails, check archive path and permissions.
- If database backup inconsistent, use database-native backup tools.
10. Student Practice
- Create a volume with files.
- Back it up.
- Restore into a new volume.
- Verify restored content.
- Write backup/restore README.
11. Interview Answer
Backup and restore means copying persistent Docker data to a safe location and proving it can be recovered.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Networking for New Students
1. Clear Definition
Docker Networking for New Students: Docker networking controls how containers communicate with each other, with the host, and with external systems.
2. Explanation for New People
A container is isolated. It does not automatically share your host network in the same way a normal app does. Docker creates networks so containers can communicate.
The most common beginner pattern is: app container and database container are on the same Docker network. The app connects to the database using the database container/service name, not localhost.
3. Detailed Study Explanation
Docker uses network drivers. The bridge driver is common for local containers. Containers on a user-defined bridge network can communicate and resolve each other by name. This name-based communication is very important in Compose.
There are two separate ideas: container-to-container communication and host-to-container access. Container-to-container communication uses Docker networks. Host-to-container access usually requires port publishing.
Do not publish internal services unnecessarily. If only the API needs to talk to the database, the database does not need a host port.
4. Business Use Case
A backend API needs PostgreSQL. Both containers are on app-net. API uses DB_HOST=db. Only API is published to host. Database remains private to the Docker network.
5. Mental Model / Diagram
Host browser -> published API port
API container -> Docker network -> DB container
API uses hostname: db6. Commands / Configuration
docker network create app-net
docker run -d --name db --network app-net postgres:16
docker run -d --name api --network app-net -p 8000:8000 myapi:dev
docker network inspect app-net
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker network create app-net | Creates a user-defined bridge network. |
| --network app-net | Attaches container to that network. |
| docker network inspect | Shows connected containers and network details. |
8. Common Mistakes
- Using localhost for another container.
- Publishing database ports unnecessarily.
- Not using custom networks.
- Confusing host and container ports.
- Not inspecting networks.
9. Troubleshooting Steps
- Check both containers are on same network.
- Use service/container name, not localhost.
- Check app bind address and port publishing.
- Use docker network inspect.
10. Student Practice
- Create a network.
- Run two containers on it.
- Resolve one container by name.
- Explain when ports need publishing.
11. Interview Answer
Docker networking controls how containers communicate with each other, with the host, and with external systems.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Port Publishing and Localhost Confusion
1. Clear Definition
Port Publishing and Localhost Confusion: Port publishing maps host traffic to a container port; localhost means different things depending on where the command runs.
2. Explanation for New People
This is one of the biggest Docker beginner problems. On your laptop, localhost means your laptop. Inside a container, localhost means that container itself. Inside another container, localhost means that other container.
If your API container tries to connect to localhost:5432, it is trying to connect to PostgreSQL inside the API container, not the db container.
3. Detailed Study Explanation
For host-to-container access, use -p host_port:container_port. For container-to-container access, use Docker network service names. In Compose, if your database service is named db, the app should connect to db:5432.
Also check application bind address. Many frameworks bind to 127.0.0.1 by default. Inside a container, this may prevent traffic from reaching the app through published ports. For containers, apps usually need to listen on 0.0.0.0.
Understanding localhost, port publishing, and service names solves many Docker issues.
4. Business Use Case
A QA environment fails because API uses DB_HOST=localhost. The database is in another container named db. Changing DB_HOST=db fixes connectivity.
5. Mental Model / Diagram
Host:
localhost = host machine
API container:
localhost = API container
DB container:
localhost = DB container
API to DB:
use hostname db on Docker network6. Commands / Configuration
docker run -d --name api -p 8000:8000 myapi:dev
docker port api
docker exec -it api sh
# Inside container
curl http://localhost:8000
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| host_port:container_port | Left side is host, right side is container. |
| docker port api | Displays published ports. |
| localhost inside container | Means the container itself. |
8. Common Mistakes
- Using localhost to connect to another container.
- Reversing port mapping order.
- Forgetting app must bind to 0.0.0.0.
- Publishing internal DB ports without need.
- Testing only from browser.
9. Troubleshooting Steps
- If host cannot access app, check -p and app bind address.
- If app cannot access db, check DB_HOST and network.
- If port busy, choose another host port.
10. Student Practice
- Run a web app with and without -p.
- Change host port.
- Explain localhost in host vs container.
- Fix DB_HOST from localhost to db.
11. Interview Answer
Port publishing maps host traffic to a container port; localhost means different things depending on where the command runs.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Network Troubleshooting
1. Clear Definition
Docker Network Troubleshooting: Docker network troubleshooting checks container state, published ports, bind address, network membership, service-name DNS, and host firewall/proxy rules.
2. Explanation for New People
If an app is not reachable, do not immediately rebuild. First ask: is the container running? Is the port published? Is the app listening inside the container? Is the app on the right network? Is the hostname correct?
3. Detailed Study Explanation
Troubleshooting should be layered. For host access, check docker ps, docker port, curl from host, and application logs. For container-to-container access, exec into one container and test DNS or connection to the other service name.
If DNS fails, check whether both containers are on the same user-defined network. If DNS works but connection fails, check the service port and application readiness. If external internet fails, check DNS, proxy, VPN, Docker daemon network, and firewall.
Write results down. Network issues are easier when you compare expected path and actual failure point.
4. Business Use Case
A developer says Redis is down. The Redis container is running. API logs show connection refused to localhost:6379. The real issue is wrong hostname. REDIS_HOST should be redis.
5. Mental Model / Diagram
Check order:
1. Container running?
2. Port published?
3. App listening?
4. Correct network?
5. Correct service name?
6. DNS works?
7. Firewall/proxy?6. Commands / Configuration
docker ps
docker port api
docker logs api
docker network inspect app-net
docker exec -it api sh
nslookup db
ping db
curl http://db:5432
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker network inspect | Shows containers on a network. |
| nslookup db | Tests container DNS. |
| ping db | Tests name resolution and reachability if ping is available. |
| curl | Tests HTTP services. |
8. Common Mistakes
- Testing only from the host.
- Not checking service names.
- Ignoring app logs.
- Forgetting app bind address.
- Publishing ports instead of fixing internal network.
9. Troubleshooting Steps
- Use docker exec to test from inside the source container.
- Check service is listening on expected port.
- Check network membership.
- Check logs on both source and destination services.
10. Student Practice
- Create wrong service name issue.
- Fix it.
- Create missing network issue.
- Fix it.
- Write a network troubleshooting checklist.
11. Interview Answer
Docker network troubleshooting checks container state, published ports, bind address, network membership, service-name DNS, and host firewall/proxy rules.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Compose: Multi-Container Apps
1. Clear Definition
Docker Compose: Multi-Container Apps: Docker Compose defines and runs multi-container applications using a compose.yaml file.
2. Explanation for New People
Real applications usually need more than one container. An API may need a database. A worker may need Redis. A frontend may need a backend. Starting all of them manually with docker run becomes difficult.
Compose puts the full setup in one file. This file becomes both documentation and automation.
3. Detailed Study Explanation
Compose describes services, networks, volumes, ports, environment variables, dependencies, builds, images, commands, and health checks. When you run docker compose up, Compose creates the needed network and starts services.
Compose is excellent for local development, QA, demos, and learning. It teaches how real applications are made of multiple components. In Compose, services can communicate by service name. If the database service is named db, the API can use DB_HOST=db.
Compose is not only a shortcut. It is a readable description of your application architecture.
4. Business Use Case
A new developer joins a project with API, PostgreSQL, Redis, and Nginx. Instead of installing each tool manually, the developer runs docker compose up and gets the same stack as the team.
5. Mental Model / Diagram
compose.yaml:
services:
api
db
redis
volumes:
pgdata
networks:
default app network6. Commands / Configuration
docker compose version
docker compose up --build
docker compose ps
docker compose logs -f
docker compose down
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker compose up | Starts services defined in compose.yaml. |
| --build | Builds images before starting. |
| docker compose ps | Shows service containers. |
| docker compose logs -f | Follows logs. |
| docker compose down | Stops and removes stack resources created by Compose. |
8. Common Mistakes
- No Compose file for multi-container app.
- Using localhost between services.
- Forgetting database volume.
- Hard-coding secrets.
- Not reading compose logs.
9. Troubleshooting Steps
- Run docker compose config to validate.
- Check docker compose ps.
- Check logs for failing service.
- Use service names for internal connections.
10. Student Practice
- Create compose.yaml with API and DB.
- Run it.
- Check logs.
- Stop it.
- Explain each section.
11. Interview Answer
Docker Compose defines and runs multi-container applications using a compose.yaml file.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
compose.yaml Services, Networks, and Volumes
1. Clear Definition
compose.yaml Services, Networks, and Volumes: Compose services define application components, networks define communication, and volumes define persistent storage.
2. Explanation for New People
A Compose file is not just a random YAML file. It is an application map. Each service is one part of the app. Networks decide how parts talk. Volumes decide what data remains.
3. Detailed Study Explanation
A service can use an existing image or build from a Dockerfile. It can publish ports, define environment variables, mount volumes, define dependencies, and run health checks.
Compose creates a default network, but you can define custom networks. Services on the same network can reach each other by service name. You can also define named volumes for databases.
For students, the goal is to look at compose.yaml and understand the full app stack: what starts, what talks to what, what is public, and what data persists.
4. Business Use Case
A CRM application has frontend, API, database, and Redis. Compose defines all services. Only frontend/API ports are published. Database and Redis stay internal. PostgreSQL data uses a named volume.
5. Mental Model / Diagram
Frontend -> API -> DB
|
v
Redis
DB uses volume pgdata6. Commands / Configuration
services:
api:
build: .
ports:
- "8000:8000"
environment:
DB_HOST: db
REDIS_HOST: redis
depends_on:
- db
- redis
db:
image: postgres:16
environment:
POSTGRES_PASSWORD: pass
volumes:
- pgdata:/var/lib/postgresql/data
redis:
image: redis:7-alpine
volumes:
pgdata:
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| services | Defines application components. |
| ports | Publishes host-to-container ports. |
| environment | Passes runtime configuration. |
| depends_on | Defines startup dependency order. |
| volumes | Defines persistent storage. |
8. Common Mistakes
- Publishing every service.
- No volume for database.
- Using localhost in API config.
- Hard-coding production secrets.
- No comments/README.
9. Troubleshooting Steps
- Use docker compose config to validate YAML.
- Check service logs individually.
- Check service names and environment variables.
- Inspect volumes and networks.
10. Student Practice
- Add Redis service to a Compose app.
- Use REDIS_HOST=redis.
- Add volume for DB.
- Explain which service is public.
11. Interview Answer
Compose services define application components, networks define communication, and volumes define persistent storage.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Compose Health Checks and Startup Order
1. Clear Definition
Compose Health Checks and Startup Order: Health checks test whether a service is ready; startup order only controls which container starts first.
2. Explanation for New People
A container can be started but not ready. A database may need time to initialize. If the API starts too early, it may fail. This is why startup order and readiness are not the same.
3. Detailed Study Explanation
depends_on can control order, but a service being started does not always mean it is ready. Compose supports health checks and dependency conditions such as service_healthy. The database can be marked healthy only after a command like pg_isready succeeds.
Applications should also have retry logic. Even if the database is healthy at startup, it can restart later. A robust app should retry connections instead of crashing permanently.
Health checks are also important in production platforms. They help decide if traffic should be sent to a service.
4. Business Use Case
A QA stack randomly fails because the API starts before PostgreSQL is ready. Adding a PostgreSQL health check and service_healthy dependency stabilizes startup.
5. Mental Model / Diagram
Container started -> process running
Health check passes -> service ready
Dependent service starts -> app can connect6. Commands / Configuration
services:
db:
image: postgres:16
environment:
POSTGRES_PASSWORD: pass
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres"]
interval: 5s
timeout: 3s
retries: 10
api:
build: .
depends_on:
db:
condition: service_healthy
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| healthcheck | Defines readiness test. |
| pg_isready | PostgreSQL readiness check. |
| condition: service_healthy | Starts dependent service after health check passes. |
| retries/interval/timeout | Controls health check timing. |
8. Common Mistakes
- Thinking depends_on always means ready.
- No health endpoint.
- No retry logic in app.
- Health check too heavy.
- Ignoring unhealthy state.
9. Troubleshooting Steps
- Check docker compose ps health status.
- Check health check command manually.
- Read service logs.
- Add app retry logic.
10. Student Practice
- Add health check for database.
- Break DB password and observe failure.
- Add API /health endpoint.
- Explain started vs healthy.
11. Interview Answer
Health checks test whether a service is ready; startup order only controls which container starts first.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Compose Profiles and Watch for Development
1. Clear Definition
Compose Profiles and Watch for Development: Compose profiles enable optional services, and Compose Watch can update running services as files change during development.
2. Explanation for New People
Not every service is needed every time. You may need phpMyAdmin only when debugging. Profiles let you start optional services only when needed. Watch helps development by syncing or rebuilding when files change.
3. Detailed Study Explanation
Profiles keep Compose files clean. Instead of maintaining separate compose files for every optional tool, you can mark services with profiles. Then start them only with --profile.
Compose Watch improves development speed. It can sync source files into running containers, rebuild when dependency files change, or restart services. It is useful when you want a fast edit-test loop.
Students should still understand Dockerfile, volumes, and bind mounts. Watch is not magic. It works best when you know which files should sync and which changes require rebuild.
4. Business Use Case
A team uses normal services for app/db/redis. Debug tools run only with --profile debug. During UI development, Compose Watch syncs source changes quickly.
5. Mental Model / Diagram
Normal:
docker compose up
With debug tools:
docker compose --profile debug up
With live development:
docker compose watch6. Commands / Configuration
services:
adminer:
image: adminer
profiles: ["debug"]
ports:
- "8081:8080"
web:
build: .
develop:
watch:
- action: sync
path: ./src
target: /app/src
- action: rebuild
path: package.json
# Run optional profile
docker compose --profile debug up
# Watch files
docker compose watch
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| profiles | Marks services as optional. |
| --profile debug | Enables optional services. |
| develop.watch | Defines development file watching behavior. |
| sync/rebuild | Controls what happens when files change. |
8. Common Mistakes
- Starting debug tools always.
- Watching too many files.
- Syncing node_modules unnecessarily.
- Not knowing when rebuild is needed.
- No .dockerignore.
9. Troubleshooting Steps
- If profile service not starting, check --profile flag.
- If watch does not update, check paths and Compose version.
- If rebuild loops, ignore generated files.
10. Student Practice
- Add optional admin tool with profile.
- Start with and without profile.
- Add watch rules for src.
- Document your development workflow.
11. Interview Answer
Compose profiles enable optional services, and Compose Watch can update running services as files change during development.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Registry, Login, Push, Pull, and Tags
1. Clear Definition
Registry, Login, Push, Pull, and Tags: A registry stores images; push uploads images; pull downloads images; tags identify image versions.
2. Explanation for New People
Building an image on your laptop is local. Other people cannot automatically use it. To share it, push it to a registry. A registry is like a storage server for images.
Tags help identify image versions. A good tag tells the team what version is being used.
3. Detailed Study Explanation
Public images are commonly pulled from Docker Hub. Companies often use private registries to protect internal application images. You usually need docker login before pushing to a private registry.
Tagging strategy is important. latest is convenient but risky for serious deployments. Use version tags, Git SHA tags, or build numbers. For production, record the digest too.
A good release flow builds once, tests, scans, pushes, and promotes the same image across environments.
4. Business Use Case
A company builds myapp:git-abc123 in CI and pushes it to a private registry. QA and production pull the same image version. Rollback uses a previous tag.
5. Mental Model / Diagram
Local image -> docker tag -> registry name
docker push -> registry
deployment server -> docker pull -> run container6. Commands / Configuration
docker build -t myapp:dev .
docker tag myapp:dev myrepo/myapp:1.0.0
docker login
docker push myrepo/myapp:1.0.0
docker pull myrepo/myapp:1.0.0
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker tag | Creates a new tag for an image. |
| docker login | Authenticates to a registry. |
| docker push | Uploads image. |
| docker pull | Downloads image. |
8. Common Mistakes
- Using latest for all releases.
- No tag strategy.
- Pushing secrets inside images.
- Not logging into correct registry.
- No rollback version.
9. Troubleshooting Steps
- If push denied, check login and repository permission.
- If image not found, check name/tag.
- If wrong image runs, inspect tag and digest.
10. Student Practice
- Tag a local image.
- Write a tag strategy.
- Push to a registry if available.
- Explain rollback using old tag.
11. Interview Answer
A registry stores images; push uploads images; pull downloads images; tags identify image versions.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker in CI/CD Pipelines
1. Clear Definition
Docker in CI/CD Pipelines: Docker in CI/CD means building, testing, scanning, tagging, pushing, and deploying container images automatically.
2. Explanation for New People
CI/CD is automation for software delivery. Docker gives CI/CD a clear package: the image. Instead of copying files and installing dependencies manually, the pipeline builds an image and moves that image forward.
3. Detailed Study Explanation
A practical pipeline may do these steps: checkout code, build image, run unit tests, run integration tests, scan image, tag with Git SHA, push to registry, deploy to test environment, run smoke test, and promote to production after approval.
The image should be traceable to source code. If production fails, you should know exactly which Git commit and image tag/digest is running. This is important for rollback, audit, and incident response.
Docker helps ensure tests run against the same runtime package that will be deployed.
4. Business Use Case
A fintech API cannot be deployed manually because risk is high. CI builds the image, runs tests, scans vulnerabilities, pushes approved images, and production deploys only approved tags.
5. Mental Model / Diagram
Code commit -> build image -> test -> scan -> tag -> push -> deploy -> smoke test -> promote6. Commands / Configuration
docker build -t myrepo/myapp:$GIT_SHA .
docker run --rm myrepo/myapp:$GIT_SHA pytest
docker scout cves myrepo/myapp:$GIT_SHA
docker push myrepo/myapp:$GIT_SHA
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| $GIT_SHA | Unique commit-based tag. |
| docker run --rm ... pytest | Runs tests in container. |
| docker scout cves | Scans image vulnerabilities. |
| docker push | Publishes approved image. |
8. Common Mistakes
- No immutable tag.
- Skipping tests.
- Skipping scan.
- Rebuilding separately for each environment.
- No rollback plan.
9. Troubleshooting Steps
- If CI build fails, read Dockerfile step.
- If registry push fails, check credentials.
- If test fails only in container, compare environment differences.
10. Student Practice
- Write a CI pipeline plan.
- Choose tags for dev/qa/prod.
- Add test and scan step.
- Write rollback steps.
11. Interview Answer
Docker in CI/CD means building, testing, scanning, tagging, pushing, and deploying container images automatically.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Security Basics for Students
1. Clear Definition
Docker Security Basics for Students: Docker security means protecting the image, container runtime, host, registry, secrets, network exposure, and CI/CD supply chain.
2. Explanation for New People
Docker makes running apps easier, but easy does not mean automatically secure. A bad Dockerfile can include secrets. A container can run as root. A database port can be exposed by mistake. An old base image can contain vulnerabilities.
3. Detailed Study Explanation
Security starts during build. Use trusted base images, keep dependencies updated, avoid unnecessary packages, use .dockerignore, and scan images. Do not copy .env files, SSH keys, tokens, or passwords into images.
Runtime security means least privilege. Run as non-root when possible. Avoid privileged containers. Drop unnecessary Linux capabilities. Publish only required ports. Avoid mounting the Docker socket unless absolutely necessary.
Operational security includes registry permissions, vulnerability policies, logging, monitoring, and incident response.
4. Business Use Case
A company discovers an API container runs as root and the Dockerfile copied .env into the image. The team rotates secrets, fixes .dockerignore, adds non-root USER, and adds image scanning.
5. Mental Model / Diagram
Security layers:
Source code
Dockerfile
Build context
Image
Registry
Container runtime
Network exposure
Host
Monitoring6. Commands / Configuration
docker history myapp:dev
docker scout cves myapp:dev
docker run --user 1000:1000 myapp:dev
docker run --cap-drop ALL myapp:dev
docker run --read-only --tmpfs /tmp myapp:dev
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker history | Can reveal risky image history patterns. |
| docker scout cves | Checks known vulnerabilities. |
| --user | Runs container as selected user. |
| --cap-drop ALL | Drops Linux capabilities. |
| --read-only | Makes root filesystem read-only. |
8. Common Mistakes
- Putting secrets in image.
- Running as root unnecessarily.
- Publishing internal ports.
- Mounting Docker socket.
- Ignoring scan results.
9. Troubleshooting Steps
- If app fails as non-root, check file permissions.
- If read-only breaks app, mount writable tmp or data path.
- If scan finds vulnerability, update base/dependencies and rebuild.
10. Student Practice
- Review a Dockerfile for secrets.
- Add .dockerignore.
- Run as non-root.
- Scan image.
- Write a security checklist.
11. Interview Answer
Docker security means protecting the image, container runtime, host, registry, secrets, network exposure, and CI/CD supply chain.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Secrets: What Not to Put in Docker Images
1. Clear Definition
Secrets: What Not to Put in Docker Images: Secrets are sensitive values like passwords, API keys, tokens, certificates, and private keys that must not be baked into Docker images.
2. Explanation for New People
If you put a password in a Dockerfile, it may remain in image history. If you copy .env into the image, anyone with image access may read it. This is one of the most serious beginner mistakes.
3. Detailed Study Explanation
Build-time secrets and runtime secrets are different. If a build needs private package access, use BuildKit secret mounts instead of ARG or ENV. Build arguments and environment variables can persist in metadata or image layers depending on use, so they are not appropriate for sensitive build secrets.
For runtime, production systems should use secret managers or orchestrator secret features. For local practice, .env is common, but real secrets must not be committed to Git or copied into images.
The safe principle is: an image should be shareable without exposing credentials.
4. Business Use Case
A CI pipeline needs a token to download a private dependency. The team uses BuildKit secret mounts so the token is temporarily available during build but not saved in final image layers.
5. Mental Model / Diagram
Bad:
Dockerfile contains API_KEY
Better:
Build secret mount for build
Runtime secret manager for running container6. Commands / Configuration
# Bad idea:
# ENV API_KEY=my-secret
# BuildKit secret example
docker build --secret id=npmrc,src=$HOME/.npmrc -t myapp:dev .
# Dockerfile example line:
# RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| --secret | Passes secret to build safely. |
| id=npmrc | Secret identifier. |
| target=/root/.npmrc | Where secret appears temporarily during build. |
| Do not use ENV for secrets | Avoid baking secret into image metadata/layers. |
8. Common Mistakes
- Using ENV for passwords in Dockerfile.
- Committing .env.
- Copying SSH keys.
- Printing secrets in logs.
- Using ARG for sensitive values.
9. Troubleshooting Steps
- If secret leaked, rotate it immediately.
- Check docker history.
- Check .dockerignore and Git history.
- Move secret to proper secret manager.
10. Student Practice
- Create .dockerignore excluding .env.
- Inspect image history.
- Write safe secret handling rules.
- Explain build secret vs runtime secret.
11. Interview Answer
Secrets are sensitive values like passwords, API keys, tokens, certificates, and private keys that must not be baked into Docker images.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Scout, SBOM, and Image Scanning
1. Clear Definition
Docker Scout, SBOM, and Image Scanning: Docker Scout analyzes images, extracts or uses SBOM information, and compares packages against vulnerability data.
2. Explanation for New People
A Docker image contains many things: base image packages, OS libraries, language dependencies, and your application files. You may not know every package manually. An SBOM helps list what is inside.
3. Detailed Study Explanation
SBOM means Software Bill of Materials. It is like an ingredient list for software. Docker Scout can analyze images and show known vulnerabilities. This helps teams find risky packages before production.
A scan result is not the final answer by itself. Teams must review severity, exploitability, base image updates, package updates, and exceptions. Some vulnerabilities are fixed by updating base images. Some require application dependency updates.
Scanning should happen in CI/CD and after release too, because new vulnerabilities can be discovered after an image was built.
4. Business Use Case
A company requires no critical vulnerabilities before production. CI runs Docker Scout. If a critical issue appears, the release is blocked or requires approval and remediation plan.
5. Mental Model / Diagram
Image -> SBOM/package inventory -> vulnerability database -> scan report -> fix/approve decision6. Commands / Configuration
docker scout cves myapp:dev
docker scout sbom myapp:dev
docker scout sbom --output myapp-sbom.json myapp:dev
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker scout cves | Shows vulnerability information. |
| docker scout sbom | Shows software bill of materials. |
| --output | Writes SBOM to a file. |
8. Common Mistakes
- Ignoring scan results.
- Not updating base images.
- No policy for vulnerabilities.
- Thinking one clean scan is permanent.
- Not tracking dependencies.
9. Troubleshooting Steps
- If scan finds old OS packages, update base image.
- If app dependency vulnerable, update dependency lock file.
- If false positive suspected, document exception.
10. Student Practice
- Scan one image.
- Generate SBOM.
- Identify base image packages.
- Write remediation plan for one vulnerability.
11. Interview Answer
Docker Scout analyzes images, extracts or uses SBOM information, and compares packages against vulnerability data.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Troubleshooting Playbook
1. Clear Definition
Docker Troubleshooting Playbook: A troubleshooting playbook is a structured process for diagnosing Docker problems using evidence.
2. Explanation for New People
When something fails, do not randomly delete containers or run prune. First collect evidence. Docker gives you commands to see state, logs, configuration, ports, networks, volumes, and disk usage.
3. Detailed Study Explanation
Start by classifying the problem. Is it build failure, image pull failure, container exit, app unreachable, database connection issue, permission issue, volume issue, registry issue, or security scan issue?
For runtime issues, check docker ps -a, logs, exit code, inspect, port mapping, environment variables, networks, and volumes. For build issues, check Dockerfile step, build context, .dockerignore, package install logs, and internet/proxy. For registry issues, check login, image name, tag, permissions, and platform.
A professional troubleshooting note includes symptom, scope, command, expected result, actual result, root cause, fix, and prevention.
4. Business Use Case
A release is blocked because API container exits. Logs show DATABASE_URL missing. The team updates Compose environment and README. The issue is fixed and documented.
5. Mental Model / Diagram
Symptom -> category -> evidence -> root cause -> fix -> prevention
Evidence:
ps -a, logs, inspect, port, network, volume, env6. Commands / Configuration
docker ps -a
docker logs <container>
docker inspect <container>
docker port <container>
docker network inspect <network>
docker volume inspect <volume>
docker exec -it <container> sh
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| ps -a | Find stopped containers. |
| logs | Read application output. |
| inspect | See configuration metadata. |
| port | Check published ports. |
| network inspect | Check network membership. |
| volume inspect | Check volume details. |
8. Common Mistakes
- Deleting evidence before reading logs.
- Not checking stopped containers.
- Confusing build and runtime problems.
- Ignoring environment variables.
- No root cause note.
9. Troubleshooting Steps
- Always start with exact error and command.
- Check state and logs before changes.
- Change one thing at a time.
- Document final fix.
10. Student Practice
- Create a missing env variable failure.
- Create a wrong port mapping issue.
- Create a wrong network issue.
- Write root cause notes.
11. Interview Answer
A troubleshooting playbook is a structured process for diagnosing Docker problems using evidence.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Build Failures: How to Read Docker Build Errors
1. Clear Definition
Build Failures: How to Read Docker Build Errors: A Docker build failure occurs when one Dockerfile instruction cannot complete successfully.
2. Explanation for New People
When docker build fails, read the exact step that failed. Docker builds line by line. The failing line usually tells you what to fix: missing file, package install error, wrong command, permission problem, network problem, or syntax issue.
3. Detailed Study Explanation
Use --progress=plain to see detailed output. If COPY fails, check build context, file path, and .dockerignore. If RUN pip install or npm ci fails, read dependency errors. If apt-get fails, check package name and network access. If command not found, check base image and installed tools.
Do not fix build errors by copying random commands from internet. Understand which layer failed and why. A Docker build should be reproducible.
4. Business Use Case
A CI build fails because requirements.txt was excluded by .dockerignore. Developers cannot deploy. Reading build output shows COPY requirements.txt failed. The team fixes .dockerignore.
5. Mental Model / Diagram
Build error flow:
Find failed step -> read error -> check files/context -> check command -> rebuild -> document fix6. Commands / Configuration
docker build --progress=plain -t myapp:dev .
# Build without cache only for verification
# Do not use as permanent solution for every issue
docker build --no-cache -t myapp:dev .
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| --progress=plain | Shows detailed logs. |
| --no-cache | Forces all steps to rebuild; useful for verification but not normal fix. |
| failed step | The Dockerfile instruction that failed. |
8. Common Mistakes
- Not reading the failed step.
- Using --no-cache always.
- Ignoring .dockerignore.
- Changing many things at once.
- Not committing fixed Dockerfile.
9. Troubleshooting Steps
- COPY fails: check path/context/.dockerignore.
- RUN install fails: check package/dependency/network.
- Permission fails: check USER and file ownership.
10. Student Practice
- Create a wrong COPY path and fix it.
- Create wrong package name and read error.
- Use --progress=plain.
- Write a build failure checklist.
11. Interview Answer
A Docker build failure occurs when one Dockerfile instruction cannot complete successfully.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Container Keeps Restarting or Exiting
1. Clear Definition
Container Keeps Restarting or Exiting: A restarting or exited container usually means the main process failed, finished, or is being restarted by a restart policy.
2. Explanation for New People
If a container is not visible in docker ps, it may not be gone. It may be stopped. Use docker ps -a. Then read logs. A container exits when its main process exits.
3. Detailed Study Explanation
Common reasons for exiting: wrong command, missing environment variable, application crash, missing file, port already in use inside the container, permission error, or dependency unavailable. If a restart policy is set, Docker may restart it repeatedly.
Check exit code with inspect. Exit code 0 usually means the process finished normally. Non-zero means error. But the logs are usually the best first source.
Do not assume restart loops are Docker daemon problems. Most restart loops are application/configuration problems.
4. Business Use Case
A worker container restarts every few seconds. Logs show it cannot connect to Redis because REDIS_HOST is wrong. Updating the environment fixes it.
5. Mental Model / Diagram
docker ps -a -> container state
docker logs -> application message
docker inspect -> exit code/restart count
fix config/command/dependency6. Commands / Configuration
docker ps -a
docker logs mycontainer
docker inspect mycontainer --format '{{.State.ExitCode}}'
docker inspect mycontainer --format '{{.RestartCount}}'
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| ExitCode | Shows process exit status. |
| RestartCount | Shows restart loop count. |
| logs | Shows why app failed. |
8. Common Mistakes
- Only checking docker ps.
- Ignoring logs.
- Blaming Docker before app config.
- Deleting container immediately.
- No restart policy understanding.
9. Troubleshooting Steps
- Check docker ps -a.
- Read logs.
- Check missing env variables.
- Check command/CMD/ENTRYPOINT.
- Check dependency services.
10. Student Practice
- Run a container with a bad command.
- Check exit code.
- Add restart policy and observe restarts.
- Fix command.
11. Interview Answer
A restarting or exited container usually means the main process failed, finished, or is being restarted by a restart policy.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Application Running but Not Reachable
1. Clear Definition
Application Running but Not Reachable: An app can run inside a container but be unreachable because of port mapping, bind address, network, firewall, or service readiness problems.
2. Explanation for New People
The container running does not automatically mean your browser can access the app. You need the app listening inside the container, the correct container port, published host port, and sometimes correct bind address.
3. Detailed Study Explanation
Check docker ps for port mapping. If no host port is shown, the host cannot access the app. Check app logs for the port it listens on. If the app listens on 127.0.0.1 inside the container, traffic from Docker port mapping may not reach it; use 0.0.0.0 for many web apps.
If port is correct, test curl from host. Then exec into the container and test from inside. This separates app issue from Docker networking issue.
Also check host firewall, VPN, corporate proxy, and port conflicts.
4. Business Use Case
A demo fails because API is running but browser cannot access it. docker ps shows no port mapping. The container is restarted with -p 8000:8000 and the demo works.
5. Mental Model / Diagram
Need all:
container running
app listening
correct container port
host port published
app binds 0.0.0.0
host firewall allows access6. Commands / Configuration
docker ps
docker port app
docker logs app
curl -I http://localhost:8000
docker exec -it app sh
# inside container:
# curl http://localhost:8000
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker port | Confirms port mapping. |
| curl from host | Tests host-to-container access. |
| curl inside container | Tests whether app itself responds. |
| logs | Shows app bind/port information. |
8. Common Mistakes
- Assuming running means reachable.
- Wrong port mapping.
- App binds to 127.0.0.1.
- Host port conflict.
- Not testing from inside container.
9. Troubleshooting Steps
- Check port mapping.
- Check app listen address.
- Check logs.
- Check host firewall/port conflict.
- Use curl from host and inside container.
10. Student Practice
- Run app without -p and observe failure.
- Run with correct port.
- Bind app to 127.0.0.1 and compare.
- Document fix.
11. Interview Answer
An app can run inside a container but be unreachable because of port mapping, bind address, network, firewall, or service readiness problems.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Disk Usage and Cleanup
1. Clear Definition
Docker Disk Usage and Cleanup: Docker cleanup removes unused containers, images, networks, volumes, and build cache, but must be done carefully to avoid deleting needed data.
2. Explanation for New People
Docker can use disk space because images, stopped containers, volumes, and build cache accumulate. Cleanup is useful, but dangerous if you remove volumes containing data.
3. Detailed Study Explanation
docker system df shows disk usage. docker container prune removes stopped containers. docker image prune removes dangling/unused images depending on flags. docker builder prune removes build cache. docker volume prune removes unused volumes and can delete important data if you are careless.
Never run prune commands blindly on a machine with important data. First inspect what exists. For learning machines, cleanup is common. For business or production systems, cleanup should be planned and documented.
Understand the difference between deleting containers and deleting volumes. Removing a Compose stack with down does not remove named volumes unless you add -v.
4. Business Use Case
A shared development server runs out of disk space due to old images and build cache. The team creates a cleanup policy that removes unused images and cache but protects named database volumes.
5. Mental Model / Diagram
Docker disk users:
images
containers
volumes
build cache
networks
Clean carefully:
containers/images/cache safer
volumes require caution6. Commands / Configuration
docker system df
docker container prune
docker image prune
docker builder prune
# Dangerous if important data exists:
# docker volume prune
# Compose removes volumes only with -v:
docker compose down -v
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker system df | Shows disk usage. |
| container prune | Removes stopped containers. |
| image prune | Removes unused/dangling images. |
| builder prune | Removes build cache. |
| volume prune | Removes unused volumes; dangerous for data. |
8. Common Mistakes
- Running volume prune without checking.
- Not knowing which volumes contain data.
- Deleting evidence during troubleshooting.
- No backup before cleanup.
- Using prune as first troubleshooting step.
9. Troubleshooting Steps
- If disk full, run docker system df.
- Identify large images/cache.
- Back up volumes before deleting.
- Clean one category at a time.
10. Student Practice
- Check disk usage.
- Create and remove stopped containers.
- Run safe cleanup in lab.
- Explain why volume prune is dangerous.
11. Interview Answer
Docker cleanup removes unused containers, images, networks, volumes, and build cache, but must be done carefully to avoid deleting needed data.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker for Production: What Changes
1. Clear Definition
Docker for Production: What Changes: Production Docker requires versioned images, security, configuration management, health checks, logs, monitoring, backups, resource limits, and rollback.
2. Explanation for New People
Running Docker on your laptop is learning. Running Docker for users is operations. In production, people depend on the app. You need monitoring, logs, backups, security, and recovery steps.
3. Detailed Study Explanation
A production image should be built in CI, tagged clearly, scanned, and stored in a registry. Containers should run with least privilege. Secrets should come from a secret manager. Ports should be limited. Logs should go to a central system. Health checks should exist. Persistent data should have backups.
Resource limits protect the host from one container using all CPU or memory. Restart policies help recover from simple failures, but they do not replace monitoring. Rollback should be planned before deployment.
For larger systems, Docker images often run on orchestration platforms such as Kubernetes, ECS, Cloud Run, or Azure Container Apps. Docker skills still matter because the image is the package.
4. Business Use Case
An internal dashboard starts with Docker Compose on one VM. As users grow, the team adds image tags, scan policy, backups, logs, health checks, and rollback steps. Later it moves to managed container orchestration.
5. Mental Model / Diagram
Production checklist:
image version
registry
scan
secrets
ports
health check
logs
metrics
backups
resource limits
rollback
runbook6. Commands / Configuration
docker run -d \
--name app \
--restart unless-stopped \
--memory 512m \
--cpus 1.0 \
-p 8080:8080 \
myrepo/myapp:1.0.0
docker logs -f app
docker stats app
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| --restart unless-stopped | Basic restart policy. |
| --memory 512m | Memory limit. |
| --cpus 1.0 | CPU limit. |
| versioned image tag | Avoids unclear latest deployments. |
8. Common Mistakes
- Using latest in production.
- No backups.
- No logs/monitoring.
- No health checks.
- No rollback plan.
- Running privileged containers unnecessarily.
9. Troubleshooting Steps
- Check image tag/digest.
- Check health endpoint.
- Check logs and metrics.
- Check resource limits.
- Check rollback image.
10. Student Practice
- Create a production checklist.
- Add health check to app.
- Add resource limits.
- Write backup and rollback steps.
- Write a runbook.
11. Interview Answer
Production Docker requires versioned images, security, configuration management, health checks, logs, monitoring, backups, resource limits, and rollback.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker vs Compose vs Kubernetes
1. Clear Definition
Docker vs Compose vs Kubernetes: Docker builds and runs containers, Compose defines multi-container applications, and Kubernetes orchestrates containers across clusters.
2. Explanation for New People
Students often ask: if Kubernetes exists, do I still need Docker? Yes. Kubernetes runs container images. If you do not understand Docker images, containers, ports, volumes, logs, and networking, Kubernetes will be confusing.
3. Detailed Study Explanation
Docker is the base skill. It teaches image building and container running. Compose is the next step. It teaches how multiple services work together in one local stack. Kubernetes is orchestration. It runs containers across many machines, manages scaling, rollout, self-healing, service discovery, and configuration.
A practical learning path is Docker -> Compose -> Kubernetes. Many businesses use Compose for local development and Kubernetes or managed container platforms for production.
Do not compare them as if only one should exist. They solve different layers of the application lifecycle.
4. Business Use Case
A SaaS team uses Compose locally, CI builds Docker images, and production runs the images in Kubernetes. Developers get simple local setup and production gets scalable orchestration.
5. Mental Model / Diagram
Docker:
build and run containers
Compose:
run multi-container app locally
Kubernetes:
orchestrate containers across a cluster6. Commands / Configuration
docker build -t myapp:dev .
docker compose up -d
# Kubernetes later references the image:
# myrepo/myapp:1.0.0
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| Docker build | Creates image. |
| Compose up | Runs local service stack. |
| Kubernetes image reference | Uses built image in production orchestration. |
8. Common Mistakes
- Learning Kubernetes before Docker basics.
- Thinking Compose is always production orchestration.
- Thinking Docker is useless because Kubernetes exists.
- Not understanding registry flow.
9. Troubleshooting Steps
- If Kubernetes pod fails image pull, check registry/tag.
- If local Compose differs, compare env/network/volumes.
- If image fails everywhere, debug Dockerfile/container first.
10. Student Practice
- Explain each tool in one sentence.
- Build image with Docker.
- Run stack with Compose.
- Describe how Kubernetes would use the image.
11. Interview Answer
Docker builds and runs containers, Compose defines multi-container applications, and Kubernetes orchestrates containers across clusters.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Project 1: Containerize a Python API
1. Clear Definition
Project 1: Containerize a Python API: This project proves you can write a Dockerfile, build a Python API image, run it, publish a port, read logs, and document the setup.
2. Explanation for New People
A project is where Docker becomes real. A Python API is a good first project because it teaches base image, dependency installation, source copy, port publishing, and logs.
3. Detailed Study Explanation
Your project folder should include app.py, requirements.txt, Dockerfile, .dockerignore, and README.md. The README should explain the business scenario, build command, run command, test command, stop command, and troubleshooting.
The app must listen on 0.0.0.0 so it can receive traffic through Docker port mapping. If it listens only on 127.0.0.1, your browser may not reach it.
4. Business Use Case
Business scenario: A training company needs a simple student registration API. Docker lets every developer run it without installing Python globally.
5. Mental Model / Diagram
app.py + requirements.txt + Dockerfile
|
docker build
|
python-api image
|
docker run -p 8000:8000
|
API available on localhost6. Commands / Configuration
# Dockerfile
FROM python:3.12-slim
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 8000
CMD ["python", "app.py"]
# Commands
docker build -t python-api:dev .
docker run --name python-api -p 8000:8000 python-api:dev
docker logs -f python-api
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| requirements.txt | Dependency list. |
| Dockerfile | Image build recipe. |
| docker build | Creates image. |
| docker run -p | Runs API and exposes port. |
| docker logs | Shows app output. |
8. Common Mistakes
- App listens on 127.0.0.1.
- No README.
- No .dockerignore.
- No logs section.
- No business explanation.
9. Troubleshooting Steps
- If build fails, check requirements.txt.
- If app unreachable, check bind address and port.
- If container exits, read logs.
10. Student Practice
- Build the API.
- Run it.
- Test endpoint.
- Add README.
- Add screenshot and troubleshooting notes.
11. Interview Answer
This project proves you can write a Dockerfile, build a Python API image, run it, publish a port, read logs, and document the setup.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Project 2: Full App with Compose and Database
1. Clear Definition
Project 2: Full App with Compose and Database: This project proves you can run an application and database together using Compose, service names, networks, and volumes.
2. Explanation for New People
Most real apps need a database. If your API and database run in separate containers, they need to communicate. Compose makes this easier by creating a network and allowing service names.
3. Detailed Study Explanation
The API service should use DB_HOST=db, not localhost. The database service should use a named volume for data. The Compose file should include environment variables. Only the API needs to publish a port for host access. The database can remain internal.
Your README should include run, stop, logs, reset database, common errors, and screenshots. This is a strong beginner-to-intermediate portfolio project.
4. Business Use Case
Business scenario: A student management API stores records in PostgreSQL. Developers need to run API and DB locally with one command.
5. Mental Model / Diagram
Host/Postman -> API service -> Docker network -> DB service -> pgdata volume6. Commands / Configuration
services:
api:
build: .
ports:
- "8000:8000"
environment:
DB_HOST: db
DB_PASSWORD: pass
depends_on:
- db
db:
image: postgres:16
environment:
POSTGRES_PASSWORD: pass
volumes:
- pgdata:/var/lib/postgresql/data
volumes:
pgdata:
# Run
docker compose up --build
# Logs
docker compose logs -f api
# Reset only when needed
docker compose down -v
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| api service | Builds your app image. |
| db service | Runs PostgreSQL. |
| DB_HOST: db | Uses Compose service name. |
| pgdata | Persists DB data. |
| down -v | Removes volume; use carefully. |
8. Common Mistakes
- DB_HOST=localhost.
- No database volume.
- Publishing DB port unnecessarily.
- No README reset instructions.
- Hard-coded secrets in source code.
9. Troubleshooting Steps
- If API cannot connect DB, check service name and network.
- If DB data disappears, check volume.
- If app starts too early, add health checks/retry.
10. Student Practice
- Build Compose stack.
- Create data.
- Restart stack.
- Verify data persists.
- Break DB_HOST and fix it.
11. Interview Answer
This project proves you can run an application and database together using Compose, service names, networks, and volumes.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Project 3: Secure Image and CI/CD Style Release
1. Clear Definition
Project 3: Secure Image and CI/CD Style Release: This project proves you can build a cleaner image, avoid secrets, scan vulnerabilities, tag images, and describe a release flow.
2. Explanation for New People
A basic Docker project shows that you can run an app. A stronger project shows that you can think like a real engineer: security, scanning, tagging, pushing, and rollback.
3. Detailed Study Explanation
Improve the Dockerfile with .dockerignore, trusted base image, non-root user, clean dependency installation, and no secrets. Scan the image using Docker Scout if available. Tag the image with a version and a commit-like tag. Write a README section explaining CI/CD steps even if you do not have a real pipeline.
The project should include screenshots or command outputs: build success, test success, scan command, image tag, and run result.
4. Business Use Case
Business scenario: A company wants safer Docker releases. The CI pipeline builds the image, runs tests, scans vulnerabilities, tags the image, pushes it, and supports rollback.
5. Mental Model / Diagram
Code -> Build image -> Test -> Scan -> Tag -> Push -> Deploy -> Rollback if needed6. Commands / Configuration
docker build -t secure-api:dev .
docker run --rm secure-api:dev pytest
docker scout cves secure-api:dev
docker tag secure-api:dev myrepo/secure-api:git-abc123
docker push myrepo/secure-api:git-abc123
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| Build | Creates image. |
| Test | Validates app behavior. |
| Scan | Checks vulnerabilities. |
| Tag | Creates traceable version. |
| Push | Publishes image to registry. |
8. Common Mistakes
- No scan step.
- No tag strategy.
- No rollback plan.
- Secrets in image.
- No README explanation.
9. Troubleshooting Steps
- If scan finds vulnerabilities, update base/dependencies.
- If push fails, check login.
- If test fails in container, debug environment/config.
10. Student Practice
- Add non-root user.
- Add .dockerignore.
- Run scan.
- Tag image with version and Git-like tag.
- Write CI/CD README.
11. Interview Answer
This project proves you can build a cleaner image, avoid secrets, scan vulnerabilities, tag images, and describe a release flow.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |
13. Official Docker Links for This Chapter
Docker Interview Preparation for Freshers
1. Clear Definition
Docker Interview Preparation for Freshers: Docker interview preparation means explaining concepts, commands, project decisions, business use cases, and troubleshooting clearly.
2. Explanation for New People
Interviewers do not only ask commands. They may ask: Why Docker? What is image vs container? What is Dockerfile? Why use Compose? How do containers communicate? How do you persist data? How do you troubleshoot? What mistakes did you make in your project?
3. Detailed Study Explanation
A good answer has four parts: definition, reason, example, and troubleshooting. For example, do not only say “volume stores data.” Say: A volume is Docker-managed persistent storage. It matters because container writable data can disappear after container removal. Example: PostgreSQL uses pgdata volume. Troubleshooting: inspect mounts and check the correct data path.
Use your projects as proof. Talk about your Python API, Compose app with database, and secure image CI/CD flow. Explain decisions like .dockerignore, non-root user, DB_HOST=db, named volumes, port mapping, and health checks.
4. Business Use Case
A business-focused Docker answer shows you understand why teams use Docker: faster onboarding, consistency, CI/CD, safer releases, rollback, and reduced environment issues.
5. Mental Model / Diagram
Interview answer format:
1. Definition
2. Why it matters
3. Real example
4. Command or config
5. Troubleshooting / mistake6. Commands / Configuration
docker run hello-world
docker build -t app:dev .
docker run -p 8000:8000 app:dev
docker compose up --build
docker logs app
docker inspect app
7. Command Breakdown
| Command / Part | Meaning for beginners |
|---|---|
| docker run | Run containers. |
| docker build | Build images. |
| docker compose up | Run multi-container apps. |
| docker logs/inspect | Troubleshoot containers. |
8. Common Mistakes
- Memorizing definitions without projects.
- Not explaining business use.
- No troubleshooting examples.
- No understanding of Dockerfile lines.
- No clarity on volume/network/Compose.
9. Troubleshooting Steps
- Prepare one example of build failure.
- Prepare one example of app unreachable.
- Prepare one example of DB connection issue.
- Prepare one example of volume persistence.
10. Student Practice
- Answer: image vs container.
- Answer: Dockerfile instructions.
- Answer: volume vs bind mount.
- Answer: Compose service names.
- Explain your Docker project in two minutes.
11. Interview Answer
Docker interview preparation means explaining concepts, commands, project decisions, business use cases, and troubleshooting clearly.
Good answer: Explain the definition, why it matters, one project example, one command, and one troubleshooting step.
12. Notebook Notes to Write
| Definition | Rewrite this chapter definition in your own words. |
|---|---|
| Why it matters | Write the business or project problem this solves. |
| Command proof | Paste your terminal output or screenshot. |
| Failure example | Write one mistake and how you fixed it. |
| Portfolio proof | Add README notes, Dockerfile/Compose snippets, and screenshots. |