Docker CLI
The commands you actually type every day. Following the official Docker CLI reference (as of 2026-06). For the concept basics, see Core concepts.
Container lifecycle
| Command | Purpose | Example |
|---|
docker run | Create and start a new container from an image | docker run -d --name web nginx:alpine |
docker start | Start a stopped container | docker start web |
docker stop | Graceful stop via SIGTERM (10s grace by default) | docker stop web |
docker restart | Stop then start again | docker restart web |
docker pause / unpause | Freeze / unfreeze all processes | docker pause web |
docker rm | Remove a stopped container (-f forces running) | docker rm web |
docker run -d --name web nginx:alpine # create and start detached
docker stop -t 0 web # stop without waiting for SIGTERM
docker rm -f web # force-remove a running container
Key docker run flags
Flags decide how a container runs; these are the most used:
| Flag | Purpose | Example |
|---|
-d | Run detached (background), prints only the container ID | docker run -d nginx:alpine |
-it | Interactive shell (-i keeps STDIN, -t allocates a TTY) | docker run -it ubuntu bash |
--name | Name the container (unique per host) | docker run --name web nginx |
--rm | Auto-remove on exit (and its anonymous volumes) | docker run --rm alpine echo hi |
-p | Publish a port, HOST:CONTAINER | docker run -p 8080:80 nginx |
--network | Connect to a network | docker run --network mynet app |
-v / --mount | Mount a volume or bind mount | docker run -v data:/app/data app |
-e / --env-file | Set env vars / load from a file | docker run -e TZ=Asia/Taipei app |
--restart | Restart policy (see below) | docker run --restart=always nginx |
--gpus | Pass GPUs (needs the NVIDIA Container Toolkit) | docker run --gpus all app nvidia-smi |
-w / -u | Working dir / run identity | docker run -w /app -u 1000:1000 app |
--memory / --cpus | Resource caps | docker run -m 512m --cpus 1.5 app |
--restart policies:
| Value | Behavior |
|---|
no (default) | No auto-restart |
on-failure[:N] | Restart only on a non-zero exit code, up to N retries |
always | Always restart; also comes back after the daemon restarts |
unless-stopped | Same as always, but if you docker stop it manually, a daemon restart will not bring it back |
The direction of -p is HOST:CONTAINER: left is your machine, right is inside the container. -p 8080:80 means “host 8080 into container 80”; reversed, you cannot connect. To bind only to localhost: -p 127.0.0.1:8080:80.
Inspect and debug
| Command | Purpose |
|---|
docker ps | List running containers (-a includes stopped, -q IDs only) |
docker logs | View logs (-f follow, --tail N, --since) |
docker exec | Run a command in a running container (-it for a shell) |
docker inspect | Full JSON of a container / image (IP, mounts, env) |
docker stats | Live CPU / memory / network / block I/O |
docker top | Processes running inside a container |
docker cp | Copy files between container and host |
docker ps -a -q --filter status=exited # IDs of all stopped containers
docker logs -f --tail 100 web # follow the last 100 lines
docker exec -it -u root web bash # interactive shell as root
docker inspect --format='{{.NetworkSettings.IPAddress}}' web # get the IP
docker stats --no-stream # one snapshot, no streaming
docker cp web:/app/logs/app.log ./app.log # copy a file out
Image commands
| Command | Purpose |
|---|
docker images | List local images (-a includes intermediate layers) |
docker pull | Pull an image from a registry |
docker build | Build an image from a Dockerfile (-t to name, -f for the file) |
docker tag | Add a new tag |
docker rmi | Remove an image (-f forces) |
docker history | Each layer’s build instruction and size |
docker save / load | Export to tar / import (offline transfer) |
docker pull nginx:1.27-alpine
docker build -f docker/Dockerfile.prod -t myapp:prod .
docker tag myapp:1.0 user/myapp:1.0
docker save myapp:1.0 | gzip > myapp.tar.gz # compressed export
docker load < myapp.tar.gz # import
docker build usage is in Building a Dockerfile from scratch.
Cleanup commands
Images, containers, and volumes pile up. These are destructive, so be clear what each removes:
docker system df # disk usage and reclaimable space first
docker system df -v # per-object detail
docker container prune # all stopped containers
docker image prune # only dangling images
docker image prune -a # every image not referenced by a container (incl. tagged)
docker volume prune # only anonymous volumes
docker network prune # unused custom networks
docker system prune # stopped containers + unused networks + dangling images + build cache
docker system prune -a # images expand to "every unreferenced image"
docker system prune -a --volumes # plus anonymous volumes, the most destructive
Cleanup is irreversible. Run docker system df first:
docker image prune -a / system prune -a removes all images not used by a container, including versions you may still want, forcing a re-pull.--volumes clears only anonymous volumes; to clear named volumes (where database data often lives) you need docker volume prune -a, and the data cannot be recovered.- The built-in
bridge / host / none networks are never pruned.
Multiple daemons and diagnostics
docker context ls # list reachable Docker daemons
docker context create remote --docker "host=ssh://user@10.0.0.5"
docker --context remote ps # run one command against a remote daemon
docker version # client and daemon versions, API version
docker info # system info for the whole install
Deprecated items (as of 2026-06)
| Old usage | Status | Replacement |
|---|
docker-compose (v1, Python) | EOL, no longer maintained | docker compose (v2, built-in CLI plugin) |
docker run --link | Deprecated | user-defined network + DNS name resolution |
DOCKER_BUILDKIT=0 | Can disable BuildKit but not recommended | Use BuildKit (default in Docker 23+) |
Next
Reference: docs.docker.com/reference/cli/docker
