Master the Docker command line for container ops

Docker's command-line interface offers admins granular control over their containers. Keep this list of Docker commands nearby to swiftly navigate containerized environments.

Developers are most often the ones to bring Docker into an organization, but once containers deploy into production, IT ops and admins need to manage the stack with effective commands.

Systems administrators use the Docker command line to control containers and the resources they use. This command-line interface (CLI) is included in Docker Engine.

Getting to know the most useful and common Docker commands is a good way to ensure that containers become a good fit in the organization. We took nominations from a wide range of IT pros for this Docker command list, which ranges from simple to more complex. It includes a bonus at number 20: the least helpful command.

Editor's note: Other vendors in the Docker ecosystem have created alternatives to the official Docker command line, such as Dry, but these CLIs are not within the scope of this article.

1. docker exec -it [container-id] bash or docker exec -it $(docker ps -l -q) bash

Neel Somani, founder of web and mobile development startup Apptic LLC and a computer science student at the University of California, Berkeley, likes to use these two commands to enter into a Docker container that is already running. From there, an engineer or admin can execute arbitrary bash commands, he said.

2. docker system prune

The docker system prune command rescues systems low on disk space because of frequent image updates, said Benjamin Waldher, DevOps department head at Wildebeest Design & Development, a web and software studio located in Marina del Rey, Calif. Zombie containers, while more lightweight than VMs, can starve active containers of resources and contribute to virtual sprawl. The Docker command prune cleans up images and containers that are no longer in use -- if you're on a newer version of the platform.

For the many people and organizations running older versions of Docker, prune won't work, according to Alex Ough, senior software engineer at Sungard Availability Services of Wayne, Pa. They need granular commands to clean up unused resources; numbers three through six show Ough's recommendations to address this.

3. docker rmi $(docker images -f dangling=true -q)

This Docker command removes untagged and dangling (<none>) images, as Ough recommends for users that run a version of Docker older than 1.13. The command rmi is shorthand for remove images.

4. docker rm $(docker ps -a -f status=exited -q)

This command removes all exited containers. Similar to rmi, rm removes one or more containers.

5. docker volume rm $(docker volume ls -f dangling=true -q)

Need to remove dangling volumes? This is how. The rm command returns for another example, referencing volumes rather than containers in this instance.

6. docker network rm $(docker network ls | awk '$3 == "bridge" && $2 != "bridge" { print $1 }')

An administrator can remove nondefault bridge networks with this command, which also applies to those using versions prior to Docker 1.13. Here, ls is short for list, and docker network ls lists networks. The command awk appears in many Linux systems administration scripts, where it performs pattern matching on text; in this case, it prints the ID of every network that uses the bridge driver but is not the default network named bridge.
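The cleanup commands in numbers three through six fail with a usage error when there is nothing to remove, because the inner command returns an empty list. The script below is an added example, not code from the article or its sources: it chains the four commands with an empty-list guard and a dry-run default. DOCKER, DRY_RUN, the function names and the sample network listing are assumptions made for the example.

```shell
#!/bin/sh
# Added example: items 3 through 6 as one guarded cleanup pass.
# DOCKER, DRY_RUN and the function names are chosen for this example.
DOCKER=${DOCKER:-docker}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the command instead of running it

# Constructed sample of `docker network ls` output (not from a real host).
SAMPLE_NETWORK_LS='NETWORK ID          NAME                DRIVER              SCOPE
0f1a2b3c4d5e        bridge              bridge              local
1a2b3c4d5e6f        app_net             bridge              local
2b3c4d5e6f70        host                host                local
3c4d5e6f7081        none                null                local'

# Item 6 filter: IDs of bridge-driver networks other than the default one.
# The header row never matches because its third field is "NAME".
custom_bridges() {
    awk '$3 == "bridge" && $2 != "bridge" { print $1 }'
}

# Read IDs on stdin and pass them to "$DOCKER <subcommand>".
# An empty list is skipped: `docker rmi` with no arguments is an error.
remove_ids() {
    ids=$(cat)
    [ -n "$ids" ] || return 0
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: $DOCKER $* $(echo $ids)"
    else
        $DOCKER "$@" $ids   # unquoted on purpose: one argument per ID
    fi
}

# Containers go first so the images they reference can be removed after.
cleanup() {
    $DOCKER ps -a -f status=exited -q     | remove_ids rm
    $DOCKER images -f dangling=true -q    | remove_ids rmi
    $DOCKER volume ls -f dangling=true -q | remove_ids volume rm
    $DOCKER network ls | custom_bridges   | remove_ids network rm
}

# Offline demonstration on the constructed sample; no Docker daemon needed.
printf '%s\n' "$SAMPLE_NETWORK_LS" | custom_bridges | remove_ids network rm
```

Call cleanup with DRY_RUN=0 only after reviewing the dry-run output, since removed volumes cannot be recovered.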

7. docker cp container_name:/var/log/file.log /tmp/file.log

This command, which relies on the Unix-like cp, is useful to pull out log files with contents that, Waldher explained, "for some reason you aren't sending to stdout." The cp command copies files and folders between a container and the local file system, and this is only one example of its usefulness.

8. docker exec -ti container_name sh

IT operations and DevOps teams often need to "poke around" in a running container, whether for troubleshooting or optimization plans. This command is a way to temporarily access the Docker container as if it were its own machine, Waldher said.

9. An immutable servicename trio: rm, pull and run

Three Docker commands -- docker rm servicename and docker pull servicename, as well as docker run --restart=always servicename -- control any service files, according to Waldher.

"Running these commands will ensure that your container's behavior is immutable," he said. Every restart of the service running this Docker container will remove old containers, preventing a state from building up with a container that is reused over a long period of time, and ensure that containers are up-to-date, he explained.

In addition, he noted, using --restart=always will cause the Docker daemon to handle any container crashes itself, rather than relying on the init script. Waldher recommends it as a faster way to restart a service when it crashes, minimizing downtime.

10. docker ps

This Docker command lists the running containers in a given deployment.

"It's my go-to when I log onto a machine, [and] I want to know exactly what's running," said Maryum Styles, a back-end engineer working with containers at New Relic in San Francisco, Calif., which uses Docker in its platform. The docker ps command is just the start to troubleshoot a production container environment, as seen in the next three commands.

11. docker ps -a

This variant on docker ps lists all containers, not just the ones that are running.

"Right after I see what containers are running, I want to know what containers have recently failed and why," Styles said.

12. docker logs

Once you know which container failed, you need clues about the cause of death -- or worse, thrashing, wherein the container restarts and fails constantly. This docker logs command shows the administrator all the logs for a given container, tracking what's happened and when.

13. docker rm <container_id>

If you see something that indicates that a particular container is not acting as it should or if that container should not run anymore for some reason, return to the rm command described above to take it down.

14. docker images

This is a great way to see the names and versions of containers on the infrastructure, according to Styles. Container-based IT organizations often also follow DevOps objectives, which encourage collaboration and sharing.

"I build a lot of Docker images to share with other people, so seeing the images I have is very helpful," Styles said. Also, docker images displays the size of each image, a useful resource planning stat. For a small host machine, operations must keep track of hosted images and balance them for performance.

15. docker rmi <image_name>

Once you have a list of the images in use, implement the rmi command, this time to remove unneeded images by name.

16. docker tag

Styles recommends docker tag -- it gives administrators a way to categorize images, essentially creating a versioning scheme for containers. When a wider audience works with images, IT teams should represent bug fixes and new features for images in the most clear possible format. Thanks to this structure, "users know what version they're using and whether it's the latest [one]," she explained. In production, organizations will test newer image versions to ensure nothing in the update breaks the existing app or workflow, causing an outage, Styles said.

A semantic number version scheme -- i.e., x.y.z -- avoids the easily misunderstood latest tag that Docker assigns to any untagged images, whether they're the latest or not.

17. docker start

The team at WhiteSource, an Israeli company that helps developers identify known vulnerabilities in open source components, shared three essential Docker commands. The list starts with start, a command that gets one or more stopped containers going.

18. docker stop

This command stops one or more running containers, gracefully. When everything executes correctly, the stop command allows processes time to clean up and exit.

19. docker kill

This command stops one or more running containers, forcefully. The kill command is immediate and can disrupt processes rather than allowing them time to exit.

These last two commands, docker stop and docker kill, are similar but can have differing effects on the production deployment. Take time to analyze the intent and desired effects before you fire off any of these common Docker commands -- then you'll get the results you want.

20. A useless command

Sure, this long command is pointless to actually control a Docker container -- but disguises its true helpfulness:

docker run -ti \
    --privileged \
    --net=host --pid=host --ipc=host \
    --volume /:/host \
    [image] \
    chroot /host

By running privileged, sharing the host's network, process and IPC namespaces, and mounting the host's root file system, the command creates a Docker container that runs as root in the host's file system, network, process table and so on. It also shows that anyone allowed to run docker commands on a host effectively has root on that host. Creator Ian Miell, lead OpenShift architect at Barclays in London, says this command, while having no purpose as written, is an instructive starting point from which to make your own network or process checkers for given namespaces.
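One checker that follows from this command is an audit of which running containers hold the same host-level access. The script below is an added example, not Miell's code or part of the original article: it reads one line per container, as produced by docker inspect --format, and reports privileged mode, host namespaces and a mount of the host's root directory. The function names, the "|"-separated layout and the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag containers that share host namespaces or mount "/".
# Function names and the "|"-separated layout are chosen for this example.

# One line per running container: name|privileged|net|pid|ipc|mounts
container_settings() {
    ids=$(docker ps -q)
    [ -n "$ids" ] || return 0
    docker inspect --format '{{.Name}}|{{.HostConfig.Privileged}}|{{.HostConfig.NetworkMode}}|{{.HostConfig.PidMode}}|{{.HostConfig.IpcMode}}|{{range .Mounts}}{{.Source}}:{{.Destination}},{{end}}' $ids
}

# Read those lines on stdin; print each container with host-level access.
audit_host_access() {
    awk -F'|' '{
        why = ""
        if ($2 == "true") why = why " privileged"
        if ($3 == "host") why = why " net=host"
        if ($4 == "host") why = why " pid=host"
        if ($5 == "host") why = why " ipc=host"
        # A mount entry that starts with "/:" has the host root as source.
        n = split($6, m, ",")
        for (i = 1; i <= n; i++)
            if (index(m[i], "/:") == 1) { why = why " host-root-mounted"; break }
        if (why != "") print $1 ":" why
    }'
}

# Constructed sample lines (not from a real host).
SAMPLE_SETTINGS='/web|false|bridge||private|/srv/web/html:/usr/share/nginx/html,
/debug|true|host|host|host|/:/host,
/metrics|false|host||private|'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SETTINGS" | audit_host_access
# On a live host: container_settings | audit_host_access
```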