Beginner–Intermediate 15 terms

Docker & Containerisation

Docker fundamentals: images, containers, Dockerfiles, multi-stage builds, networking, and best practices.

  • image /ˈɪmɪdʒ/

    Immutable filesystem snapshot built from a Dockerfile; the template from which containers are created.

    "We tag every image with the Git commit SHA so we can always identify exactly which code is running in production."
  • container /kənˈteɪnər/

    A running instance of an image; an isolated process with its own filesystem, network, and process namespace.

    "Ten containers from the same image run on the same host — each is fully isolated but shares the host OS kernel."
  • Dockerfile /ˈdɒkərfaɪl/

    Text file with sequential instructions to build an image: FROM sets the base image, RUN executes commands, COPY adds files, CMD sets the default command.

    "Our Dockerfile starts FROM node:20-alpine, installs dependencies, copies the built artefact, and sets CMD to start the server."
  • layer /ˈleɪər/

    Each Dockerfile instruction creates a cacheable layer in the image; unchanged layers are reused on rebuild, speeding up the process.

    "We copy package.json and run npm install before copying source code so the dependency layer is cached and only invalidated when package.json changes."
  • registry /ˈredʒɪstri/

    Server that stores and distributes Docker images; Docker Hub is the default public registry. Private registries include ECR, GCR, and GitHub Packages.

    "GitHub Actions pushes the built image to our private ECR registry, then the deployment job pulls it onto the production servers."
  • Docker Compose /ˈdɒkər kəmˈpəʊz/

    Tool for defining and running multi-container applications using a docker-compose.yml file; manages networking and volumes between services.

    "Our docker-compose.yml starts the API, Postgres, and Redis together with one command — perfect for local development without installing anything natively."
  • volume /ˈvɒljuːm/

    Persistent storage that survives container restarts; bind mounts attach a host directory directly into the container filesystem.

    "We use a named volume for the Postgres data directory so the database persists when we recreate the container during upgrades."
  • bridge network /brɪdʒ ˈnetwɜːk/

    Default Docker network where containers on the same bridge can communicate with each other by container name as a DNS hostname.

    "In Docker Compose the API container reaches the database using the hostname db — Docker's built-in DNS resolves it to the container's IP on the bridge network."
  • multi-stage build /ˈmʌlti steɪdʒ bɪld/

    Dockerfile pattern using multiple FROM instructions; an early stage compiles code and a later stage copies only the artefact, producing a minimal final image.

    "Our multi-stage build uses a golang:1.22 stage to compile the binary and a scratch stage to ship it — the final image is 8MB instead of 800MB."
  • distroless image /dɪˈstrəʊles ˈɪmɪdʒ/

    Minimal base image containing only the application runtime and its dependencies; no shell or package manager, reducing the attack surface.

    "Switching to a distroless base image reduced our critical CVE count to zero because there is no shell or system utilities for an attacker to exploit."
  • build context /bɪld ˈkɒntekst/

    The directory sent to the Docker daemon when docker build runs; a .dockerignore file excludes files that should not be sent, keeping the context small.

    "Adding node_modules and .git to .dockerignore reduced the build context from 400MB to 2MB and cut the time to start the build significantly."
  • tag /tæɡ/

    Human-readable label attached to a specific image version; format is registry/repository:tag. The latest tag is a convention, not a guarantee of recency.

    "We never use the latest tag in production — every deployment pins an exact image tag like myapp:a3f8c12 so rollbacks are deterministic."
  • healthcheck /ˈhelθtʃek/

    Dockerfile instruction that defines a command Docker uses to test whether a running container is healthy; Docker marks it healthy, unhealthy, or starting.

    "The HEALTHCHECK instruction runs curl localhost:3000/health every 30 seconds — unhealthy containers are reported so orchestrators can restart them."
  • ENTRYPOINT /ˈentripɔɪnt/

    The executable that always runs in a container; CMD provides default arguments to ENTRYPOINT and can be overridden at runtime.

    "We set ENTRYPOINT ["/app/server"] so the binary always runs, and use CMD ["--port", "8080"] as the default argument that operators can override."
  • CMD /siː em diː/

    Default command and arguments run when a container starts; can be overridden at runtime by appending a command to docker run.

    "CMD ["npm", "start"] is the default, but we override it with docker run myapp npm test to run the test suite in the same image."
