Docker Deep Dive

Welcome

A first-principles guide to Docker — what each piece does, how the model fits together, when to reach for it, and where the failure modes hide. A container is just a process on the host kernel, isolated by namespaces and cgroups; the image is the build-time artifact, the container is the runtime instance. The course stays on one host and hands off to Kubernetes where orchestration begins.

12 chapters · 77 topics covered · 9 hours audio · Knowledge check on every topic · For all levels

About This Course

Docker has a reputation for being quick to start and deceptively deep to run well. You can write a Dockerfile and have a container running in an afternoon. Building an image that is small, secure, reproducible, and signed — and running it with the right limits, networking, and persistence on a real host — is where the actual craft lives, and where most introductions stop.

This course covers both ends. It explains Docker from first principles, in the order that makes the model click: what a container actually is and why it is not a virtual machine, then images and how they are layered, running containers, authoring Dockerfiles, building them well, storage, networking, and Compose — before the parts of shipping containers that bite you: registries, security hardening, operations, and where Docker hands off to an orchestrator.

Every topic follows a consistent shape: what it is, how it works, when to use it, when not to, the mistakes that cost real outages, and the practices that prevent them. Where two approaches compete — CMD versus ENTRYPOINT, a volume versus a bind mount, alpine versus distroless — the course compares them and says when each fits, instead of leaving that judgment to you.

Who This Is For

Engineers who build or run applications, and those moving into that work. A beginner can read it in order and build a mental model from zero — no prior Docker is assumed, only basic comfort on the Linux command line. An experienced engineer can jump to a chapter to settle a decision or close a gap, including someone who already runs containers under Kubernetes and wants the build-and-run half of the picture done properly.

A Note on Docker, the OCI Standard, and Kubernetes

The course teaches Docker — the Engine, the CLI, BuildKit, and Compose — because it is how most people build and run containers. The open standard underneath (OCI), the lower-level runtimes (containerd and runc), and the daemonless alternative (Podman) are real and worth knowing, so they get a dedicated chapter at the end rather than being assumed throughout. What you learn about images and Dockerfiles carries over identically to Podman or a Kubernetes node — they all run the same OCI images — and the core runtime concepts transfer too; the orchestration around them (networking, volumes, secrets, health checks, security controls) is where Docker, Podman, and Kubernetes diverge, which is exactly what the final chapter maps out.

This book stays on one host. Building, running, Compose, networking, storage, security, and operations are all done well on a single machine, because that is where containers are built and where the fundamentals live. Where multi-host orchestration begins — self-healing across nodes, fleet-scale scheduling, rolling deploys at scale — the course names the boundary and hands off to the sibling Kubernetes Deep Dive rather than half-teaching orchestration. Docker builds and runs containers on one host; Kubernetes orchestrates them across many.

What You Should Already Know

  • Command-line comfort on Linux — running commands, editing files, environment variables, and pipes
  • A basic feel for how processes and the filesystem work — what a process is, what a port is, what a path is
  • Enough of one programming stack to recognize an app's dependencies — an interpreter, libraries, a build step
  • Version control with Git at a basic level — commits, branches, and pull requests
  • No prior Docker or container experience required

How the Course Is Built

The twelve chapters are ordered so the early ones teach the core and the later ones build on it. Foundations and images come first, because nothing else makes sense until you can tell an image from a container. Then running containers, authoring and building Dockerfiles, storage, networking, and Compose — the craft of one host — before the chapters on distribution through a registry, security hardening, operations, and the ecosystem boundary where Kubernetes takes over.

A running example threads through the whole book: a small bookmark-sharing app called Driftwood. It starts as code a developer is trying to containerize on a laptop — an app, a PostgreSQL database, and an nginx reverse proxy — wired together locally with Compose. By the later chapters it has become a hardened, slim, multi-architecture image, signed and scanned, shipped to a private registry by a CI pipeline, and run with the limits and isolation production demands. A few principles run through every chapter and explain why the course is shaped the way it is.

The image is the artifact
You build an image once and run it anywhere. The container is a disposable instance; the image is what you version, test, ship, and roll back to. Changing the app means a new image, never a mutated container.
A container is just a process
Namespaces and cgroups over the host kernel, not a tiny virtual machine. Every behavior — signal handling, resource limits, what the host can see — follows from that one fact, so reason about a container the way you reason about a process.
The trade-offs are the point
A choice that is right for one situation is wrong for another. The course says so, and explains when not to reach for something — a bind mount versus a volume, CMD versus ENTRYPOINT, alpine versus distroless, root versus a non-root user.
One host, done well
Docker builds and runs containers on one machine; Kubernetes orchestrates them across many. This book masters the first half completely and hands off the second, rather than teaching a shallow version of both.

Chapter Map

Chapter 1
Foundations — What a Container Is
What a container actually is — a process the kernel fenced off, not a small machine. Containers versus virtual machines, the namespaces and cgroups that make them work, the image-versus-container distinction, the architecture under the docker command, and your first running container.
Chapter 2
Images — The Build Artifact
What an image is made of and how to read one. Layers and the union filesystem, manifests and digests, tags versus digests, pulling and the local store, inspecting an image for what it runs and what it hides, and choosing a base.
Chapter 3
Running Containers
Driving a container by hand. The lifecycle, the anatomy of docker run, the PID 1 and signal traps that break clean shutdown, exec and attach and logs, restart policies and exit codes, resource limits, and runtime configuration.
Chapter 4
Dockerfiles — Authoring Images
Turning an app into an image. The Dockerfile model and build context, the layer cache and why instruction order decides build speed, RUN forms, COPY versus ADD, the CMD-versus-ENTRYPOINT confusion, ARG versus ENV, and metadata.
Chapter 5
Building Well — BuildKit & Multi-stage
From a naive image to a production one. BuildKit, multi-stage builds that leave the toolchain behind, .dockerignore, cache mounts and build secrets, shrinking images by hundreds of megabytes, and reproducible builds.
Chapter 6
Storage — Data and the Filesystem
Where data lives and why it disappears. The writable layer and copy-on-write, volumes versus bind mounts versus tmpfs, the named-volume lifecycle, bind mounts in development, volume drivers, and backup and migration patterns.
Chapter 7
Networking
How containers reach each other and the world. The network model, the default bridge versus a user-defined one, embedded DNS and service discovery, publishing ports, the host and none modes, network isolation, and a first look at overlay networks.
Chapter 8
Docker Compose
Declaring a multi-container stack in one file. Why Compose, the file model, service dependencies and the startup-order trap, environment and .env interpolation, profiles, override files for dev versus prod, and the Compose development loop.
Chapter 9
Registries & Distribution
Shipping the image off the laptop. How registries work, Docker Hub and private and self-hosted options, a tagging strategy for releases, multi-architecture images with buildx, signing and provenance, and vulnerability scanning.
Chapter 10
Security
Hardening a container for production. The threat model of a shared kernel, running as non-root, Linux capabilities, seccomp and AppArmor/SELinux, read-only filesystems, secrets done right, and rootless Docker with user namespaces.
Chapter 11
Observability & Operations
Keeping a container healthy on a real host. Logging drivers and the disk they fill, healthchecks, stats and events and inspection, pruning and disk management, the daemon and its storage driver, and debugging a crash-looping container.
Chapter 12
From One Host to Many — The Ecosystem
Where Docker sits and where it ends. The OCI standard, containerd and runc under the hood, Podman and Buildah, a brief look at Swarm, the boundary where you outgrow one host and reach for Kubernetes, and the production workflow assembled end to end.

Disclaimer

This course is an independent educational project created and maintained by Sergey Okinchuk. It is provided for learning and reference purposes only.

No affiliation. This course is not affiliated with, sponsored by, endorsed by, or officially connected to Docker, Inc., the Open Container Initiative, the Cloud Native Computing Foundation, or any other company or project mentioned. All opinions, interpretations, and recommendations expressed are those of the author.

Trademarks. "Docker" and the Docker logo are trademarks of Docker, Inc. "Kubernetes", "Podman", "containerd", and all other product names, logos, and brands are the property of their respective owners. Use of these names and marks is for identification and educational purposes only and does not imply any endorsement.

Accuracy and currency. Docker evolves quickly — the Engine, BuildKit, Compose, defaults, and command-line flags drift between versions. Facts in this course reflect the author's understanding at the time of writing and may not be current. Always consult the official Docker documentation as the authoritative source before making operational decisions.

No warranty. This material is provided "as is" without warranty of any kind. Dockerfiles, commands, and Compose files are illustrative, not production-ready, and may cause disruption if run against real systems. The author accepts no liability for any loss or damage arising from reliance on the content.