Docker for Beginners: Full Setup & Deployment Tutorial (2026 Edition)

Introduction: Why Docker in 2026?

The Containerization Revolution Has Only Just Begun

In 2026, Docker is no longer just a DevOps tool—it’s become a fundamental competency for virtually every software developer, data scientist, and IT professional. With 94% of organizations now running containers in production (up from 84% in 2023) and the global container market projected to reach $8.2 billion, Docker proficiency has transformed from a “nice-to-have” resume bullet into an expected baseline skill.

Yet despite its ubiquity, Docker remains intimidating for beginners. The terminology (containers, images, volumes, registries) feels abstract. The command-line interface appears cryptic. The conceptual shift from traditional deployment to containerization requires rethinking how applications are built, shipped, and run.

This comprehensive 3,000-word tutorial eliminates that intimidation completely. Whether you’re a web developer tired of “works on my machine” frustrations, a data scientist seeking reproducible analysis environments, or an IT professional modernizing legacy infrastructure, this guide takes you from absolute zero to confident Docker practitioner. We’ll cover installation, core concepts, practical command-line usage, Dockerfile creation, data persistence, multi-container applications with Docker Compose, and production deployment strategies—all with hands-on examples you can follow on your own machine.

What Makes This 2026 Edition Different:

Updated for Docker Desktop 4.30+ with enhanced WSL2 and macOS virtualization
Modern security practices including rootless containers and image signing
Current best practices for multi-stage builds and layer optimization
Integration with 2026 cloud platforms (Sevalla, Railway, modern AWS services)
AI/ML containerization examples using PyTorch and TensorFlow
ARM64 support for Apple Silicon and Raspberry Pi deployments

Chapter 1: Understanding Docker Fundamentals

What Actually IS Docker?

Before typing a single command, we must establish mental models. Docker is frequently misunderstood, and this misunderstanding leads to frustration.

The Common Misconception: “Docker is a lightweight virtual machine.”

The Reality: Docker is a containerization platform that packages applications and their dependencies into isolated environments called containers. Unlike virtual machines, containers share the host operating system’s kernel rather than virtualizing hardware. This makes them dramatically more efficient—lighter weight, faster starting, and less resource-intensive.

Analogy That Sticks:

Virtual Machines are like separate houses: each has its own foundation, plumbing, electrical systems, and structure. They’re completely isolated but resource-heavy.
Containers are like apartments in a single building: they share the same foundation, water supply, and electrical grid (the host kernel) but have their own walls, furnishings, and modifications (dependencies, configurations).

This architectural distinction explains everything: why containers start in milliseconds, why you can run dozens on a laptop, and why they’re consistent across environments.

Images vs. Containers: The Source of Endless Confusion

Beginners invariably confuse images and containers. Here’s the definitive distinction:

Docker Image: A read-only template containing instructions for creating a container. Think of it as a recipe, a blueprint, or a class definition. Images are built, stored in registries (like Docker Hub), and versioned.

Docker Container: A runnable instance of an image. Think of it as the actual dish prepared from the recipe, a house built from the blueprint, or an object instantiated from a class. Containers have state, can be started, stopped, moved, and deleted.

The Relationship: One image → many containers. Just as one recipe can produce countless meals.

The Docker Architecture: Three Critical Components

Docker Client: The command-line tool you interact with (docker run, docker build, docker pull). It communicates with the Docker daemon via REST API.
Docker Daemon (dockerd): The background service that actually builds, runs, and manages containers. It listens for API requests from the client.
Docker Registry: Storage for Docker images. Docker Hub is the default public registry, but private registries (AWS ECR, Google Artifact Registry, self-hosted) are common in production.

Key Insight for Beginners: The client and daemon don’t need to be on the same machine. You can control a remote Docker daemon from your local client—crucial for CI/CD pipelines and remote development.

Chapter 2: Installation and Setup (2026 Edition)

System Requirements and Preparation

Windows 11/10:

WSL2 (Windows Subsystem for Linux 2) with Ubuntu 24.04+ or default distribution
64-bit processor with SLAT capabilities
8GB RAM minimum (16GB recommended)
BIOS-level hardware virtualization enabled

macOS:

macOS Ventura (13.0) or newer (Sonoma 14.x recommended)
Apple Silicon (M1/M2/M3) or Intel chip
8GB RAM minimum (16GB recommended)
Rosetta 2 for Apple Silicon users (automatic installation)

Linux (Ubuntu 26.04 LTS):

64-bit architecture
Kernel version 5.15 or higher
iptables and cgroups support
4GB RAM minimum (8GB recommended)

Step-by-Step Installation Guide

Windows Installation with WSL2

Step 1: Enable WSL2

# Open PowerShell as Administrator
wsl --install
# Restart your computer

Step 2: Install Docker Desktop for Windows

Download Docker Desktop 4.30+ from docker.com
Run installer with default settings
CRITICAL: Select “Use WSL 2 instead of Hyper-V” during installation
After installation, ensure WSL2 integration is enabled:

Open Docker Desktop → Settings → Resources → WSL Integration
Enable integration with your default WSL distribution

Step 3: Verify Installation

# In your WSL terminal
docker --version
# Should show: Docker version 26.0.0+, build xxxxxx

docker run hello-world
# Should display successful installation message

macOS Installation (Apple Silicon & Intel)

Step 1: Download Docker Desktop for Mac

Visit docker.com/products/docker-desktop
Download the Apple Silicon version (M1/M2/M3) or Intel version accordingly

Step 2: Install and Configure

# Drag Docker.app to Applications folder
# Launch Docker from Applications
# Wait for whale icon to show "Docker Desktop is running"

Step 3: Performance Optimization for Apple Silicon

# Enable VirtioFS for significantly faster file sharing
# Docker Desktop → Settings → General → Enable VirtioFS

# Configure resource allocation
# Settings → Resources → Advanced
# CPUs: 4+ (recommended)
# Memory: 8GB+ (recommended)
# Swap: 2GB
# Disk image size: 64GB+

Step 4: Verification

docker --version
docker run hello-world

Ubuntu 26.04 LTS Installation

# 1. Update package index
sudo apt update

# 2. Install prerequisites
sudo apt install -y \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

# 3. Add Docker's official GPG key
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
    sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

# 4. Add stable repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
  https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# 5. Install Docker Engine
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io

# 6. Add user to docker group (avoid sudo requirement)
sudo usermod -aG docker $USER
newgrp docker  # Activate group changes

# 7. Enable and start Docker
sudo systemctl enable docker
sudo systemctl start docker

# 8. Verify
docker --version
docker run hello-world

Post-Installation Verification Checklist

✅ Docker version command works without sudo (Linux) or admin (Windows/Mac)
✅ docker run hello-world executes successfully
✅ Docker Desktop dashboard shows running containers (GUI users)
✅ WSL2 integration functioning (Windows)
✅ VirtioFS enabled (Apple Silicon Mac)
✅ Resource allocation appropriate for your system

Chapter 3: Docker Essentials – 20 Commands You’ll Actually Use

Container Lifecycle Management

1. `docker run` – Create and Start Containers

# Basic syntax
docker run [OPTIONS] IMAGE [COMMAND]

# Examples
docker run nginx                     # Run nginx in foreground
docker run -d nginx                 # Run nginx in background (detached)
docker run -it ubuntu bash          # Interactive terminal session
docker run --name my-nginx nginx    # Assign custom name
docker run -p 8080:80 nginx         # Port mapping (host:container)
docker run -v /host/data:/app/data  # Volume mounting

2. `docker ps` – List Containers

docker ps          # Show running containers
docker ps -a       # Show all containers (including stopped)
docker ps -q       # Show only container IDs (useful for scripting)
docker ps --format "table {{.Names}}\t{{.Status}}"  # Custom formatting

3. `docker stop` & `docker start`

docker stop container_id_or_name
docker start container_id_or_name
docker restart container_id_or_name   # Stop then start

4. `docker rm` – Remove Containers

docker rm container_id          # Remove stopped container
docker rm -f container_id       # Force remove running container
docker container prune         # Remove all stopped containers
docker rm $(docker ps -aq)     # Remove ALL containers (DANGER)

5. `docker logs` – View Container Output

docker logs container_id
docker logs -f container_id    # Follow (tail -f equivalent)
docker logs --tail 50 container_id  # Last 50 lines
docker logs --since 5m container_id # Last 5 minutes

Image Management

6. `docker pull` – Download Images

docker pull nginx:latest           # Specific tag
docker pull python:3.12-slim       # Slim variant (smaller)
docker pull postgres:16-alpine     # Alpine Linux variant (tiny)

7. `docker images` – List Local Images

docker images
docker image ls
docker images | grep python

8. `docker rmi` – Remove Images

docker rmi image_id               # Remove image
docker image prune               # Remove dangling images
docker rmi $(docker images -q)   # Remove ALL images (DANGER)

9. `docker build` – Create Images from Dockerfile

docker build -t my-app:1.0 .     # Tag with name:version
docker build --no-cache -t my-app .  # Build without cache

10. `docker tag` & `docker push` – Registry Operations

docker tag my-app:1.0 username/my-app:1.0  # Tag for registry
docker push username/my-app:1.0            # Upload to Docker Hub

Inspection and Debugging

11. `docker exec` – Run Commands in Running Containers

docker exec -it container_id bash          # Shell access
docker exec container_id cat /etc/hosts    # Run single command
docker exec -it postgres_container psql -U postgres  # DB access

12. `docker inspect` – Detailed Container/Image Info

docker inspect container_id               # Full JSON output
docker inspect --format='{{.NetworkSettings.IPAddress}}' container_id
docker inspect --format='{{.Config.Env}}' container_id

13. `docker stats` – Live Resource Usage

docker stats                    # All containers
docker stats container_id       # Specific container
docker stats --no-stream        # Single snapshot

14. `docker cp` – Copy Files Between Host and Container

docker cp /host/file.txt container_id:/container/path
docker cp container_id:/container/file.txt /host/path

Network Management

15. `docker network` – Container Networking

docker network ls                      # List networks
docker network create my-network      # Create network
docker network connect my-network container_id  # Connect container
docker network disconnect my-network container_id  # Disconnect

Volume Management

16. `docker volume` – Persistent Storage

docker volume create my-volume        # Create volume
docker volume ls                      # List volumes
docker volume inspect my-volume       # Volume details
docker volume rm my-volume           # Remove volume

System Management

17. `docker system` – Docker System Operations

docker system df                     # Disk usage
docker system prune                 # Clean unused data
docker system prune -a             # Aggressive cleanup (remove all unused)

Utility Commands

18. `docker search` – Find Images on Docker Hub

docker search nginx                 # Search for nginx images
docker search --limit 10 python    # Limit results

19. `docker commit` – Create Image from Container (Advanced)

docker commit container_id my-custom-image  # Usually avoid - use Dockerfile

20. `docker save` & `docker load` – Offline Transfer

docker save -o my-image.tar my-image:tag    # Save to file
docker load -i my-image.tar                 # Load from file

Essential Command Cheat Sheet (Save This!)

Command	Purpose	Example
`docker run -d -p 8080:80 --name web nginx`	Run nginx in background	Web server
`docker exec -it web bash`	Shell into container	Debugging
`docker logs -f web`	Follow container logs	Monitoring
`docker stop web && docker rm web`	Stop and remove	Cleanup
`docker build -t myapp .`	Build image	Deployment
`docker compose up -d`	Start multi-container app	Full stack

Chapter 4: Your First Dockerfile – Building Custom Images

What is a Dockerfile?

A Dockerfile is a text document containing instructions for building a Docker image. It’s the recipe for your containerized application. Dockerfiles enable version-controlled, reproducible, and automated image creation.

Dockerfile Fundamentals: The Layer Model

Critical Concept: Each instruction in a Dockerfile creates a layer. Layers are cached and reused across builds. This makes subsequent builds faster and saves disk space.

FROM python:3.12-slim    # Layer 1: Base image
WORKDIR /app             # Layer 2: Working directory
COPY requirements.txt .  # Layer 3: Copy file
RUN pip install -r requirements.txt  # Layer 4: Install dependencies
COPY . .                # Layer 5: Copy application code
CMD ["python", "app.py"] # Layer 6: Default command

Layer Optimization Principle: Instructions that change frequently (application code) should come AFTER instructions that change rarely (dependencies, base images). This maximizes cache utilization.

Example 1: Containerizing a Python Flask Application

Project Structure:

flask-docker-app/
├── app.py
├── requirements.txt
└── Dockerfile

app.py:

from flask import Flask, jsonify
import os
import datetime

app = Flask(__name__)

@app.route('/')
def home():
    return jsonify({
        "message": "Hello from Dockerized Flask!",
        "timestamp": datetime.datetime.now().isoformat(),
        "hostname": os.environ.get('HOSTNAME', 'unknown')
    })

@app.route('/health')
def health():
    return jsonify({"status": "healthy"})

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

requirements.txt:

flask==3.0.0

Dockerfile (Production-Ready, Optimized):

# 1. Use specific, slim base image
FROM python:3.12-slim AS builder

# 2. Set working directory
WORKDIR /app

# 3. Set environment variables
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

# 4. Copy requirements first (leverage caching)
COPY requirements.txt .

# 5. Install dependencies
RUN pip install --no-cache-dir -r requirements.txt

# 6. Second stage: smaller production image
FROM python:3.12-slim

WORKDIR /app

# 7. Copy Python and dependencies from builder
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# 8. Copy application code
COPY app.py .

# 9. Create non-root user (security best practice)
RUN addgroup --system --gid 1001 appgroup && \
    adduser --system --uid 1001 --gid 1001 appuser
USER appuser

# 10. Expose port
EXPOSE 5000

# 11. Define startup command
CMD ["python", "app.py"]

Build and Run:

# Build the image
docker build -t flask-app:2026 .

# Run the container
docker run -d -p 5000:5000 --name flask-demo flask-app:2026

# Test the application
curl http://localhost:5000

# View logs
docker logs flask-demo

Example 2: Containerizing a Node.js Application

Dockerfile:

FROM node:20-alpine AS builder

WORKDIR /app

# Copy package files
COPY package*.json ./

# Install dependencies
RUN npm ci --only=production

# Second stage
FROM node:20-alpine

WORKDIR /app

# Copy from builder
COPY --from=builder /app/node_modules ./node_modules
COPY . .

# Create non-root user
RUN addgroup -g 1001 -S nodejs && \
    adduser -S nodejs -u 1001
USER nodejs

EXPOSE 3000

CMD ["node", "server.js"]

Example 3: Containerizing a Data Science Environment

Dockerfile for Jupyter with PyTorch:

FROM pytorch/pytorch:2.2.0-cuda12.1-cudnn8-runtime

WORKDIR /workspace

# Install Jupyter and common data science libraries
RUN pip install --no-cache-dir \
    jupyterlab==4.1.0 \
    pandas==2.2.0 \
    numpy==1.26.3 \
    matplotlib==3.8.2 \
    seaborn==0.13.2 \
    scikit-learn==1.4.0 \
    transformers==4.37.0

# Create workspace directory
RUN mkdir -p /workspace/notebooks

# Expose Jupyter port
EXPOSE 8888

# Launch Jupyter
CMD ["jupyter", "lab", "--ip=0.0.0.0", "--port=8888", "--no-browser", "--allow-root"]

Run Command:

docker run -d -p 8888:8888 \
  -v $(pwd):/workspace/notebooks \
  --name pytorch-lab \
  pytorch-data-science:2026

Dockerfile Best Practices (2026 Edition)

Use specific base image tags – Never latest; use python:3.12-slim, not python:latest
Multi-stage builds – Separate build environment from runtime environment
Minimize layers – Combine related RUN commands with &&
Sort multi-line arguments – Alphabetical ordering improves maintainability
Leverage build cache – Copy dependency files BEFORE application code
Use .dockerignore – Prevent sending unnecessary files to daemon
Run as non-root user – Security imperative in 2026
Set environment variables – PYTHONDONTWRITEBYTECODE=1, NODE_ENV=production
Scan for vulnerabilities – Use docker scout (integrated in Docker Desktop)
Label your images – maintainer, version, description metadata

.dockerignore Example:

.git
__pycache__
*.pyc
.env
.vscode
.idea
Dockerfile
README.md
.gitignore
*.log

Chapter 5: Data Persistence – Volumes and Bind Mounts

The Stateless Container Problem

Containers are ephemeral by design. When a container is removed, all data written to its writable layer disappears. This is intentional—it enables immutability, reproducibility, and horizontal scaling. But what about databases, user uploads, and application state?

Solution: Docker provides two mechanisms for persistent data storage.

Docker Volumes (Preferred for Production)

Volumes are completely managed by Docker, stored in /var/lib/docker/volumes/ (Linux) or the Docker VM (macOS/Windows). They’re the recommended approach for production.

Volume Commands:

# Create a named volume
docker volume create postgres_data

# Inspect volume
docker volume inspect postgres_data

# Run PostgreSQL with volume
docker run -d \
  --name postgres-db \
  -e POSTGRES_PASSWORD=secretpassword \
  -e POSTGRES_USER=appuser \
  -e POSTGRES_DB=myapp \
  -v postgres_data:/var/lib/postgresql/data \
  -p 5432:5432 \
  postgres:16-alpine

# Remove volume (when data is no longer needed)
docker volume rm postgres_data

Bind Mounts (Preferred for Development)

Bind mounts map a host directory directly into the container. Changes are immediately visible both directions. Perfect for development with hot-reloading.

Bind Mount Examples:

# Development: Mount source code for live updates
docker run -d \
  -p 5000:5000 \
  -v $(pwd):/app \
  -e FLASK_ENV=development \
  flask-app:dev

# Share configuration files
docker run -d \
  -v /etc/localtime:/etc/localtime:ro \
  -v /home/user/configs/nginx.conf:/etc/nginx/nginx.conf:ro \
  -p 80:80 \
  nginx:alpine

Volumes vs Bind Mounts: Decision Matrix

Feature	Volumes	Bind Mounts
Performance	Excellent	Excellent (native)
Portability	High (Docker managed)	Low (path-dependent)
Backup/Restore	Easy (`docker run --volumes-from`)	Manual file copy
Host filesystem access	Restricted (sandboxed)	Full access
Use case	Production databases, persistent state	Development, config files
CLI management	Full (`docker volume` commands)	None (OS-level)

Volume Backup and Restore Pattern

# Backup volume to host
docker run --rm \
  -v postgres_data:/source \
  -v /host/backup:/backup \
  alpine \
  tar czf /backup/postgres_backup_$(date +%Y%m%d).tar.gz -C /source .

# Restore volume from backup
docker run --rm \
  -v postgres_data:/target \
  -v /host/backup:/backup \
  alpine \
  tar xzf /backup/postgres_backup_20260211.tar.gz -C /target

Chapter 6: Multi-Container Applications with Docker Compose

Why Docker Compose?

Real-world applications rarely consist of a single container. Modern stacks include:

Web server (Node.js, Python, Ruby, Go)
Database (PostgreSQL, MySQL, MongoDB)
Cache (Redis, Memcached)
Queue (RabbitMQ, Redis)
Reverse proxy (Nginx, Traefik)

Docker Compose solves the orchestration problem through declarative YAML configuration. One command (docker compose up) starts your entire application stack.

Docker Compose Version 3.8+ (2026 Best Practices)

Example 1: Full-Stack Web Application

docker-compose.yml:

version: '3.8'

services:
  # Frontend React application
  frontend:
    build: ./frontend
    ports:
      - "3000:3000"
    environment:
      - REACT_APP_API_URL=http://localhost:8000
      - NODE_ENV=production
    depends_on:
      - backend
    networks:
      - app-network

  # Backend FastAPI application
  backend:
    build: 
      context: ./backend
      dockerfile: Dockerfile.prod
    ports:
      - "8000:8000"
    environment:
      - DATABASE_URL=postgresql://postgres:${DB_PASSWORD}@db:5432/appdb
      - REDIS_URL=redis://cache:6379
      - SECRET_KEY=${SECRET_KEY}
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
    volumes:
      - uploads:/app/uploads
    networks:
      - app-network
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  # PostgreSQL database
  db:
    image: postgres:16-alpine
    ports:
      - "5432:5432"  # Only expose if needed externally
    environment:
      - POSTGRES_DB=appdb
      - POSTGRES_USER=postgres
      - POSTGRES_PASSWORD=${DB_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./init-db.sql:/docker-entrypoint-initdb.d/init.sql
    networks:
      - app-network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 10s
      timeout: 5s
      retries: 5

  # Redis cache
  cache:
    image: redis:7-alpine
    ports:
      - "6379:6379"
    volumes:
      - redis_data:/data
    networks:
      - app-network
    command: redis-server --appendonly yes --requirepass ${REDIS_PASSWORD}

  # Nginx reverse proxy
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ssl:/etc/nginx/ssl:ro
      - static:/usr/share/nginx/html/static
    depends_on:
      - backend
      - frontend
    networks:
      - app-network

networks:
  app-network:
    driver: bridge

volumes:
  postgres_data:
  redis_data:
  uploads:
  static:

.env file (NEVER commit to Git):

DB_PASSWORD=SecurePassword123!
SECRET_KEY=your-256-bit-secret-key-here
REDIS_PASSWORD=RedisSecure456@

Essential Docker Compose Commands

# Start all services in background
docker compose up -d

# View logs from all services
docker compose logs -f

# View logs from specific service
docker compose logs -f backend

# Rebuild and start
docker compose up -d --build

# Scale a service
docker compose up -d --scale backend=3

# Stop all services
docker compose down

# Stop and remove volumes (CAUTION: deletes data!)
docker compose down -v

# Execute command in running service
docker compose exec backend python manage.py migrate

# List running services
docker compose ps

# View resource usage
docker compose top

Development vs Production Compose Files

Common Pattern: Separate compose files for different environments

# Development (with bind mounts, debug mode)
docker compose -f docker-compose.yml -f docker-compose.dev.yml up

# Production (with resource limits, replicas)
docker compose -f docker-compose.yml -f docker-compose.prod.yml up

docker-compose.override.yml (automatically loaded for development):

version: '3.8'
services:
  backend:
    build: 
      context: ./backend
      dockerfile: Dockerfile.dev
    volumes:
      - ./backend:/app  # Bind mount for hot reload
    environment:
      - DEBUG=true
      - LOG_LEVEL=debug

  frontend:
    volumes:
      - ./frontend:/app
      - /app/node_modules
    environment:
      - CHOKIDAR_USEPOLLING=true  # Hot reload in Docker

Chapter 7: Production Deployment (2026 Edition)

Cloud-Native Deployment Strategies

Option 1: Modern PaaS Platforms (Recommended for Beginners)

Sevalla (2026 Leader):

# Install Sevalla CLI
brew install sevalla-cli  # macOS
curl -sSL https://sevalla.com/install.sh | sh  # Linux

# Authenticate
svla auth login

# Deploy from Dockerfile or Compose
svla deploy --file docker-compose.yml --name my-app-2026

Railway:

# Install Railway CLI
curl -fsSL https://railway.app/install.sh | sh

# Deploy
railway login
railway init
railway up

Option 2: Traditional Cloud Providers

AWS ECS with Fargate (Serverless Containers):

# Create ECR repository
aws ecr create-repository --repository-name my-app

# Authenticate Docker to ECR
aws ecr get-login-password | docker login --username AWS --password-stdin $ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com

# Tag and push image
docker tag my-app:latest $ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/my-app:latest
docker push $ACCOUNT_ID.dkr.ecr.us-east-1.amazonaws.com/my-app:latest

# Deploy with ECS CLI or CloudFormation

Google Cloud Run:

# Build and push to Google Container Registry
gcloud builds submit --tag gcr.io/PROJECT_ID/my-app

# Deploy to Cloud Run
gcloud run deploy my-app \
  --image gcr.io/PROJECT_ID/my-app \
  --platform managed \
  --region us-central1 \
  --allow-unauthenticated

Option 3: Self-Hosted (VPS with Docker Machine)

# Provision Ubuntu 26.04 VPS (DigitalOcean, Linode, Hetzner)

# SSH into server
ssh root@your-server-ip

# Install Docker (as shown in Chapter 2)

# Deploy using Docker Compose
git clone https://github.com/yourusername/your-app.git
cd your-app
docker compose -f docker-compose.prod.yml up -d

# Set up reverse proxy with automatic SSL
docker run -d \
  -p 80:80 -p 443:443 \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  -v $PWD/traefik.yml:/traefik.yml \
  -v $PWD/acme.json:/acme.json \
  traefik:v3.0

Production Readiness Checklist

✅ Security:

[ ] Scan images with docker scout or Trivy
[ ] Run containers as non-root user
[ ] Use secrets management (never hardcode credentials)
[ ] Implement least-privilege networking
[ ] Enable Docker Content Trust (image signing)

✅ Reliability:

[ ] Configure healthchecks for all services
[ ] Implement log aggregation
[ ] Set resource limits (CPU, memory)
[ ] Use restart policies: restart: unless-stopped
[ ] Implement graceful shutdown handling

✅ Performance:

[ ] Optimize images (multi-stage, Alpine/slim variants)
[ ] Use read-only root filesystem where possible
[ ] Implement caching strategies (Redis, CDN)
[ ] Configure container orchestration auto-scaling

✅ Observability:

[ ] Structured JSON logging
[ ] Metrics export (Prometheus format)
[ ] Distributed tracing
[ ] Centralized log management (ELK, Loki)

Chapter 8: Docker Security in 2026

Essential Security Practices

1. Rootless Mode (Default in Docker Engine 24+)

# Check if rootless is enabled
docker info --format '{{.SecurityOptions}}'

# Enable rootless mode
dockerd-rootless-setuptool.sh install

2. Image Signing with Docker Content Trust

export DOCKER_CONTENT_TRUST=1
docker pull alpine:latest  # Only signed images
docker push myimage:latest # Automatically signs

3. Vulnerability Scanning

# Integrated in Docker Desktop
docker scout quickview my-app:latest

# Deep CVSS analysis
docker scout cves my-app:latest

# Compare with base image
docker scout compare my-app:latest --to alpine:latest

4. Runtime Security

# Drop all capabilities, add only needed ones
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE my-app

# Read-only root filesystem
docker run --read-only --tmpfs /tmp my-app

# Security profiles
docker run --security-opt=no-new-privileges:true \
           --security-opt=seccomp=/path/to/seccomp-profile.json \
           my-app

5. Secrets Management (Never in Images!)

# Docker Swarm secrets (or use HashiCorp Vault)
echo "MySecretPassword123" | docker secret create db_password -

# Use in compose
secrets:
  db_password:
    external: true

services:
  app:
    secrets:
      - db_password

Chapter 9: Troubleshooting – 20 Common Problems Solved

Problem 1: “Port is already allocated”

# Find what's using port 8080
docker ps --format "table {{.Names}}\t{{.Ports}}" | grep 8080

# Solution: Stop conflicting container or change host port
docker run -p 8081:80 nginx

Problem 2: “No space left on device”

# Cleanup commands
docker system prune -a -f --volumes
docker rmi $(docker images -f "dangling=true" -q)

# Check disk usage
docker system df

Problem 3: Container exits immediately

# Check logs
docker logs container_id

# Run interactively to see error
docker run -it my-image sh

# Common causes: Missing CMD, application error, port conflict

Problem 4: Slow Docker Desktop on Mac

# Enable VirtioFS
# Settings → General → Enable VirtioFS

# Increase resources
# Settings → Resources → Advanced → CPUs: 6+, Memory: 8GB+

# Reset to factory defaults (last resort)

Problem 5: WSL2 integration issues (Windows)

# In PowerShell (Admin)
wsl --shutdown
# Restart Docker Desktop

# Check WSL2 version
wsl -l -v
# Convert to WSL2 if needed: wsl --set-version <distro> 2

Problem 6: Permission denied (Linux)

# Add user to docker group
sudo usermod -aG docker $USER
newgrp docker

# Or fix volume permissions
docker run -u $(id -u):$(id -g) -v $(pwd):/app my-image

Problem 7: Network connectivity between containers

# Ensure same network
docker network create app-network
docker run --network app-network --name app1 my-image
docker run --network app-network --name app2 my-image

# Use service name, not localhost
# app2 can reach app1 at http://app1:port

Problem 8: Environment variables not passing

# Pass via command line
docker run -e MY_VAR=value -e ANOTHER_VAR my-image

# Use env file
docker run --env-file .env my-image

Problem 9: Buildx “no matching manifest”

# Usually ARM64/AMD64 mismatch
docker buildx build --platform linux/amd64,linux/arm64 -t myapp .

Problem 10: Docker daemon not responding

# Linux
sudo systemctl restart docker

# Mac/Windows: Restart Docker Desktop application
# Or reset to factory defaults

Chapter 10: Next Steps – Your Docker Learning Roadmap

Immediate Next Steps (Days 1-7)

✅ Practice daily with these projects:

Containerize a personal blog (WordPress + MySQL)
Build a Redis-backed URL shortener
Deploy a static site with Nginx
Create development environment for your current project

✅ Master these advanced topics:

Docker networks: bridge, host, overlay, macvlan
Docker Swarm for container orchestration
Healthchecks and graceful shutdown
Resource constraints (CPU, memory, IO)

Career Development Paths

Path 1: DevOps Engineer

Kubernetes (K8s) certification (CKA, CKAD)
Infrastructure as Code: Terraform, Ansible
CI/CD: GitHub Actions, GitLab CI, Jenkins
Monitoring: Prometheus, Grafana, ELK

Path 2: Platform Engineer

Service mesh: Istio, Linkerd
GitOps: ArgoCD, Flux
Policy as Code: OPA, Kyverno
Internal Developer Platforms: Backstage, Humanitec

Path 3: Cloud Architect

Multi-cloud container strategies
Hybrid cloud networking
Compliance and governance
Cost optimization at scale

Certification Roadmap (2026)

Docker Certified Associate (DCA) – Foundational
CKA (Certified Kubernetes Administrator) – Operations focus
CKAD (Certified Kubernetes Application Developer) – Development focus
AWS Certified DevOps Engineer or Google Professional Cloud DevOps Engineer

Community and Resources

Official Resources:

docs.docker.com – Always current
Docker Captain program – Community leaders
Docker Blog – Latest features

Community:

r/docker (Reddit) – 500,000+ members
Docker Community Slack – 100,000+ members
Local Docker Meetups (300+ cities worldwide)

Books (2026 Editions):

“Docker Deep Dive” – Nigel Poulton
“The Docker Book” – James Turnbull
“Kubernetes Up and Running” – Brendan Burns

Conclusion: Your Container Journey Begins

You’ve progressed from complete beginner to confident Docker practitioner. You understand the architectural principles, can install and configure Docker across platforms, write optimized Dockerfiles, manage persistent data, orchestrate multi-container applications with Docker Compose, deploy to production, and troubleshoot common issues.

But this tutorial isn’t the end—it’s the beginning. Containerization has fundamentally changed how software is built, shipped, and run. The patterns you’ve learned here apply whether you’re deploying a simple blog, a machine learning pipeline, or a global-scale microservices architecture.

Remember these principles:

Containers are not virtual machines — embrace ephemeral, immutable infrastructure
Images are recipes, containers are meals — understand the distinction
Cache is your friend — optimize layer ordering
Security is non-negotiable — rootless, signed, scanned
Declarative > imperative — Docker Compose over shell scripts

The industry’s shift toward containers isn’t slowing—it’s accelerating. With serverless containers, WebAssembly integration, and edge computing, the next five years will bring even more innovation. Your Docker foundation positions you to not just participate in this evolution but to lead it.

Your mission, should you choose to accept it: Containerize one application this week that you previously deployed traditionally. Experience the difference. Feel the confidence of knowing your application will run identically on your laptop, your team’s machines, your staging environment, and in production.