DevOpsBeginnerv27Updated 2026-07

Docker

Develop, ship, and run anywhere

ContainersDevOpsCI/CDKubernetesCompose

Overview

  • 1Docker 27 (mid 2024) ships as part of Docker Desktop 4.30+ with major developer experience improvements.
  • 2Build Cloud offloads docker build to Docker-managed multi-platform builders in the cloud.
  • 3Docker Model Runner lets developers run Llama, Phi, and other LLMs locally via Docker Desktop.
  • 4Compose Watch replaces manual `--watch` flags — declare file sync rules in compose.yaml.
  • 5docker init now supports Go, Python, Node.js, Java, ASP.NET, PHP, and Rust scaffolding.

Key Features in 27

Build Cloud — offload slow multi-platform builds to Docker-hosted remote builders
Docker Model Runner — run GGUF AI models locally with OpenAI-compatible API
Compose Watch — live-sync and rebuild on file changes declared in compose.yaml
docker init — generates Dockerfile, compose.yaml, and .dockerignore for 8 languages
docker build --secret — mount secrets during build without baking into layers
Multi-stage builds — reduce final image size by separating build and runtime stages
BuildKit cache mounts — cache package manager directories between builds

Use Cases

  • Consistent development environments across team members
  • CI/CD pipelines — reproducible builds in GitHub Actions, GitLab CI
  • Microservices development with Compose for multi-service orchestration
  • Production container runtime (alongside Kubernetes)

2026 Updates

  • Docker Model Runner: `docker model pull llama3.2` then `docker model run llama3.2`
  • Build Cloud: `docker buildx use cloud-<org>/default` — remote builder with 16 vCPU
  • Compose Watch: `develop: watch: - path: ./src action: sync` in service definition
  • docker init: interactive wizard generates production-ready Dockerfile for 8 runtimes
  • docker scout: vulnerability scanning and SBOM generation integrated into Docker CLI
  • Docker Desktop 4.30+: Resource Saver mode, VirtioFS for macOS (faster file I/O)

Dockerfile Best Practices

  • Use official slim/alpine base images (node:22-alpine, python:3.13-slim) to minimise size
  • Multi-stage builds: `FROM node:22 AS builder` then `FROM node:22-alpine AS runner`
  • Layer caching: copy package.json and install dependencies BEFORE copying source code
  • COPY --chown=node:node: set file ownership in the same layer as the copy
  • Use .dockerignore to exclude node_modules, .git, .env, and build artifacts
  • RUN --mount=type=cache,target=/root/.npm: cache npm packages between builds
  • USER: run the process as a non-root user for security

Docker Compose

  • compose.yaml defines services, networks, and volumes for multi-container apps
  • depends_on with condition: service_healthy waits for health check before starting
  • environment and env_file: inject environment variables from file or inline
  • volumes: named volumes persist data; bind mounts mirror host paths into container
  • profiles: group services into profiles to start subsets of the stack
  • Compose Watch: `action: sync` mirrors src files; `action: rebuild` re-builds on Dockerfile change
  • docker compose up --build --watch: starts with file watching enabled

Security & Registries

  • docker scan / docker scout: Snyk-powered vulnerability scanning of images
  • Secrets: `docker run --secret id=mysecret,src=./secret.txt` mounts at /run/secrets/mysecret
  • Docker Content Trust (DCT): sign and verify image integrity with Notary
  • distroless images (gcr.io/distroless): no shell, no package manager — minimal attack surface
  • Docker Hub, GitHub Container Registry (ghcr.io), AWS ECR, Google Artifact Registry
  • image digest pinning: `FROM node@sha256:abc...` for reproducible, tamper-proof pulls

Frequently Asked Questions

What is the difference between a Docker image and a container?

A Docker image is a read-only layered filesystem snapshot containing your application code, runtime, and dependencies. A container is a running instance of an image — an isolated process with its own filesystem, network, and PID namespace derived from the image. Multiple containers can run from the same image simultaneously.

What is Docker Compose Watch and how does it work?

Compose Watch (Docker 2.22+) monitors your source files and automatically syncs changes into running containers or rebuilds them. Declare watch rules in compose.yaml under `develop.watch`. `action: sync` copies changed files into the container for live-reload. `action: rebuild` stops and rebuilds the service when critical files (Dockerfile, package.json) change.

Docker vs Kubernetes — what is the difference?

Docker is a container runtime and build tool — it creates and runs individual containers. Kubernetes is a container orchestrator — it manages clusters of containers across multiple machines, handling scheduling, scaling, self-healing, service discovery, and rolling updates. In production, you typically build with Docker and deploy with Kubernetes.