Containers Cheatsheet

Last Updated: 2024-01-27

Check out Docker Cheatsheet for more docker commands.

Container Lifecycle

  • Build (OCI Image spec): code => images
    • docker build: based on Dockerfile
    • buildah: can build with or without a Dockerfile
  • Run (OCI Runtime spec): images => containers
    • Runtime: containerd / dockerd / CRI-O
    • docker run
  • Distribute (OCI Distribution spec): Images <=> Registries
    • Registries: docker registry / Harbor
    • docker pull / docker push

High level comparison

docker crictl podman
Build images Yes No Yes
Run / Inspect Yes Yes Yes
Talk to daemon Yes (dockerd) Yes No
Privilege root / rootless rootless
Run Pods No Yes Yes
Used by k8s kind


  • All compatible with OCI specs.
  • "Talk to daemon": docker talks to dockerd; crictl talks to any CRI-compatible runtime; podman is daemonless.
  • podman build uses code sourced from the Buildah project to build container images. Both podman and Buildah are from RedHat.
  • Other tools:
    • buildx is a Docker CLI plugin for extended build capabilities with BuildKit.
    • runc: the low-level runtime, usually we do not need to work with directly.


Inpect Images / Containers:

docker crictl
List images docker images crictl images
List containers docker ps crictl ps
Attach to a running container docker attach crictl attach
Run a command in a container docker exec crictl exec
Show system-wide info docker info crictl info
Show container, image info docker inspect crictl inspect
Get logs of a container docker logs crictl logs
Show resource usage stats docker stats crictl stats
Show rutime version docker version crictl version

Image / Container Lifecycle:

docker crictl
Pull an image docker pull crictl pull
Create a container docker create crictl create
Run commands docker run crictl run
Start containers docker start crictl start
Stop containers docker stop crictl stop
Update configs docker update crictl update
Remove containers docker rm crictl rm
Remove images docker rmi crictl rmi
Kill containers docker kill crictl stop

Pod Lifecycle:

List pods crictl pods
Run a pod crictl runp
Remove pods crictl rmp
Stop pods crictl stopp
Show status of the pods crictl inspectp
Forward local port to a pod crictl port-forward

skopeo inspect = docker inspect


Choose image format

# Build OCI images (default for podman)
$ podman build --format=oci

# Build Docker images instead
$ podman build --format=docker

# Similarly in `docker buildx`
$ docker buildx build --output type=oci
$ docker buildx build --output type=docker


High-level container runtime: containerd / CRI-O

Responsibilities: pull container images from registries; manage images on disk; launche a lower-level runtime to run container processes.

  • containerd: born from parts of the original Docker project.
    • has its own CLI (ctr) in addition to crictl.
    • config: /etc/containerd
  • CRI-O: created by RedHat
    • CRI-O stands for "Container Runtime Interface - OpenShift".
    • depend on other RedHat container tools: podman, buildah, skopeo.
    • no separate CLI.
    • config:
      • /etc/containers
      • /etc/crio/crio.conf
      • /etc/containers/registries.conf
    • images stored in /var/lib/containers
    • https://github.com/containers

Low-level container runtime: runc, crun

  • runc: the "reference implementation" of OCI. Written in Go. Both containerd and CRI-O use runc by default.
  • runsc: gVisor from Google, which creates containers that have their own kernel. Also compliant with OCI spec.
  • crun: written in C.

Most likely you do not need to use runc directly, but you can get more info about the running containers:

$ runc list

$ ls /run/runc

$ cat /run/runc/$NAME/state.json


buildah run vs podman run

  • buildah run command emulates the RUN command in a Dockerfile
  • podman run command emulates the docker run command in functionality.

podman vs docker

  • Podman containers are rootless; docker supports both root and rootless mode.
    • Podman uses systemd to make updates and keep containers running in the background. By integrating systemd and Podman, you can generate control units for your containers and run them with systemd automatically enabled.
  • Docker is all-in-one; podman work with buildah, skopeo, etc.