Which Dockerfile instructions create a new image layer?

RUN, COPY and ADD each commit a new filesystem layer. FROM starts a stage without adding a layer, and metadata instructions like ENV, CMD, ENTRYPOINT, LABEL and EXPOSE change image configuration without creating a filesystem layer.

What is the difference between CMD and ENTRYPOINT?

ENTRYPOINT defines the fixed executable a container always runs, while CMD supplies default arguments that are easily overridden at docker run time. They are often combined: ENTRYPOINT for the binary, CMD for default flags.

Should I use COPY or ADD?

Prefer COPY for plain files and directories because its behaviour is explicit. Use ADD only when you specifically want its extra features: automatic local tar extraction. Avoid ADD for remote URLs since it skips caching and checksums.

Why does EXPOSE not publish a port?

EXPOSE is documentation metadata that records which ports the application listens on. To actually map a port to the host you must run the container with docker run -p host:container, or use -P to auto-publish all EXPOSEd ports.

Is it safe to put secrets in ENV or ARG?

No. Both ENV and ARG values are stored in the image history and can be read with docker history. Use build secrets (--mount=type=secret) or inject runtime configuration through orchestrators instead of baking credentials into the image.

Dockerfile Instructions Reference

Dockerfile instructions at a glance

A Dockerfile is an ordered list of instructions that the Docker builder turns into an image. This reference lists every instruction with its exact syntax, whether it creates a new filesystem layer, and a best-practice note. Search the table to jump straight to the instruction you need.

How it works

Docker images are built as a stack of read-only layers. The builder reads your Dockerfile top to bottom and, for layer-creating instructions, runs the step inside a temporary container and commits the resulting filesystem diff as a new layer. Three instructions create layers — RUN, COPY and ADD — so the order and grouping of those lines directly controls image size and cache reuse.

Other instructions only change image configuration (metadata) rather than the filesystem: ENV, ARG, CMD, ENTRYPOINT, EXPOSE, LABEL, WORKDIR, USER, VOLUME, HEALTHCHECK, STOPSIGNAL, SHELL and ONBUILD. FROM is special — it begins a build stage by selecting a base image without adding a layer of its own.

Each instruction is also a cache key. If nothing above a line changed, Docker reuses the cached layer. That is why you copy and install dependencies before copying application source: dependency layers stay cached across code edits.

Tips and examples

Combine related shell steps in a single RUN with && and clean package caches in the same line so the cleanup lands in the same layer:

RUN apt-get update \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*

Pair ENTRYPOINT with CMD for a sensible default that callers can override:

ENTRYPOINT ["python", "app.py"]
CMD ["--port", "8080"]

Use multi-stage builds and COPY --from=builder to ship only compiled artifacts, keeping the runtime image small.
Run as a non-root USER, add a HEALTHCHECK, and label images with the org.opencontainers.image.* convention for traceability.

Dockerfile Instructions Reference

Email me this result

Dockerfile instructions at a glance

How it works

Tips and examples