Commit de57e1bde8aa
Changed files (16)
dots
dots/.config/claude/skills/Docker/workflows/Build.md
@@ -0,0 +1,979 @@
+# Build Workflow
+
+Build container images with Docker/Podman, supporting multi-architecture builds and optimization techniques.
+
+## Quick Start
+
+**Detect runtime:**
+```bash
+# Auto-detect (prefers Podman)
+../tools/DetectRuntime.sh
+
+# Specify runtime
+../tools/DetectRuntime.sh --runtime docker
+../tools/DetectRuntime.sh --runtime podman
+```
+
+**Basic build:**
+```bash
+docker build -t myapp:latest .
+podman build -t myapp:latest .
+```
+
+**Multi-architecture:**
+```bash
+# Docker buildx
+docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest --push .
+
+# Podman manifest
+podman build --platform linux/amd64 -t myapp:amd64 .
+podman build --platform linux/arm64 -t myapp:arm64 .
+podman manifest create myapp:latest
+podman manifest add myapp:latest myapp:amd64
+podman manifest add myapp:latest myapp:arm64
+```
+
+**Optimize with multi-stage:**
+```dockerfile
+FROM golang:1.21-alpine AS builder
+WORKDIR /app
+COPY . .
+RUN go build -o myapp
+
+FROM alpine:3.19
+COPY --from=builder /app/myapp /
+CMD ["/myapp"]
+```
+
+## Runtime Detection
+
+### Detect Container Runtime
+
+**Auto-detect:**
+```bash
+../tools/DetectRuntime.sh
+# Prefers Podman, falls back to Docker
+```
+
+**Specify runtime:**
+```bash
+../tools/DetectRuntime.sh --runtime docker
+../tools/DetectRuntime.sh --runtime podman
+```
+
+**Check available builders:**
+```bash
+# Docker buildx
+docker buildx ls
+
+# Podman buildah
+buildah version
+```
+
+### Process Integration
+
+1. **Parse user prompt** for explicit runtime mention
+2. **Run DetectRuntime.sh** with appropriate flags
+3. **Identify build tools** (buildx, buildah)
+4. **Use detected runtime** for all commands
+
+## Building Images
+
+### Basic Build Process
+
+**Docker:**
+```bash
+# Basic build
+docker build -t myapp:latest .
+
+# With build arguments
+docker build --build-arg VERSION=1.0 -t myapp:1.0 .
+
+# With specific target
+docker build --target production -t myapp:prod .
+
+# Build without cache
+docker build --no-cache -t myapp:latest .
+
+# Build with custom context
+docker build -t myapp:latest -f path/to/Dockerfile context/
+```
+
+**Podman:**
+```bash
+# Basic build
+podman build -t myapp:latest .
+
+# With build arguments
+podman build --build-arg VERSION=1.0 -t myapp:1.0 .
+
+# With specific target
+podman build --target production -t myapp:prod .
+
+# Build without cache
+podman build --no-cache -t myapp:latest .
+
+# Build with custom context
+podman build -t myapp:latest -f path/to/Dockerfile context/
+```
+
+### Build Arguments and Tags
+
+**Multiple tags:**
+```bash
+docker build -t myapp:latest -t myapp:1.0 -t myregistry/myapp:1.0 .
+podman build -t myapp:latest -t myapp:1.0 -t myregistry/myapp:1.0 .
+```
+
+**Build arguments:**
+```dockerfile
+ARG VERSION=1.0
+ARG BUILD_DATE
+ENV APP_VERSION=${VERSION}
+
+RUN echo "Building version ${VERSION} on ${BUILD_DATE}"
+```
+
+```bash
+docker build --build-arg VERSION=2.0 --build-arg BUILD_DATE=$(date -u +%Y-%m-%d) .
+podman build --build-arg VERSION=2.0 --build-arg BUILD_DATE=$(date -u +%Y-%m-%d) .
+```
+
+### Dockerfile Best Practices
+
+**Base image selection:**
+```dockerfile
+# Use specific tags, never :latest
+FROM alpine:3.19
+FROM python:3.11-slim
+FROM node:20-alpine
+
+# For static binaries
+FROM scratch
+FROM gcr.io/distroless/static-debian12
+```
+
+**Layer ordering (cache optimization):**
+```dockerfile
+# Good: dependencies cached separately
+FROM node:20-alpine
+WORKDIR /app
+# Copy dependency files first (changes less frequently)
+COPY package*.json ./
+RUN npm ci
+# Copy code last (changes most frequently)
+COPY . .
+RUN npm run build
+```
+
+**Non-root user:**
+```dockerfile
+RUN addgroup -S appgroup && adduser -S appuser -G appgroup
+USER appuser
+WORKDIR /app
+COPY --chown=appuser:appgroup . .
+```
+
+**Minimal layers:**
+```dockerfile
+# Bad: creates multiple layers
+RUN apt-get update
+RUN apt-get install -y curl
+RUN apt-get clean
+
+# Good: single layer with cleanup
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends curl && \
+ rm -rf /var/lib/apt/lists/*
+```
+
+### Using .dockerignore
+
+Create `.dockerignore` to exclude unnecessary files:
+
+```dockerignore
+# Version control
+.git
+.gitignore
+
+# Dependencies
+node_modules
+vendor
+
+# Build artifacts
+dist
+build
+*.o
+
+# Documentation
+*.md
+docs/
+
+# Tests
+*_test.go
+test/
+__tests__
+
+# CI/CD
+.github
+.gitlab-ci.yml
+
+# Development
+.env
+.vscode
+*.log
+
+# OS files
+.DS_Store
+```
+
+## Multi-Architecture Builds
+
+### Docker with Buildx
+
+**Setup QEMU:**
+```bash
+docker run --privileged --rm tonistiigi/binfmt --install all
+```
+
+**Create builder:**
+```bash
+docker buildx create --name multiarch --driver docker-container --use
+docker buildx inspect --bootstrap
+```
+
+**List available platforms:**
+```bash
+docker buildx inspect --bootstrap | grep Platforms
+```
+
+**Build multi-arch image:**
+```bash
+# Build and push
+docker buildx build \
+ --platform linux/amd64,linux/arm64,linux/arm/v7 \
+ -t myregistry/myapp:latest \
+ --push \
+ .
+
+# Build single platform locally
+docker buildx build \
+ --platform linux/arm64 \
+ -t myapp:arm64 \
+ --load \
+ .
+```
+
+**Build with cache:**
+```bash
+docker buildx build \
+ --platform linux/amd64,linux/arm64 \
+ --cache-from type=registry,ref=myregistry/myapp:buildcache \
+ --cache-to type=registry,ref=myregistry/myapp:buildcache,mode=max \
+ -t myregistry/myapp:latest \
+ --push \
+ .
+```
+
+**Manage builders:**
+```bash
+# List builders
+docker buildx ls
+
+# Remove builder
+docker buildx rm multiarch
+
+# Use default builder
+docker buildx use default
+```
+
+### Podman with Buildah
+
+**Install QEMU:**
+```bash
+# On host system
+sudo dnf install qemu-user-static # Fedora/RHEL
+sudo apt install qemu-user-static # Debian/Ubuntu
+
+# Or with Podman
+podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
+```
+
+**Build for specific platform:**
+```bash
+podman build --platform linux/arm64 -t myapp:arm64 .
+```
+
+**Build multi-arch with manifest:**
+```bash
+# Build for each platform
+podman build --platform linux/amd64 -t myapp:amd64 .
+podman build --platform linux/arm64 -t myapp:arm64 .
+podman build --platform linux/arm/v7 -t myapp:armv7 .
+
+# Create manifest
+podman manifest create myapp:latest
+
+# Add images to manifest
+podman manifest add myapp:latest myapp:amd64
+podman manifest add myapp:latest myapp:arm64
+podman manifest add myapp:latest myapp:armv7
+
+# Push manifest
+podman manifest push myapp:latest docker://myregistry/myapp:latest
+```
+
+**Using buildah directly:**
+```bash
+buildah bud --arch arm64 -t myapp:arm64 .
+buildah bud --arch amd64 -t myapp:amd64 .
+```
+
+### Platform Targeting
+
+**Common platforms:**
+
+| Platform | Description | Use Case |
+|----------|-------------|----------|
+| linux/amd64 | 64-bit x86 | Standard servers, desktops |
+| linux/arm64 | 64-bit ARM | Raspberry Pi 4, Apple Silicon, AWS Graviton |
+| linux/arm/v7 | 32-bit ARM v7 | Raspberry Pi 2/3 |
+| linux/arm/v6 | 32-bit ARM v6 | Raspberry Pi Zero/1 |
+| linux/386 | 32-bit x86 | Legacy systems |
+
+**Platform-aware Dockerfile:**
+```dockerfile
+FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+ARG TARGETOS
+ARG TARGETARCH
+
+WORKDIR /app
+COPY . .
+
+# Build for target platform
+RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o app .
+
+FROM --platform=$TARGETPLATFORM alpine:latest
+COPY --from=builder /app/app /app
+ENTRYPOINT ["/app"]
+```
+
+**Conditional platform logic:**
+```dockerfile
+ARG TARGETARCH
+
+RUN if [ "$TARGETARCH" = "arm64" ]; then \
+ echo "Installing ARM64 packages"; \
+ elif [ "$TARGETARCH" = "amd64" ]; then \
+ echo "Installing AMD64 packages"; \
+ fi
+```
+
+### Verify Multi-Arch Images
+
+**Inspect manifest (Docker):**
+```bash
+docker buildx imagetools inspect myregistry/myapp:latest
+docker manifest inspect myregistry/myapp:latest
+```
+
+**Inspect manifest (Podman):**
+```bash
+podman manifest inspect myapp:latest
+skopeo inspect docker://myregistry/myapp:latest
+```
+
+**Test platform-specific images:**
+```bash
+# Force ARM64 on AMD64 host
+docker run --platform linux/arm64 myregistry/myapp:latest
+
+# Verify architecture
+docker run --rm myregistry/myapp:latest uname -m
+# Output: x86_64, aarch64, armv7l, etc.
+```
+
+## Image Optimization
+
+### Multi-Stage Builds
+
+**Basic pattern:**
+```dockerfile
+# Build stage
+FROM golang:1.21-alpine AS builder
+WORKDIR /app
+COPY go.* ./
+RUN go mod download
+COPY . .
+RUN go build -o myapp
+
+# Runtime stage
+FROM alpine:3.19
+WORKDIR /app
+COPY --from=builder /app/myapp .
+CMD ["/app/myapp"]
+# Result: ~20 MB vs ~1 GB
+```
+
+**Multiple build stages:**
+```dockerfile
+# Stage 1: Dependencies
+FROM node:20-alpine AS deps
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --only=production
+
+# Stage 2: Build
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+# Stage 3: Runtime
+FROM node:20-alpine
+WORKDIR /app
+ENV NODE_ENV=production
+COPY --from=deps /app/node_modules ./node_modules
+COPY --from=builder /app/dist ./dist
+CMD ["node", "dist/index.js"]
+```
+
+### Base Image Selection
+
+**Size comparison:**
+```dockerfile
+# Large (1.1 GB)
+FROM ubuntu:latest
+
+# Medium (130 MB)
+FROM ubuntu:22.04
+
+# Small (77 MB)
+FROM debian:bookworm-slim
+
+# Smaller (7 MB)
+FROM alpine:3.19
+
+# Smallest (< 2 MB)
+FROM scratch
+FROM gcr.io/distroless/static-debian12
+```
+
+**Language-specific minimal images:**
+```dockerfile
+# Python
+FROM python:3.11-slim # 50 MB vs 900 MB
+FROM python:3.11-alpine # 45 MB
+
+# Node.js
+FROM node:20-slim # 240 MB vs 1 GB
+FROM node:20-alpine # 180 MB
+
+# Go
+FROM golang:1.21-alpine # Build stage
+FROM scratch # Runtime (static binary)
+```
+
+### Layer Optimization
+
+**Combine RUN commands:**
+```dockerfile
+# Bad: creates 4 layers
+RUN apt-get update
+RUN apt-get install -y curl
+RUN apt-get install -y git
+RUN apt-get clean
+
+# Good: single layer
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ curl \
+ git && \
+ rm -rf /var/lib/apt/lists/*
+```
+
+**Clean up in same layer:**
+```dockerfile
+# Bad: file remains in layer
+RUN wget https://example.com/large-file.tar.gz
+RUN tar -xzf large-file.tar.gz
+RUN rm large-file.tar.gz
+
+# Good: cleanup in same layer
+RUN wget https://example.com/large-file.tar.gz && \
+ tar -xzf large-file.tar.gz && \
+ rm large-file.tar.gz
+```
+
+### Size Reduction Techniques
+
+**Remove package manager cache:**
+```dockerfile
+# APT (Debian/Ubuntu)
+RUN apt-get update && \
+ apt-get install -y package && \
+ rm -rf /var/lib/apt/lists/*
+
+# APK (Alpine)
+RUN apk add --no-cache package
+
+# DNF (Fedora/RHEL)
+RUN dnf install -y package && \
+ dnf clean all
+
+# npm
+RUN npm ci --only=production && \
+ npm cache clean --force
+
+# pip
+RUN pip install --no-cache-dir -r requirements.txt
+```
+
+**Minimize installed packages:**
+```dockerfile
+# Bad: installs many unnecessary packages
+RUN apt-get update && \
+ apt-get install -y build-essential
+
+# Good: minimal installation
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ gcc \
+ make && \
+ rm -rf /var/lib/apt/lists/*
+```
+
+**Remove build dependencies:**
+```dockerfile
+RUN apk add --no-cache --virtual .build-deps \
+ gcc \
+ musl-dev \
+ postgresql-dev && \
+ pip install psycopg2 && \
+ apk del .build-deps
+```
+
+### Static Binaries
+
+**Go static binary:**
+```dockerfile
+FROM golang:1.21-alpine AS builder
+WORKDIR /app
+COPY . .
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o myapp .
+
+FROM scratch
+COPY --from=builder /app/myapp /myapp
+ENTRYPOINT ["/myapp"]
+# Result: ~10 MB (just the binary)
+```
+
+**Rust static binary:**
+```dockerfile
+FROM rust:1.75-alpine AS builder
+WORKDIR /app
+COPY . .
+RUN cargo build --release
+
+FROM scratch
+COPY --from=builder /app/target/release/myapp /myapp
+ENTRYPOINT ["/myapp"]
+```
+
+### Distroless Images
+
+**Language-specific distroless:**
+```dockerfile
+# Java
+FROM gcr.io/distroless/java17-debian12
+COPY target/app.jar /app.jar
+CMD ["app.jar"]
+
+# Python
+FROM gcr.io/distroless/python3-debian12
+COPY --from=builder /app /app
+WORKDIR /app
+CMD ["app.py"]
+
+# Node.js
+FROM gcr.io/distroless/nodejs20-debian12
+COPY --from=builder /app /app
+WORKDIR /app
+CMD ["index.js"]
+
+# Static binaries
+FROM gcr.io/distroless/static-debian12
+COPY --from=builder /app/myapp /
+CMD ["/myapp"]
+```
+
+### Build Cache Strategies
+
+**BuildKit cache mounts:**
+```dockerfile
+# syntax=docker/dockerfile:1
+FROM golang:1.21-alpine
+WORKDIR /app
+COPY go.* ./
+RUN --mount=type=cache,target=/go/pkg/mod \
+ go mod download
+COPY . .
+RUN --mount=type=cache,target=/go/pkg/mod \
+ --mount=type=cache,target=/root/.cache/go-build \
+ go build -o myapp
+```
+
+**Remote cache:**
+```bash
+docker buildx build \
+ --cache-from type=registry,ref=myregistry/myapp:buildcache \
+ --cache-to type=registry,ref=myregistry/myapp:buildcache,mode=max \
+ -t myapp:latest .
+```
+
+### Optimization Examples
+
+**Python Flask app (500 MB → 50 MB):**
+```dockerfile
+# Before
+FROM python:3.11
+WORKDIR /app
+COPY . .
+RUN pip install -r requirements.txt
+CMD ["python", "app.py"]
+
+# After
+FROM python:3.11-slim AS builder
+WORKDIR /app
+COPY requirements.txt .
+RUN pip install --user --no-cache-dir -r requirements.txt
+
+FROM python:3.11-slim
+WORKDIR /app
+COPY --from=builder /root/.local /root/.local
+COPY app.py .
+ENV PATH=/root/.local/bin:$PATH
+CMD ["python", "app.py"]
+```
+
+**Node.js React app (1.2 GB → 100 MB):**
+```dockerfile
+# Before
+FROM node:20
+WORKDIR /app
+COPY . .
+RUN npm install
+RUN npm run build
+CMD ["npm", "start"]
+
+# After
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+FROM nginx:alpine
+COPY --from=builder /app/build /usr/share/nginx/html
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]
+```
+
+**Go microservice (800 MB → 10 MB):**
+```dockerfile
+# Before
+FROM golang:1.21
+WORKDIR /app
+COPY . .
+RUN go build -o myapp
+CMD ["/app/myapp"]
+
+# After
+FROM golang:1.21-alpine AS builder
+WORKDIR /app
+COPY go.* ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o myapp
+
+FROM scratch
+COPY --from=builder /app/myapp /
+CMD ["/myapp"]
+```
+
+### Analysis Tools
+
+**Check image size:**
+```bash
+docker images myapp
+podman images myapp
+```
+
+**View image history:**
+```bash
+docker history myapp:latest
+docker history --no-trunc myapp:latest # Full commands
+
+podman history myapp:latest
+```
+
+**Analyze with dive:**
+```bash
+# Install dive
+brew install dive
+
+# Analyze image
+dive myapp:latest
+```
+
+**Find large layers:**
+```bash
+docker history myapp:latest --format "{{.Size}}\t{{.CreatedBy}}" | sort -h
+```
+
+## Best Practices
+
+### Dockerfile Quality Checklist
+
+- [ ] Use specific base image tags (not `latest`)
+- [ ] Minimize number of layers
+- [ ] Use multi-stage builds where appropriate
+- [ ] Run as non-root user
+- [ ] Have .dockerignore file
+- [ ] No secrets embedded
+- [ ] Proper layer ordering (least to most frequently changed)
+- [ ] Install only required packages
+- [ ] Clean up in same layer
+- [ ] Use minimal base images
+
+### Build Optimization Checklist
+
+- [ ] Leverage build cache effectively
+- [ ] Combine RUN commands where appropriate
+- [ ] Remove package manager cache
+- [ ] Use `--no-install-recommends` (apt)
+- [ ] Use `--no-cache` (apk)
+- [ ] Remove build dependencies after use
+- [ ] Exclude development files via .dockerignore
+- [ ] Order layers by change frequency
+
+### Security Best Practices
+
+- [ ] Use specific version tags
+- [ ] Update packages during build
+- [ ] Run as non-root user
+- [ ] Don't include secrets in image
+- [ ] Scan for vulnerabilities
+- [ ] Use minimal base images (smaller attack surface)
+- [ ] Consider distroless for production
+
+### Multi-Arch Best Practices
+
+1. **Use multi-stage builds** for smaller final images
+2. **Leverage build cache** with remote cache
+3. **Test on actual hardware** when possible
+4. **Use QEMU** for cross-platform testing
+5. **Build platform-specific optimizations** with TARGETARCH
+6. **Verify critical functionality** on each platform
+
+### CI/CD Integration
+
+**GitHub Actions:**
+```yaml
+- name: Set up QEMU
+ uses: docker/setup-qemu-action@v2
+
+- name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+- name: Build and push
+ uses: docker/build-push-action@v4
+ with:
+ platforms: linux/amd64,linux/arm64
+ push: true
+ tags: myregistry/myapp:latest
+```
+
+**GitLab CI:**
+```yaml
+build-multiarch:
+ image: docker:latest
+ services:
+ - docker:dind
+ before_script:
+ - docker buildx create --use
+ - docker buildx install
+ script:
+ - docker buildx build
+ --platform linux/amd64,linux/arm64
+ -t myregistry/myapp:latest
+ --push .
+```
+
+## Troubleshooting
+
+### Build Failures
+
+**Issue:** Build fails with permission denied
+
+**Docker:**
+- User not in docker group: `sudo usermod -aG docker $USER`
+- Daemon not running: `sudo systemctl start docker`
+
+**Podman:**
+- Check rootless permissions: `podman system migrate`
+- Check user namespace: `cat /etc/subuid /etc/subgid`
+
+**Issue:** Build cache not working
+- Check layer ordering (copy dependencies before code)
+- Verify .dockerignore excludes frequently changing files
+- Use `--no-cache` to force rebuild if needed
+
+**Issue:** Large image size
+- Review Dockerfile layer ordering
+- Implement multi-stage builds
+- Use smaller base images
+- Clean up in same layer
+
+### Multi-Arch Issues
+
+**Issue:** Build very slow for non-native platforms
+- **Cause:** QEMU emulation overhead
+- **Solution:** Use native builders or accept slower builds
+
+**Issue:** Build fails with "exec format error"
+- **Cause:** QEMU not configured
+- **Solution:** `docker run --privileged --rm tonistiigi/binfmt --install all`
+
+**Issue:** Cannot load multi-platform image locally
+- **Cause:** Local load only supports single platform
+- **Solution:** Use `--platform` to specify one, or push to registry
+
+**Issue:** Different behavior on different platforms
+- **Cause:** Platform-specific dependencies
+- **Solution:** Review Dockerfile for cross-platform compatibility
+
+**Issue:** Manifest push fails
+- **Cause:** Authentication or registry doesn't support manifests
+- **Solution:** Verify registry supports manifest lists, check credentials
+
+### Optimization Issues
+
+**Issue:** Removing files doesn't reduce image size
+- **Cause:** Files removed in different layer
+- **Solution:** Clean up in same RUN command
+
+**Issue:** Dependencies installed but not needed
+- **Cause:** Installing dev dependencies in production
+- **Solution:** Use `npm ci --only=production`, `pip install --no-cache-dir`
+
+**Issue:** .dockerignore not working
+- **Cause:** File in wrong location or syntax error
+- **Solution:** Place in build context root, verify syntax
+
+## Output Examples
+
+**After successful build:**
+```
+✓ Image built successfully
+ Runtime: docker
+ Image: myapp:latest
+ Size: 125 MB
+ Build time: 45s
+
+Next steps:
+ - Run the image: docker run myapp:latest
+ - Scan for vulnerabilities: [trigger SecurityScan]
+ - Push to registry: [trigger RegistryManage]
+```
+
+**After multi-arch build:**
+```
+✓ Multi-architecture image built successfully
+ Runtime: docker buildx
+ Image: myregistry/myapp:latest
+
+ Platforms built:
+ - linux/amd64 (152 MB)
+ - linux/arm64 (148 MB)
+ - linux/arm/v7 (145 MB)
+
+ Total build time: 8m 32s
+
+ Verify:
+ docker buildx imagetools inspect myregistry/myapp:latest
+
+ Test platforms:
+ docker run --platform linux/arm64 myregistry/myapp:latest
+```
+
+**After optimization:**
+```
+✓ Image optimized successfully
+ Image: myapp:latest
+
+ Size reduction:
+ Before: 850 MB
+ After: 45 MB
+ Savings: 805 MB (94.7%)
+
+ Layers:
+ Before: 15 layers
+ After: 5 layers
+
+ Optimizations applied:
+ - Changed base image: python:3.11 → python:3.11-slim
+ - Added multi-stage build
+ - Combined RUN commands (4 → 1)
+ - Removed package cache
+ - Added .dockerignore (excluded 250 MB)
+
+ Build time:
+ Before: 3m 45s
+ After: 1m 20s (faster caching)
+```
+
+## Quick Reference
+
+**Basic builds:**
+```bash
+docker build -t myapp:latest .
+podman build -t myapp:latest .
+```
+
+**Multi-architecture:**
+```bash
+# Docker
+docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest --push .
+
+# Podman
+podman build --platform linux/amd64 -t myapp:amd64 .
+podman manifest create myapp:latest
+podman manifest add myapp:latest myapp:amd64
+```
+
+**Analyze image:**
+```bash
+docker history myapp:latest
+dive myapp:latest
+```
+
+**Multi-stage pattern:**
+```dockerfile
+FROM golang:1.21-alpine AS builder
+# ... build ...
+FROM alpine:3.19
+COPY --from=builder /app/binary /
+```
+
+**Optimize layers:**
+```dockerfile
+RUN apk add --no-cache package && \
+ # work && \
+ cleanup
+```
dots/.config/claude/skills/Docker/workflows/BuildImage.md
@@ -1,113 +0,0 @@
-# BuildImage Workflow
-
-Build container images with best practices for Docker or Podman.
-
-## Process
-
-1. **Detect Runtime**
- - Parse user prompt for explicit runtime mention ("use Docker", "with Podman")
- - If explicit runtime mentioned: Use `DetectRuntime.sh --runtime <docker|podman>`
- - If auto-detect: Run `DetectRuntime.sh` (prefers Podman, falls back to Docker)
- - Identify available build tools (buildx, buildah)
-
-2. **Analyze Context**
- - Check for existing Dockerfile
- - If no Dockerfile exists, ask user if they want to create one
- - Review Dockerfile for best practices
-
-3. **Determine Build Strategy**
- - Single-stage vs multi-stage build
- - Build arguments needed
- - Target platform(s)
- - Tags to apply
-
-4. **Build Image**
- - Use detected runtime (docker/podman)
- - Apply appropriate tags
- - Show build progress
- - Handle build errors
-
-5. **Post-Build Actions**
- - Display image size
- - Show image layers (if requested)
- - Suggest optimizations if image is large
- - Offer to run security scan
-
-## Best Practices to Check
-
-### Dockerfile Quality
-- [ ] Uses specific base image tags (not `latest`)
-- [ ] Minimizes number of layers
-- [ ] Uses multi-stage builds where appropriate
-- [ ] Runs as non-root user
-- [ ] Has .dockerignore file
-- [ ] No secrets embedded
-- [ ] Proper layer ordering (least to most frequently changed)
-
-### Build Optimization
-- [ ] Leverages build cache effectively
-- [ ] Combines RUN commands where appropriate
-- [ ] Cleans up in the same layer
-- [ ] Uses minimal base images
-
-## Example Commands
-
-### Docker
-```bash
-# Basic build
-docker build -t myapp:latest .
-
-# Build with arguments
-docker build --build-arg VERSION=1.0 -t myapp:1.0 .
-
-# Build with specific target
-docker build --target production -t myapp:prod .
-
-# Build with no cache
-docker build --no-cache -t myapp:latest .
-```
-
-### Podman
-```bash
-# Basic build
-podman build -t myapp:latest .
-
-# Build with arguments
-podman build --build-arg VERSION=1.0 -t myapp:1.0 .
-
-# Build with specific target
-podman build --target production -t myapp:prod .
-
-# Build with no cache
-podman build --no-cache -t myapp:latest .
-```
-
-## Common Issues
-
-**Issue**: Build fails with permission denied
-- **Docker**: User not in docker group or daemon not running
-- **Podman**: Check rootless permissions, may need `podman system migrate`
-
-**Issue**: Large image size
-- Suggest multi-stage builds
-- Recommend OptimizeImage workflow
-
-**Issue**: Build cache not working
-- Check layer ordering
-- Verify .dockerignore excludes changing files
-
-## Output Format
-
-After successful build:
-```
-✓ Image built successfully
- Runtime: docker/podman
- Image: myapp:latest
- Size: 125 MB
- Build time: 45s
-
-Next steps:
- - Run the image: docker run myapp:latest
- - Scan for vulnerabilities: [trigger SecurityScan]
- - Push to registry: [trigger RegistryManage]
-```
dots/.config/claude/skills/Docker/workflows/BuildMultiArch.md
@@ -1,416 +0,0 @@
-# BuildMultiArch Workflow
-
-Build container images for multiple CPU architectures (AMD64, ARM64, ARM/v7, etc.).
-
-## Process
-
-1. **Detect Runtime and Builder**
- - Run `DetectRuntime.sh` to determine Docker/Podman
- - Check for buildx (Docker) or buildah (Podman)
-
-2. **Determine Target Platforms**
- - Common: linux/amd64, linux/arm64, linux/arm/v7
- - User-specified platforms
-
-3. **Setup Multi-Arch Builder**
- - Create/use buildx builder (Docker)
- - Configure QEMU for cross-compilation
-
-4. **Build for Multiple Platforms**
- - Build image for each platform
- - Create manifest list
- - Optionally push to registry
-
-5. **Verify Build**
- - Check manifest
- - Verify platforms
-
-## Docker with Buildx
-
-### Setup
-
-**Install QEMU (if not present):**
-```bash
-docker run --privileged --rm tonistiigi/binfmt --install all
-```
-
-**Create builder:**
-```bash
-docker buildx create --name multiarch --driver docker-container --use
-docker buildx inspect --bootstrap
-```
-
-**List available platforms:**
-```bash
-docker buildx inspect --bootstrap | grep Platforms
-```
-
-### Build Multi-Arch Image
-
-**Build for multiple platforms:**
-```bash
-docker buildx build \
- --platform linux/amd64,linux/arm64,linux/arm/v7 \
- -t myregistry/myapp:latest \
- --push \
- .
-```
-
-**Build and load locally (single platform):**
-```bash
-docker buildx build \
- --platform linux/arm64 \
- -t myapp:arm64 \
- --load \
- .
-```
-
-**Build without pushing:**
-```bash
-docker buildx build \
- --platform linux/amd64,linux/arm64 \
- -t myregistry/myapp:latest \
- .
-```
-
-**Build with output to registry:**
-```bash
-docker buildx build \
- --platform linux/amd64,linux/arm64,linux/arm/v7 \
- -t myregistry/myapp:latest \
- --push \
- .
-```
-
-### Advanced Buildx
-
-**Use specific builder:**
-```bash
-docker buildx build \
- --builder multiarch \
- --platform linux/amd64,linux/arm64 \
- -t myapp:latest \
- .
-```
-
-**Build with cache:**
-```bash
-docker buildx build \
- --platform linux/amd64,linux/arm64 \
- --cache-from type=registry,ref=myregistry/myapp:buildcache \
- --cache-to type=registry,ref=myregistry/myapp:buildcache,mode=max \
- -t myregistry/myapp:latest \
- --push \
- .
-```
-
-**Build different tags per platform:**
-```bash
-docker buildx build \
- --platform linux/amd64 \
- -t myregistry/myapp:amd64 \
- --push \
- .
-
-docker buildx build \
- --platform linux/arm64 \
- -t myregistry/myapp:arm64 \
- --push \
- .
-```
-
-### Manage Builders
-
-**List builders:**
-```bash
-docker buildx ls
-```
-
-**Remove builder:**
-```bash
-docker buildx rm multiarch
-```
-
-**Use default builder:**
-```bash
-docker buildx use default
-```
-
-## Podman with Buildah
-
-### Setup
-
-**Install QEMU:**
-```bash
-# On host system (requires root/sudo)
-sudo dnf install qemu-user-static # Fedora/RHEL
-sudo apt install qemu-user-static # Debian/Ubuntu
-
-# Or with Podman
-podman run --rm --privileged multiarch/qemu-user-static --reset -p yes
-```
-
-### Build Multi-Arch Image
-
-**Build for specific platform:**
-```bash
-podman build \
- --platform linux/arm64 \
- -t myapp:arm64 \
- .
-```
-
-**Build for multiple platforms (requires manifest):**
-```bash
-# Build for each platform separately
-podman build --platform linux/amd64 -t myapp:amd64 .
-podman build --platform linux/arm64 -t myapp:arm64 .
-podman build --platform linux/arm/v7 -t myapp:armv7 .
-
-# Create manifest
-podman manifest create myapp:latest
-
-# Add images to manifest
-podman manifest add myapp:latest myapp:amd64
-podman manifest add myapp:latest myapp:arm64
-podman manifest add myapp:latest myapp:armv7
-
-# Push manifest
-podman manifest push myapp:latest docker://myregistry/myapp:latest
-```
-
-**Using buildah directly:**
-```bash
-# Build for ARM64
-buildah bud --arch arm64 -t myapp:arm64 .
-
-# Build for AMD64
-buildah bud --arch amd64 -t myapp:amd64 .
-```
-
-## Common Platforms
-
-| Platform | Description | Use Case |
-|----------|-------------|----------|
-| linux/amd64 | 64-bit x86 | Standard servers, desktops |
-| linux/arm64 | 64-bit ARM | Raspberry Pi 4, Apple Silicon, AWS Graviton |
-| linux/arm/v7 | 32-bit ARM v7 | Raspberry Pi 2/3, older ARM devices |
-| linux/arm/v6 | 32-bit ARM v6 | Raspberry Pi Zero/1 |
-| linux/386 | 32-bit x86 | Legacy systems |
-| linux/ppc64le | PowerPC 64-bit LE | IBM POWER systems |
-| linux/s390x | IBM Z | Mainframes |
-
-## Dockerfile Considerations
-
-### Platform-Specific Build
-
-**Using build arguments:**
-```dockerfile
-FROM --platform=$BUILDPLATFORM golang:1.21-alpine AS builder
-ARG TARGETPLATFORM
-ARG BUILDPLATFORM
-ARG TARGETOS
-ARG TARGETARCH
-
-WORKDIR /app
-COPY . .
-
-# Build for target platform
-RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o app .
-
-FROM --platform=$TARGETPLATFORM alpine:latest
-COPY --from=builder /app/app /app
-ENTRYPOINT ["/app"]
-```
-
-**Platform-specific base images:**
-```dockerfile
-# Multi-stage with platform awareness
-FROM --platform=$BUILDPLATFORM golang:1.21 AS builder
-ARG TARGETARCH
-
-WORKDIR /src
-COPY . .
-RUN CGO_ENABLED=0 GOARCH=$TARGETARCH go build -o app
-
-FROM alpine:latest
-COPY --from=builder /src/app /app
-CMD ["/app"]
-```
-
-**Conditional platform logic:**
-```dockerfile
-FROM alpine:latest
-
-ARG TARGETARCH
-
-# Install platform-specific packages
-RUN if [ "$TARGETARCH" = "arm64" ]; then \
- echo "Installing ARM64 packages"; \
- elif [ "$TARGETARCH" = "amd64" ]; then \
- echo "Installing AMD64 packages"; \
- fi
-
-COPY app /app
-CMD ["/app"]
-```
-
-## Verify Multi-Arch Images
-
-### Inspect Manifest
-
-**Docker:**
-```bash
-# Inspect manifest list
-docker buildx imagetools inspect myregistry/myapp:latest
-
-# Should show multiple platforms
-docker manifest inspect myregistry/myapp:latest
-```
-
-**Podman:**
-```bash
-# Inspect manifest
-podman manifest inspect myapp:latest
-
-# Show manifest details with skopeo
-skopeo inspect docker://myregistry/myapp:latest
-```
-
-### Test Platform-Specific Images
-
-**Run specific platform:**
-```bash
-# Force ARM64 on AMD64 host
-docker run --platform linux/arm64 myregistry/myapp:latest
-
-# Force AMD64 on ARM64 host
-docker run --platform linux/amd64 myregistry/myapp:latest
-```
-
-**Verify architecture inside container:**
-```bash
-docker run --rm myregistry/myapp:latest uname -m
-# Should show: x86_64, aarch64, armv7l, etc.
-```
-
-## Best Practices
-
-### Optimization
-
-1. **Use multi-stage builds:**
- - Separate build and runtime stages
- - Smaller final images
-
-2. **Leverage build cache:**
- - Use remote cache for faster builds
- - Order layers appropriately
-
-3. **Platform-specific optimizations:**
- - Different base images for different architectures
- - Conditional compilation flags
-
-### CI/CD Integration
-
-**GitHub Actions:**
-```yaml
-- name: Set up QEMU
- uses: docker/setup-qemu-action@v2
-
-- name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
-
-- name: Build and push
- uses: docker/build-push-action@v4
- with:
- platforms: linux/amd64,linux/arm64,linux/arm/v7
- push: true
- tags: myregistry/myapp:latest
-```
-
-**GitLab CI:**
-```yaml
-build-multiarch:
- image: docker:latest
- services:
- - docker:dind
- before_script:
- - docker buildx create --use
- - docker buildx install
- script:
- - docker buildx build
- --platform linux/amd64,linux/arm64
- -t myregistry/myapp:latest
- --push .
-```
-
-### Testing
-
-- Test on actual hardware when possible
-- Use QEMU for cross-platform testing
-- Verify critical functionality on each platform
-- Check performance characteristics
-
-## Common Issues
-
-**Issue**: Build very slow for non-native platforms
-- **Cause**: QEMU emulation overhead
-- **Solution**: Use native builders (build on ARM for ARM), or accept slower builds
-
-**Issue**: Build fails with "exec format error"
-- **Cause**: QEMU not configured
-- **Solution**: Run `docker run --privileged --rm tonistiigi/binfmt --install all`
-
-**Issue**: Cannot load multi-platform image locally
-- **Cause**: Local load only supports single platform
-- **Solution**: Use `--platform` to specify one platform, or push to registry
-
-**Issue**: Different behavior on different platforms
-- **Cause**: Platform-specific dependencies or binaries
-- **Solution**: Review Dockerfile, ensure cross-platform compatibility
-
-**Issue**: Manifest push fails
-- **Cause**: Authentication or manifest format issues
-- **Solution**: Verify registry supports manifest lists, check credentials
-
-## Output Format
-
-After multi-arch build:
-```
-✓ Multi-architecture image built successfully
- Runtime: docker buildx / podman
- Image: myregistry/myapp:latest
-
- Platforms built:
- - linux/amd64 (152 MB)
- - linux/arm64 (148 MB)
- - linux/arm/v7 (145 MB)
-
- Total build time: 8m 32s
-
- Manifest pushed to: myregistry/myapp:latest
-
- Verify:
- docker buildx imagetools inspect myregistry/myapp:latest
-
- Test platforms:
- docker run --platform linux/amd64 myregistry/myapp:latest
- docker run --platform linux/arm64 myregistry/myapp:latest
-```
-
-## Quick Reference
-
-```bash
-# Docker Buildx
-docker buildx create --name multiarch --use
-docker buildx build --platform linux/amd64,linux/arm64 -t myapp:latest --push .
-docker buildx imagetools inspect myregistry/myapp:latest
-
-# Podman Manifest
-podman build --platform linux/amd64 -t myapp:amd64 .
-podman build --platform linux/arm64 -t myapp:arm64 .
-podman manifest create myapp:latest
-podman manifest add myapp:latest myapp:amd64
-podman manifest add myapp:latest myapp:arm64
-podman manifest push myapp:latest docker://myregistry/myapp:latest
-```
dots/.config/claude/skills/Docker/workflows/CleanupResources.md
@@ -1,335 +0,0 @@
-# CleanupResources Workflow
-
-Clean up unused containers, images, volumes, and networks to reclaim disk space.
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
-
-2. **Assess Current Usage**
- - Show disk usage: `docker system df` / `podman system df`
- - Identify reclaimable space
-
-3. **Determine Cleanup Scope**
- - Containers (stopped)
- - Images (unused/dangling)
- - Volumes (unused)
- - Networks (unused)
- - Build cache
-
-4. **Preview What Will Be Removed**
- - Show items to be removed
- - Estimate space to be reclaimed
- - **Ask for user confirmation before proceeding**
-
-5. **Execute Cleanup**
- - Run appropriate prune commands
- - Show space reclaimed
-
-## Check Disk Usage
-
-**System-wide overview:**
-```bash
-docker system df
-podman system df
-```
-
-**Detailed view:**
-```bash
-docker system df -v
-podman system df -v
-```
-
-## Cleanup Operations
-
-### Containers
-
-**Remove all stopped containers:**
-```bash
-docker container prune
-podman container prune
-```
-
-**Remove specific container:**
-```bash
-docker rm container_name
-podman rm container_name
-```
-
-**Remove all containers (dangerous!):**
-```bash
-# Stop all first
-docker stop $(docker ps -aq)
-docker rm $(docker ps -aq)
-
-podman stop -a
-podman rm -a
-```
-
-### Images
-
-**Remove dangling images (untagged):**
-```bash
-docker image prune
-podman image prune
-```
-
-**Remove unused images:**
-```bash
-docker image prune -a
-podman image prune -a
-```
-
-**Remove specific image:**
-```bash
-docker rmi image_name:tag
-podman rmi image_name:tag
-```
-
-**Remove all images (dangerous!):**
-```bash
-docker rmi $(docker images -q)
-podman rmi -a
-```
-
-### Volumes
-
-**Remove unused volumes:**
-```bash
-docker volume prune
-podman volume prune
-```
-
-**Remove specific volume:**
-```bash
-docker volume rm volume_name
-podman volume rm volume_name
-```
-
-**Remove all volumes (dangerous!):**
-```bash
-docker volume rm $(docker volume ls -q)
-podman volume rm -a
-```
-
-### Networks
-
-**Remove unused networks:**
-```bash
-docker network prune
-podman network prune
-```
-
-**Remove specific network:**
-```bash
-docker network rm network_name
-podman network rm network_name
-```
-
-### Build Cache
-
-**Clear build cache:**
-```bash
-docker builder prune
-podman system prune --all --volumes
-```
-
-**Clear all build cache (more aggressive):**
-```bash
-docker builder prune -a
-```
-
-### Complete System Cleanup
-
-**Prune everything (containers, images, volumes, networks):**
-```bash
-docker system prune -a --volumes
-podman system prune -a --volumes
-```
-
-**With force (skip confirmation):**
-```bash
-docker system prune -a --volumes -f
-podman system prune -a --volumes -f
-```
-
-## Safe Cleanup Strategy
-
-### Step-by-Step Approach
-
-1. **Start conservative:**
- ```bash
- # Remove stopped containers
- docker container prune
-
- # Remove dangling images
- docker image prune
- ```
-
-2. **Then volumes:**
- ```bash
- # Review volumes first
- docker volume ls
-
- # Remove unused
- docker volume prune
- ```
-
-3. **Finally unused images:**
- ```bash
- # This removes images not used by any container
- docker image prune -a
- ```
-
-4. **Build cache (if needed):**
- ```bash
- docker builder prune
- ```
-
-### Filter by Age
-
-**Remove containers stopped more than 24 hours ago:**
-```bash
-docker container prune --filter "until=24h"
-podman container prune --filter "until=24h"
-```
-
-**Remove images created more than 7 days ago:**
-```bash
-docker image prune -a --filter "until=168h"
-podman image prune -a --filter "until=168h"
-```
-
-### Filter by Label
-
-**Remove containers with specific label:**
-```bash
-docker container prune --filter "label=project=myapp"
-podman container prune --filter "label=project=myapp"
-```
-
-## Best Practices
-
-### Regular Maintenance
-- Run cleanup weekly or monthly
-- Use automation (cron job)
-- Monitor disk usage
-
-### Safety Checks
-- **Always preview** what will be removed
-- **Never use `-f` (force)** without understanding impact
-- Keep tagged images you need
-- Backup important volumes before cleanup
-
-### Retention Strategy
-```bash
-# Keep images from last week
-docker image prune -a --filter "until=168h"
-
-# Keep containers stopped in last 24h
-docker container prune --filter "until=24h"
-```
-
-## Automated Cleanup
-
-### Docker System Prune with Cron
-
-```bash
-# Add to crontab (weekly cleanup)
-0 2 * * 0 docker system prune -a --volumes -f >> /var/log/docker-cleanup.log 2>&1
-```
-
-### Podman Auto-Prune
-
-```bash
-# Podman rootless with systemd timer
-systemctl --user enable --now podman-auto-update.timer
-```
-
-## Common Issues
-
-**Issue**: Important data deleted
-- **Prevention**: Always use named volumes for important data
-- **Recovery**: Check volume backups if available
-
-**Issue**: Still using too much space
-- Check for large log files: `/var/lib/docker/containers/*/*-json.log`
-- Configure log rotation:
- ```json
- {
- "log-driver": "json-file",
- "log-opts": {
- "max-size": "10m",
- "max-file": "3"
- }
- }
- ```
-
-**Issue**: Cannot remove image in use
-- Check which containers use it: `docker ps -a --filter ancestor=image_name`
-- Stop and remove containers first
-
-**Issue**: Permission denied (Docker)
-- Use sudo or add user to docker group
-- With Podman: run as regular user (rootless)
-
-## Output Format
-
-After cleanup:
-```
-✓ Cleanup completed successfully
- Runtime: docker/podman
-
- Removed:
- - Containers: 5
- - Images: 12
- - Volumes: 3
- - Networks: 2
-
- Space reclaimed: 2.5 GB
-
- Current usage:
- - Images: 5.2 GB
- - Containers: 150 MB
- - Volumes: 800 MB
- - Build cache: 1.1 GB
- - Total: 7.25 GB
-
-Next steps:
- - Check usage: docker system df
- - Schedule regular cleanup
- - Configure log rotation
-```
-
-## Advanced Cleanup
-
-### Clean Specific Image Tags
-
-```bash
-# Remove old versions of specific image
-docker images myapp --format "{{.Tag}}" | grep -v "latest\|v1.0" | xargs -I {} docker rmi myapp:{}
-```
-
-### Clean by Pattern
-
-```bash
-# Remove all development images
-docker images | grep "\-dev" | awk '{print $3}' | xargs docker rmi
-
-# Remove unnamed images
-docker images --filter "dangling=true" -q | xargs docker rmi
-```
-
-### Podman-Specific Cleanup
-
-```bash
-# Reset entire podman storage (nuclear option)
-podman system reset
-
-# Clean up pods
-podman pod prune
-
-# Clean up specific user's containers (rootless)
-podman system prune --all
-```
dots/.config/claude/skills/Docker/workflows/ComposeManage.md
@@ -1,377 +0,0 @@
-# ComposeManage Workflow
-
-Manage multi-container applications with Docker Compose or Podman Compose.
-
-## Process
-
-1. **Detect Runtime and Compose Tool**
- - Run `DetectRuntime.sh` to determine available compose tool
- - Check for `docker-compose`, `docker compose`, or `podman-compose`
-
-2. **Analyze Compose File**
- - Check for `docker-compose.yml` or `compose.yaml`
- - Validate compose file syntax
- - Review services, networks, volumes defined
-
-3. **Determine Action**
- - Start services (up)
- - Stop services (down)
- - Restart services
- - View logs
- - Scale services
- - Build services
-
-4. **Execute Compose Command**
- - Run appropriate compose command
- - Handle environment variables
- - Manage profiles if used
-
-5. **Verify State**
- - Check service status
- - Show running services
- - Display relevant logs
-
-## Common Operations
-
-### Start Services
-
-**Start all services:**
-```bash
-docker-compose up -d
-docker compose up -d
-podman-compose up -d
-```
-
-**Start specific service:**
-```bash
-docker-compose up -d web
-docker compose up -d web
-podman-compose up -d web
-```
-
-**Start with build:**
-```bash
-docker-compose up -d --build
-docker compose up -d --build
-podman-compose up -d --build
-```
-
-**Start with specific file:**
-```bash
-docker-compose -f docker-compose.prod.yml up -d
-docker compose -f docker-compose.prod.yml up -d
-podman-compose -f docker-compose.prod.yml up -d
-```
-
-### Stop Services
-
-**Stop all services:**
-```bash
-docker-compose down
-docker compose down
-podman-compose down
-```
-
-**Stop and remove volumes:**
-```bash
-docker-compose down -v
-docker compose down -v
-podman-compose down -v
-```
-
-**Stop specific service:**
-```bash
-docker-compose stop web
-docker compose stop web
-podman-compose stop web
-```
-
-### View Status and Logs
-
-**List running services:**
-```bash
-docker-compose ps
-docker compose ps
-podman-compose ps
-```
-
-**View logs:**
-```bash
-docker-compose logs
-docker compose logs
-podman-compose logs
-```
-
-**Follow logs:**
-```bash
-docker-compose logs -f
-docker compose logs -f
-podman-compose logs -f
-```
-
-**Logs for specific service:**
-```bash
-docker-compose logs web
-docker compose logs web
-podman-compose logs web
-```
-
-### Build and Rebuild
-
-**Build all services:**
-```bash
-docker-compose build
-docker compose build
-podman-compose build
-```
-
-**Build specific service:**
-```bash
-docker-compose build web
-docker compose build web
-podman-compose build web
-```
-
-**Build with no cache:**
-```bash
-docker-compose build --no-cache
-docker compose build --no-cache
-podman-compose build --no-cache
-```
-
-### Scale Services
-
-**Scale service to multiple instances:**
-```bash
-docker-compose up -d --scale web=3
-docker compose up -d --scale web=3
-podman-compose up -d --scale web=3
-```
-
-### Execute Commands
-
-**Run command in service:**
-```bash
-docker-compose exec web bash
-docker compose exec web bash
-podman-compose exec web bash
-```
-
-**Run one-off command:**
-```bash
-docker-compose run web python manage.py migrate
-docker compose run web python manage.py migrate
-podman-compose run web python manage.py migrate
-```
-
-## Compose File Best Practices
-
-### Structure
-```yaml
-version: '3.8'
-
-services:
- web:
- build:
- context: .
- dockerfile: Dockerfile
- ports:
- - "8080:80"
- environment:
- - DATABASE_URL=postgres://db/myapp
- depends_on:
- - db
- networks:
- - app-network
- volumes:
- - ./app:/app
- restart: unless-stopped
-
- db:
- image: postgres:16-alpine
- environment:
- - POSTGRES_DB=myapp
- - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- volumes:
- - db-data:/var/lib/postgresql/data
- networks:
- - app-network
- secrets:
- - db_password
-
-networks:
- app-network:
- driver: bridge
-
-volumes:
- db-data:
-
-secrets:
- db_password:
- file: ./secrets/db_password.txt
-```
-
-### Key Points
-- Use specific image tags (not `latest`)
-- Use `.env` files for environment variables
-- Define health checks
-- Use secrets for sensitive data
-- Specify restart policies
-- Define resource limits
-- Use named volumes for persistence
-
-### Environment Variables
-
-**Using .env file:**
-```bash
-# .env
-DATABASE_URL=postgres://localhost/myapp
-SECRET_KEY=mysecret
-```
-
-**In compose file:**
-```yaml
-services:
- web:
- env_file:
- - .env
- # Or specific variables
- environment:
- - DATABASE_URL=${DATABASE_URL}
-```
-
-### Profiles
-
-**Define profiles:**
-```yaml
-services:
- web:
- # Always runs
-
- debug:
- profiles: ["debug"]
- # Only runs with --profile debug
-```
-
-**Use profiles:**
-```bash
-docker-compose --profile debug up -d
-docker compose --profile debug up -d
-podman-compose --profile debug up -d
-```
-
-## Podman-Specific Considerations
-
-### Podman Compose vs Docker Compose
-
-**Podman Compose:**
-- Python-based implementation
-- Works with Podman daemon or rootless
-- May have slight syntax differences
-
-**Generate Kubernetes YAML from Compose:**
-```bash
-# Podman can generate K8s YAML
-podman-compose up
-podman generate kube mypod > pod.yaml
-```
-
-### Systemd Integration
-
-**Generate systemd unit from compose:**
-```bash
-# Start services
-podman-compose up -d
-
-# Get pod name
-podman pod ps
-
-# Generate systemd unit
-podman generate systemd --name mypod_pod --files
-
-# Move to systemd directory
-mv *.service ~/.config/systemd/user/
-
-# Enable
-systemctl --user enable --now mypod_pod.service
-```
-
-## Common Issues
-
-**Issue**: Compose file version not supported
-- Use version 3.8 or omit version (modern compose)
-- Check compose tool version
-
-**Issue**: Services can't communicate
-- Ensure services are on same network
-- Use service names as hostnames
-
-**Issue**: Port already in use
-- Check for conflicting services: `lsof -i :8080`
-- Change port mapping in compose file
-
-**Issue**: Volumes not persisting
-- Use named volumes instead of anonymous
-- Check volume definitions
-
-**Issue**: Environment variables not loading
-- Verify .env file location (same directory as compose file)
-- Check for quotes: `KEY=value` not `KEY="value"`
-
-## Output Format
-
-After compose operation:
-```
-✓ Services started successfully
- Runtime: docker-compose / podman-compose
- Services: 3 running
- - web (0.0.0.0:8080->80/tcp)
- - db (postgres:16-alpine)
- - redis (redis:7-alpine)
-
-Next steps:
- - View logs: docker-compose logs -f
- - Check status: docker-compose ps
- - Stop services: docker-compose down
-```
-
-## Advanced Features
-
-### Override Files
-
-**Use override for development:**
-```bash
-# docker-compose.override.yml automatically loaded
-docker-compose up -d
-
-# Or specify explicitly
-docker-compose -f docker-compose.yml -f docker-compose.dev.yml up -d
-```
-
-### Health Checks
-
-```yaml
-services:
- web:
- healthcheck:
- test: ["CMD", "curl", "-f", "http://localhost/health"]
- interval: 30s
- timeout: 10s
- retries: 3
- start_period: 40s
-```
-
-### Resource Limits
-
-```yaml
-services:
- web:
- deploy:
- resources:
- limits:
- cpus: '0.5'
- memory: 512M
- reservations:
- cpus: '0.25'
- memory: 256M
-```
dots/.config/claude/skills/Docker/workflows/DebugContainer.md
@@ -1,479 +0,0 @@
-# DebugContainer Workflow
-
-Debug and troubleshoot running or failed containers.
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
-
-2. **Identify Container**
- - List containers to find the target
- - Get container name or ID
-
-3. **Determine Debug Approach**
- - View logs
- - Inspect container configuration
- - Execute commands inside container
- - Check resource usage
- - Examine network connectivity
- - Review filesystem
-
-4. **Execute Debug Commands**
- - Run appropriate diagnostic commands
- - Gather relevant information
-
-5. **Analyze and Report**
- - Identify potential issues
- - Suggest solutions
-
-## View Logs
-
-**Show container logs:**
-```bash
-docker logs container_name
-podman logs container_name
-```
-
-**Follow logs (real-time):**
-```bash
-docker logs -f container_name
-podman logs -f container_name
-```
-
-**Show last N lines:**
-```bash
-docker logs --tail 100 container_name
-podman logs --tail 100 container_name
-```
-
-**Show logs with timestamps:**
-```bash
-docker logs -t container_name
-podman logs -t container_name
-```
-
-**Show logs since specific time:**
-```bash
-docker logs --since 2024-01-01T10:00:00 container_name
-docker logs --since 1h container_name
-podman logs --since 1h container_name
-```
-
-**Search logs:**
-```bash
-docker logs container_name 2>&1 | grep ERROR
-podman logs container_name 2>&1 | grep ERROR
-```
-
-## Execute Commands
-
-**Open shell in running container:**
-```bash
-docker exec -it container_name /bin/bash
-docker exec -it container_name /bin/sh # if bash not available
-podman exec -it container_name /bin/bash
-```
-
-**Run specific command:**
-```bash
-docker exec container_name ls -la /app
-docker exec container_name ps aux
-podman exec container_name cat /etc/os-release
-```
-
-**Run as specific user:**
-```bash
-docker exec -u www-data -it container_name bash
-podman exec -u 1000 -it container_name bash
-```
-
-**Set environment variables:**
-```bash
-docker exec -e DEBUG=true container_name python script.py
-podman exec -e DEBUG=true container_name python script.py
-```
-
-## Inspect Container
-
-**Full container details:**
-```bash
-docker inspect container_name
-podman inspect container_name
-```
-
-**Specific field:**
-```bash
-# Get IP address
-docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name
-
-# Get state
-docker inspect -f '{{.State.Status}}' container_name
-
-# Get exit code
-docker inspect -f '{{.State.ExitCode}}' container_name
-
-# Get environment variables
-docker inspect -f '{{.Config.Env}}' container_name
-```
-
-**Container configuration:**
-```bash
-# Mounts
-docker inspect -f '{{.Mounts}}' container_name
-
-# Ports
-docker inspect -f '{{.NetworkSettings.Ports}}' container_name
-
-# Command
-docker inspect -f '{{.Config.Cmd}}' container_name
-```
-
-## Monitor Resources
-
-**Real-time stats:**
-```bash
-docker stats container_name
-podman stats container_name
-```
-
-**All containers stats:**
-```bash
-docker stats
-podman stats
-```
-
-**Stats without streaming:**
-```bash
-docker stats --no-stream
-podman stats --no-stream
-```
-
-**Format output:**
-```bash
-docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}"
-```
-
-## Check Processes
-
-**List processes in container:**
-```bash
-docker top container_name
-podman top container_name
-```
-
-**Detailed process info:**
-```bash
-docker top container_name aux
-podman top container_name aux
-```
-
-## Network Debugging
-
-**Check container IP:**
-```bash
-docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name
-```
-
-**List networks:**
-```bash
-docker network ls
-podman network ls
-```
-
-**Inspect network:**
-```bash
-docker network inspect bridge
-podman network inspect podman
-```
-
-**Test connectivity from container:**
-```bash
-docker exec container_name ping google.com
-docker exec container_name curl http://api.example.com
-docker exec container_name nc -zv database 5432
-```
-
-**Check DNS resolution:**
-```bash
-docker exec container_name nslookup database
-docker exec container_name cat /etc/resolv.conf
-```
-
-**Port mapping:**
-```bash
-docker port container_name
-podman port container_name
-```
-
-## Filesystem Debugging
-
-**Copy files from container:**
-```bash
-docker cp container_name:/path/to/file ./local/path
-podman cp container_name:/path/to/file ./local/path
-```
-
-**Copy files to container:**
-```bash
-docker cp ./local/file container_name:/path/to/destination
-podman cp ./local/file container_name:/path/to/destination
-```
-
-**Check disk usage in container:**
-```bash
-docker exec container_name df -h
-docker exec container_name du -sh /var/log
-```
-
-**View file contents:**
-```bash
-docker exec container_name cat /etc/config.yml
-docker exec container_name tail -f /var/log/app.log
-```
-
-## Container Events
-
-**Watch events:**
-```bash
-docker events
-podman events
-```
-
-**Filter events for specific container:**
-```bash
-docker events --filter container=container_name
-podman events --filter container=container_name
-```
-
-**Filter by event type:**
-```bash
-docker events --filter event=start
-docker events --filter event=die
-```
-
-## Check Health
-
-**If healthcheck configured:**
-```bash
-docker inspect -f '{{.State.Health.Status}}' container_name
-docker inspect -f '{{json .State.Health}}' container_name | jq
-```
-
-## Common Issues and Solutions
-
-### Container Exits Immediately
-
-**Check exit code:**
-```bash
-docker inspect -f '{{.State.ExitCode}}' container_name
-```
-
-**Common exit codes:**
-- 0: Success
-- 1: Application error
-- 126: Command cannot be invoked
-- 127: Command not found
-- 137: SIGKILL (killed by system, often OOM)
-- 139: SIGSEGV (segmentation fault)
-- 143: SIGTERM (graceful termination)
-
-**Check logs:**
-```bash
-docker logs container_name
-```
-
-**Run interactively to debug:**
-```bash
-docker run -it --entrypoint /bin/bash image_name
-```
-
-### Permission Issues
-
-**Check user:**
-```bash
-docker exec container_name whoami
-docker exec container_name id
-```
-
-**Check file permissions:**
-```bash
-docker exec container_name ls -la /app
-```
-
-**Run as root:**
-```bash
-docker exec -u 0 -it container_name bash
-```
-
-### Network Connectivity Issues
-
-**Test from host to container:**
-```bash
-# Get container IP
-IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name)
-ping $IP
-curl http://$IP:8080
-```
-
-**Test from container to outside:**
-```bash
-docker exec container_name ping 8.8.8.8
-docker exec container_name curl https://google.com
-```
-
-**Check port bindings:**
-```bash
-docker port container_name
-netstat -tlnp | grep 8080
-```
-
-### Memory/CPU Issues
-
-**Check resources:**
-```bash
-docker stats container_name
-```
-
-**Check if OOM killed:**
-```bash
-docker inspect -f '{{.State.OOMKilled}}' container_name
-dmesg | grep -i oom
-```
-
-**Set resource limits:**
-```bash
-docker run --memory="512m" --cpus="1.0" image_name
-```
-
-### Volume/Mount Issues
-
-**Check mounts:**
-```bash
-docker inspect -f '{{json .Mounts}}' container_name | jq
-```
-
-**Verify volume exists:**
-```bash
-docker volume ls
-docker volume inspect volume_name
-```
-
-**Check permissions:**
-```bash
-docker exec container_name ls -la /mounted/path
-```
-
-## Advanced Debugging
-
-### Attach to Container
-
-**Attach to running container (see STDOUT/STDERR):**
-```bash
-docker attach container_name
-# Detach: Ctrl+P, Ctrl+Q
-```
-
-### Use nsenter (Advanced)
-
-**Enter container namespaces:**
-```bash
-# Get container PID
-PID=$(docker inspect -f '{{.State.Pid}}' container_name)
-
-# Enter namespaces
-nsenter -t $PID -n -u -i -p /bin/bash
-```
-
-### Strace Container Process
-
-**Trace system calls:**
-```bash
-docker exec container_name strace -p 1
-```
-
-### Export Container Filesystem
-
-**Export for offline analysis:**
-```bash
-docker export container_name > container.tar
-tar -xf container.tar
-```
-
-### Commit Container State
-
-**Save current state as image:**
-```bash
-docker commit container_name debug_snapshot:latest
-```
-
-## Podman-Specific Debugging
-
-### Check Rootless Mode
-
-```bash
-podman info --format '{{.Host.Security.Rootless}}'
-```
-
-### Troubleshoot Rootless
-
-```bash
-# Check subuid/subgid
-cat /etc/subuid
-cat /etc/subgid
-
-# Migrate storage if needed
-podman system migrate
-```
-
-### Pod Debugging
-
-```bash
-# List pods
-podman pod ps
-
-# Inspect pod
-podman pod inspect pod_name
-
-# Logs for all containers in pod
-podman pod logs pod_name
-```
-
-## Output Format
-
-After debugging session:
-```
-✓ Debug information gathered
- Runtime: docker/podman
- Container: myapp
- Status: running
- Uptime: 2h 15m
-
- Findings:
- - CPU Usage: 45%
- - Memory: 256MB / 512MB
- - Network: Connected to bridge
- - Recent errors: 3 in last hour
-
- Logs (last 10 lines):
- [2024-01-01 10:00:00] INFO: Application started
- [2024-01-01 10:05:30] WARN: Database connection slow
- [2024-01-01 10:10:15] ERROR: Failed to connect to Redis
-
- Recommendations:
- - Check Redis connectivity
- - Consider increasing database timeout
- - Monitor memory usage (50% utilized)
-```
-
-## Quick Reference
-
-```bash
-# Quick debug checklist
-docker logs container_name # Check logs
-docker inspect container_name # Full details
-docker exec -it container_name bash # Get shell
-docker stats container_name # Resource usage
-docker top container_name # Processes
-docker port container_name # Port mappings
-```
dots/.config/claude/skills/Docker/workflows/Infrastructure.md
@@ -0,0 +1,1382 @@
+# Infrastructure Workflow
+
+Manage Docker/Podman networking, storage (volumes), and container registries.
+
+## Quick Start
+
+Common infrastructure operations for container deployment:
+
+```bash
+# Network operations
+docker network create myapp-net
+docker network connect myapp-net container_name
+
+# Volume operations
+docker volume create myapp-data
+docker run -v myapp-data:/data myapp
+
+# Registry operations
+docker login ghcr.io
+docker tag myapp:latest ghcr.io/username/myapp:latest
+docker push ghcr.io/username/myapp:latest
+```
+
+**Quick commands reference:**
+```bash
+# List infrastructure
+docker network ls
+docker volume ls
+docker images
+
+# Inspect infrastructure
+docker network inspect myapp-net
+docker volume inspect myapp-data
+
+# Clean up
+docker network prune
+docker volume prune
+```
+
+**Detect runtime before operations:**
+```bash
+# Run DetectRuntime.sh to determine Docker/Podman
+# All commands shown support both runtimes
+```
+
+## Network Management
+
+Create and manage container networks for connectivity and isolation.
+
+### Creating Networks
+
+**Bridge network (default, most common):**
+```bash
+docker network create mynetwork
+podman network create mynetwork
+```
+
+**With subnet and gateway:**
+```bash
+docker network create \
+ --subnet=172.20.0.0/16 \
+ --gateway=172.20.0.1 \
+ mynetwork
+
+podman network create \
+ --subnet=172.20.0.0/16 \
+ --gateway=172.20.0.1 \
+ mynetwork
+```
+
+**With IP range restriction:**
+```bash
+docker network create \
+ --subnet=172.20.0.0/16 \
+ --ip-range=172.20.240.0/20 \
+ --gateway=172.20.0.1 \
+ mynetwork
+```
+
+**With driver options:**
+```bash
+docker network create \
+ --driver bridge \
+ --opt "com.docker.network.bridge.name=br-myapp" \
+ --opt "com.docker.network.bridge.enable_ip_masquerade=true" \
+ mynetwork
+```
+
+### Network Drivers
+
+**Bridge (Default):**
+- Best for: Single-host deployments, isolated container groups, development
+- Characteristics: Software bridge, NAT for external access, DNS between containers
+- Isolation: Isolated from host network
+
+**Host:**
+```bash
+docker run --network host myapp
+podman run --network host myapp
+```
+- Best for: Maximum performance, direct port binding, legacy apps
+- Characteristics: No isolation, uses host network stack, no port mapping needed
+- Trade-off: Higher performance, lower security
+
+**Overlay (Docker Swarm):**
+```bash
+docker network create --driver overlay myoverlay
+
+# With encryption
+docker network create --driver overlay --opt encrypted myoverlay
+```
+- Best for: Multi-host deployments, Docker Swarm, microservices across hosts
+- Characteristics: Spans multiple Docker hosts, requires swarm mode
+- Features: Optional encrypted traffic
+
+**Macvlan:**
+```bash
+docker network create \
+ --driver macvlan \
+ --subnet=192.168.1.0/24 \
+ --gateway=192.168.1.1 \
+ -o parent=eth0 \
+ mymacvlan
+```
+- Best for: Legacy applications, direct Layer 2 access, containers needing MAC address
+- Characteristics: Containers get own MAC, appear as physical devices
+
+**None (No networking):**
+```bash
+docker run --network none myapp
+podman run --network none myapp
+```
+- Best for: Maximum isolation, custom networking, security-critical containers
+- Characteristics: No network interface, complete isolation
+
+### Connecting and Disconnecting
+
+**Connect running container:**
+```bash
+docker network connect mynetwork container_name
+podman network connect mynetwork container_name
+```
+
+**Connect with specific IP:**
+```bash
+docker network connect --ip 172.20.0.100 mynetwork container_name
+podman network connect --ip 172.20.0.100 mynetwork container_name
+```
+
+**Connect with alias:**
+```bash
+docker network connect --alias db mynetwork container_name
+podman network connect --alias db mynetwork container_name
+```
+
+**Disconnect container:**
+```bash
+docker network disconnect mynetwork container_name
+podman network disconnect mynetwork container_name
+```
+
+**Start container on network:**
+```bash
+docker run --network mynetwork --name web nginx
+podman run --network mynetwork --name web nginx
+
+# With custom IP
+docker run --network mynetwork --ip 172.20.0.100 --name web nginx
+
+# With network alias
+docker run --network mynetwork --network-alias webapp --name web nginx
+```
+
+### Network Inspection
+
+**View network details:**
+```bash
+docker network inspect mynetwork
+podman network inspect mynetwork
+```
+
+**Get specific fields:**
+```bash
+# List connected containers
+docker network inspect -f '{{range .Containers}}{{.Name}} {{end}}' mynetwork
+
+# Get subnet
+docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' mynetwork
+
+# Get gateway
+docker network inspect -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}' mynetwork
+```
+
+**JSON output with jq:**
+```bash
+docker network inspect mynetwork | jq '.[0].IPAM.Config'
+podman network inspect mynetwork | jq '.[0].subnets'
+```
+
+**List all containers on network:**
+```bash
+docker network inspect mynetwork -f '{{range .Containers}}{{.Name}} {{.IPv4Address}}{{"\n"}}{{end}}'
+```
+
+### DNS Resolution
+
+**Automatic DNS (user-defined networks):**
+```bash
+# Create network
+docker network create myapp
+
+# Start containers
+docker run -d --network myapp --name web nginx
+docker run -d --network myapp --name db postgres
+
+# Containers can resolve each other by name
+docker exec web ping db
+docker exec web curl http://db:5432
+```
+
+### Custom DNS
+
+**Set DNS servers:**
+```bash
+docker run --dns 8.8.8.8 --dns 8.8.4.4 myapp
+podman run --dns 8.8.8.8 myapp
+```
+
+**Set DNS search domain:**
+```bash
+docker run --dns-search example.com myapp
+podman run --dns-search example.com myapp
+```
+
+**Add multiple aliases:**
+```bash
+docker network connect --alias db --alias database mynetwork container_name
+```
+
+### Network Isolation
+
+Networks provide isolation between container groups:
+
+```bash
+# Frontend network
+docker network create frontend
+
+# Backend network (internal only)
+docker network create --internal backend
+
+# Web server on both networks
+docker run -d --network frontend --name web nginx
+docker network connect backend web
+
+# Database only on backend (isolated from external)
+docker run -d --network backend --name db postgres
+```
+
+### Port Mapping Strategies
+
+**Basic port mapping:**
+```bash
+docker run -p 8080:80 nginx # host:container
+podman run -p 8080:80 nginx
+```
+
+**Bind to specific interface:**
+```bash
+docker run -p 127.0.0.1:8080:80 nginx
+podman run -p 127.0.0.1:8080:80 nginx
+```
+
+**Map port range:**
+```bash
+docker run -p 8080-8090:8080-8090 myapp
+podman run -p 8080-8090:8080-8090 myapp
+```
+
+**UDP ports:**
+```bash
+docker run -p 53:53/udp dns-server
+podman run -p 53:53/udp dns-server
+```
+
+**Publish all exposed ports:**
+```bash
+docker run -P nginx # Maps to random host ports
+podman run -P nginx
+```
+
+**Check port mappings:**
+```bash
+docker port container_name
+podman port container_name
+```
+
+### Managing Networks
+
+**List networks:**
+```bash
+docker network ls
+podman network ls
+
+# Filter by driver
+docker network ls --filter driver=bridge
+
+# Filter by name
+docker network ls --filter name=myapp
+```
+
+**Remove network:**
+```bash
+docker network rm mynetwork
+podman network rm mynetwork
+```
+
+**Remove all unused networks:**
+```bash
+docker network prune
+podman network prune
+```
+
+### Podman-Specific Networking
+
+**CNI plugins (Podman uses CNI):**
+```bash
+# CNI config location
+/etc/cni/net.d/
+
+# List available plugins
+ls /usr/libexec/cni/
+```
+
+**Rootless networking:**
+```bash
+# Rootless uses slirp4netns by default
+podman network inspect podman
+
+# Create rootless network
+podman network create mynetwork
+```
+
+**Pod networking (containers in pod share network):**
+```bash
+# Create pod
+podman pod create --name mypod -p 8080:80
+
+# Add containers (share network via localhost)
+podman run -d --pod mypod --name web nginx
+podman run -d --pod mypod --name app myapp
+```
+
+## Volume Management
+
+Create and manage persistent storage for container data.
+
+### Volume Types
+
+**Named Volumes (Recommended):**
+- Managed by Docker/Podman
+- Easy to backup and migrate
+- Work across platforms
+- Best for most use cases
+
+**Bind Mounts:**
+- Direct host path mapping
+- Useful for development
+- Direct file access from host
+- Platform-specific paths
+
+**tmpfs Mounts (Linux only):**
+- Stored in host memory
+- Not persisted to disk
+- Fast but temporary
+- Good for sensitive data
+
+### Creating Volumes
+
+**Simple named volume:**
+```bash
+docker volume create myvolume
+podman volume create myvolume
+```
+
+**With driver options (NFS example):**
+```bash
+docker volume create \
+ --driver local \
+ --opt type=nfs \
+ --opt o=addr=192.168.1.1,rw \
+ --opt device=:/path/to/dir \
+ nfs-volume
+```
+
+**With labels:**
+```bash
+docker volume create \
+ --label project=myapp \
+ --label environment=production \
+ myvolume
+
+podman volume create \
+ --label project=myapp \
+ myvolume
+```
+
+### Volume Drivers
+
+**Local driver (default):**
+```bash
+docker volume create --driver local myvolume
+```
+
+**Local with bind mount options:**
+```bash
+docker volume create \
+ --driver local \
+ --opt type=none \
+ --opt device=/path/to/host/dir \
+ --opt o=bind \
+ myvolume
+```
+
+**NFS driver:**
+```bash
+docker volume create \
+ --driver local \
+ --opt type=nfs \
+ --opt o=addr=192.168.1.100,rw,nfsvers=4 \
+ --opt device=:/exported/path \
+ nfs-volume
+```
+
+### Bind Mounts vs Volumes
+
+**Named volume (preferred):**
+```bash
+docker run -v myvolume:/data myapp
+docker run --mount source=myvolume,target=/data myapp
+
+podman run -v myvolume:/data myapp
+```
+
+**Bind mount:**
+```bash
+docker run -v /host/path:/container/path myapp
+docker run --mount type=bind,source=/host/path,target=/container/path myapp
+
+podman run -v /host/path:/container/path myapp
+```
+
+**When to use volumes:**
+- Database data
+- Application state
+- Uploaded files
+- Configuration that persists
+
+**When to use bind mounts:**
+- Development (live code reload)
+- Configuration files from host
+- Log file access
+- Sharing files with host
+
+### Mounting Volumes in Containers
+
+**Mount named volume:**
+```bash
+docker run -v myvolume:/data myapp
+podman run -v myvolume:/data myapp
+```
+
+**Mount read-only:**
+```bash
+docker run -v myvolume:/data:ro myapp
+docker run --mount source=myvolume,target=/data,readonly myapp
+
+podman run -v myvolume:/data:ro myapp
+```
+
+**Mount with volume options:**
+```bash
+docker run --mount type=volume,source=myvolume,target=/data,volume-opt=o=size=100m myapp
+```
+
+**Bind mount with propagation:**
+```bash
+# Shared propagation
+docker run -v /host/path:/container/path:shared myapp
+
+# Private propagation (default)
+docker run -v /host/path:/container/path:private myapp
+
+# Slave propagation
+docker run -v /host/path:/container/path:slave myapp
+```
+
+**tmpfs mount:**
+```bash
+docker run --tmpfs /app/cache myapp
+docker run --mount type=tmpfs,target=/app/cache myapp
+
+podman run --tmpfs /app/cache myapp
+```
+
+**tmpfs with size limit:**
+```bash
+docker run --tmpfs /app/cache:size=100m myapp
+docker run --mount type=tmpfs,target=/app/cache,tmpfs-size=100m myapp
+```
+
+**When to use tmpfs:**
+- Temporary files
+- Cache
+- Sensitive data (not persisted)
+- Session storage
+
+### Volume Inspection
+
+**View volume details:**
+```bash
+docker volume inspect myvolume
+podman volume inspect myvolume
+```
+
+**Get specific fields:**
+```bash
+# Get mountpoint
+docker volume inspect -f '{{.Mountpoint}}' myvolume
+podman volume inspect -f '{{.Mountpoint}}' myvolume
+
+# Get driver
+docker volume inspect -f '{{.Driver}}' myvolume
+
+# Get labels
+docker volume inspect -f '{{.Labels}}' myvolume
+```
+
+**JSON output with jq:**
+```bash
+docker volume inspect myvolume | jq '.[0].Mountpoint'
+podman volume inspect myvolume | jq '.[] | .Mountpoint'
+```
+
+**Find containers using volume:**
+```bash
+docker ps -a --filter volume=myvolume
+podman ps -a --filter volume=myvolume
+```
+
+**List volumes used by container:**
+```bash
+docker inspect -f '{{range .Mounts}}{{.Name}} {{.Destination}}{{"\n"}}{{end}}' container_name
+podman inspect -f '{{range .Mounts}}{{.Name}} {{.Destination}}{{"\n"}}{{end}}' container_name
+```
+
+### Backup and Restore
+
+**Backup volume to tar archive:**
+```bash
+docker run --rm \
+ -v myvolume:/data \
+ -v $(pwd):/backup \
+ alpine \
+ tar czf /backup/myvolume-backup.tar.gz -C /data .
+
+podman run --rm \
+ -v myvolume:/data \
+ -v $(pwd):/backup \
+ alpine \
+ tar czf /backup/myvolume-backup.tar.gz -C /data .
+```
+
+**Backup with timestamp:**
+```bash
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+docker run --rm \
+ -v myvolume:/data \
+ -v $(pwd):/backup \
+ alpine \
+ tar czf /backup/myvolume-${TIMESTAMP}.tar.gz -C /data .
+```
+
+**Restore from tar archive:**
+```bash
+# Create volume if needed
+docker volume create myvolume
+
+# Restore data
+docker run --rm \
+ -v myvolume:/data \
+ -v $(pwd):/backup \
+ alpine \
+ tar xzf /backup/myvolume-backup.tar.gz -C /data
+
+podman run --rm \
+ -v myvolume:/data \
+ -v $(pwd):/backup \
+ alpine \
+ tar xzf /backup/myvolume-backup.tar.gz -C /data
+```
+
+**Copy between volumes:**
+```bash
+docker run --rm \
+ -v source-volume:/source:ro \
+ -v dest-volume:/dest \
+ alpine \
+ cp -av /source/. /dest/
+```
+
+**Export volume to host:**
+```bash
+docker run --rm \
+ -v myvolume:/data \
+ -v $(pwd)/export:/export \
+ alpine \
+ cp -av /data/. /export/
+```
+
+### Volume Plugins
+
+**Third-party drivers available:**
+- REX-Ray (cloud storage)
+- Convoy
+- Flocker
+- GlusterFS
+- NetApp
+
+### tmpfs Mounts
+
+**In-memory storage for temporary data:**
+```bash
+docker run --tmpfs /app/cache myapp
+
+# With size and mode options
+docker run --tmpfs /app/cache:rw,size=100m,mode=1777 myapp
+```
+
+### Managing Volumes
+
+**List volumes:**
+```bash
+docker volume ls
+podman volume ls
+
+# Filter by name
+docker volume ls --filter name=myapp
+
+# Filter by driver
+docker volume ls --filter driver=local
+
+# Show dangling volumes
+docker volume ls --filter dangling=true
+```
+
+**Access volume data directly:**
+```bash
+# Find volume location (Docker requires root)
+docker volume inspect -f '{{.Mountpoint}}' myvolume
+# Usually: /var/lib/docker/volumes/myvolume/_data
+
+# Podman (rootless)
+podman volume inspect -f '{{.Mountpoint}}' myvolume
+# Usually: ~/.local/share/containers/storage/volumes/myvolume/_data
+```
+
+**Browse volume with helper container:**
+```bash
+docker run -it --rm \
+ -v myvolume:/data \
+ alpine \
+ sh
+```
+
+**Remove volume:**
+```bash
+docker volume rm myvolume
+podman volume rm myvolume
+```
+
+**Remove all unused volumes:**
+```bash
+docker volume prune
+podman volume prune
+
+# Filter and remove
+docker volume prune --filter "label=project=old"
+```
+
+### Podman-Specific Volumes
+
+**Rootless volume location:**
+```bash
+~/.local/share/containers/storage/volumes/
+```
+
+**Import/Export (Podman):**
+```bash
+# Export volume
+podman volume export myvolume > myvolume.tar
+
+# Import volume
+podman volume import myvolume < myvolume.tar
+```
+
+## Registry Management
+
+Push, pull, and manage container images across registries.
+
+### Registry Types
+
+- Docker Hub (docker.io)
+- GitHub Container Registry (ghcr.io)
+- GitLab Container Registry (registry.gitlab.com)
+- Private/self-hosted registries
+- Cloud provider registries (AWS ECR, Google GCR, Azure ACR)
+
+### Authentication
+
+**Docker Hub:**
+```bash
+docker login
+docker login -u username -p password
+
+podman login docker.io
+podman login -u username -p password docker.io
+```
+
+**GitHub Container Registry:**
+```bash
+echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
+echo $GITHUB_TOKEN | podman login ghcr.io -u USERNAME --password-stdin
+
+# Interactive
+docker login ghcr.io
+podman login ghcr.io
+```
+
+**GitLab Container Registry:**
+```bash
+docker login registry.gitlab.com -u USERNAME -p $CI_JOB_TOKEN
+podman login registry.gitlab.com -u USERNAME -p $CI_JOB_TOKEN
+```
+
+**Private registry:**
+```bash
+docker login myregistry.example.com
+podman login myregistry.example.com
+```
+
+**AWS ECR:**
+```bash
+aws ecr get-login-password --region us-east-1 | \
+ docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
+
+aws ecr get-login-password --region us-east-1 | \
+ podman login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
+```
+
+**Google Container Registry:**
+```bash
+gcloud auth configure-docker
+
+# Or manually
+cat keyfile.json | docker login -u _json_key --password-stdin gcr.io
+```
+
+**Azure Container Registry:**
+```bash
+az acr login --name myregistry
+
+# Or with service principal
+docker login myregistry.azurecr.io -u $SP_ID -p $SP_PASSWORD
+```
+
+**Logout:**
+```bash
+docker logout
+docker logout ghcr.io
+
+podman logout docker.io
+podman logout ghcr.io
+```
+
+### Pushing Images
+
+**Tag for registry:**
+```bash
+docker tag myapp:latest myregistry/myapp:latest
+docker tag myapp:latest myregistry/myapp:v1.0.0
+
+podman tag myapp:latest myregistry/myapp:latest
+```
+
+**Tag for Docker Hub:**
+```bash
+docker tag myapp:latest username/myapp:latest
+podman tag myapp:latest docker.io/username/myapp:latest
+```
+
+**Tag for GHCR:**
+```bash
+docker tag myapp:latest ghcr.io/username/myapp:latest
+podman tag myapp:latest ghcr.io/username/myapp:latest
+```
+
+**Push image:**
+```bash
+docker push myregistry/myapp:latest
+podman push myregistry/myapp:latest
+```
+
+**Push all tags:**
+```bash
+docker push --all-tags myregistry/myapp
+podman push --all-tags myregistry/myapp
+```
+
+### Pulling Images
+
+**Pull latest tag:**
+```bash
+docker pull myregistry/myapp:latest
+podman pull myregistry/myapp:latest
+```
+
+**Pull specific tag:**
+```bash
+docker pull myregistry/myapp:v1.0.0
+podman pull myregistry/myapp:v1.0.0
+```
+
+**Pull by digest:**
+```bash
+docker pull myregistry/myapp@sha256:abc123...
+podman pull myregistry/myapp@sha256:abc123...
+```
+
+**Pull all tags:**
+```bash
+docker pull --all-tags myregistry/myapp
+podman pull --all-tags myregistry/myapp
+```
+
+**Pull for specific platform:**
+```bash
+docker pull --platform linux/arm64 myregistry/myapp:latest
+podman pull --arch arm64 myregistry/myapp:latest
+```
+
+### Tagging Strategies
+
+**Semantic versioning:**
+```bash
+docker tag myapp:latest ghcr.io/username/myapp:v1.2.3
+docker tag myapp:latest ghcr.io/username/myapp:v1.2
+docker tag myapp:latest ghcr.io/username/myapp:v1
+docker tag myapp:latest ghcr.io/username/myapp:latest
+```
+
+**Git commit SHA:**
+```bash
+docker tag myapp:latest ghcr.io/username/myapp:abc123
+```
+
+**Build date:**
+```bash
+docker tag myapp:latest ghcr.io/username/myapp:2024-01-15
+```
+
+**Naming convention:**
+```
+registry.example.com/project/app:version
+ghcr.io/username/myapp:v1.0.0
+docker.io/library/nginx:1.25-alpine
+```
+
+### Private Registries
+
+**Run local registry:**
+```bash
+docker run -d -p 5000:5000 --name registry registry:2
+
+# With persistence
+docker run -d -p 5000:5000 \
+ --name registry \
+ -v registry-data:/var/lib/registry \
+ registry:2
+
+# With authentication
+docker run -d -p 5000:5000 \
+ --name registry \
+ -v registry-data:/var/lib/registry \
+ -v $(pwd)/auth:/auth \
+ -e REGISTRY_AUTH=htpasswd \
+ -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
+ -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
+ registry:2
+```
+
+**Use local registry:**
+```bash
+docker tag myapp:latest localhost:5000/myapp:latest
+docker push localhost:5000/myapp:latest
+```
+
+**Configure insecure registry (Docker):**
+```json
+# /etc/docker/daemon.json
+{
+ "insecure-registries": ["myregistry.local:5000"]
+}
+```
+
+**Configure insecure registry (Podman):**
+```bash
+podman login --tls-verify=false myregistry.example.com
+```
+
+### Harbor/GitLab/GitHub Registries
+
+**Harbor (enterprise registry):**
+```bash
+# Login
+docker login harbor.example.com
+
+# Push to project
+docker tag myapp:latest harbor.example.com/myproject/myapp:latest
+docker push harbor.example.com/myproject/myapp:latest
+```
+
+**GitLab Container Registry:**
+```bash
+# Login
+docker login registry.gitlab.com
+
+# Push to project
+docker tag myapp:latest registry.gitlab.com/username/project/myapp:latest
+docker push registry.gitlab.com/username/project/myapp:latest
+```
+
+**GitHub Container Registry:**
+```bash
+# Login with token
+echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
+
+# Push to user/org
+docker tag myapp:latest ghcr.io/username/myapp:latest
+docker push ghcr.io/username/myapp:latest
+```
+
+### Multi-Registry Workflows
+
+**Copy between registries using skopeo:**
+```bash
+# Copy from Docker Hub to GHCR
+skopeo copy \
+ docker://docker.io/username/myapp:latest \
+ docker://ghcr.io/username/myapp:latest
+
+# Copy with authentication
+skopeo copy \
+ --src-creds username:password \
+ --dest-creds username:token \
+ docker://registry1.com/myapp:latest \
+ docker://registry2.com/myapp:latest
+```
+
+**Copy all tags with skopeo:**
+```bash
+skopeo sync \
+ --src docker --dest docker \
+ username/myapp \
+ ghcr.io/username/
+```
+
+**Copy using Docker/Podman:**
+```bash
+docker pull registry1.com/myapp:latest
+docker tag registry1.com/myapp:latest registry2.com/myapp:latest
+docker push registry2.com/myapp:latest
+```
+
+**Search images:**
+```bash
+docker search nginx
+docker search --filter "is-official=true" nginx
+docker search --filter "stars=100" nginx
+
+podman search nginx
+podman search --filter=stars=100 nginx
+```
+
+**List tags:**
+```bash
+# Using skopeo
+skopeo list-tags docker://docker.io/nginx
+skopeo list-tags docker://ghcr.io/username/myapp
+
+# Using podman
+podman search --list-tags docker.io/nginx
+```
+
+**Inspect remote images without pulling:**
+```bash
+# With skopeo
+skopeo inspect docker://myregistry/myapp:latest
+skopeo inspect docker://ghcr.io/username/myapp:latest
+
+# Show specific field
+skopeo inspect docker://myapp:latest | jq '.Layers'
+
+# Inspect manifest
+docker manifest inspect myregistry/myapp:latest
+podman manifest inspect myregistry/myapp:latest
+
+# Raw manifest
+skopeo inspect --raw docker://myregistry/myapp:latest
+```
+
+### Registry Mirrors
+
+**Configure Docker daemon mirrors:**
+```json
+# /etc/docker/daemon.json
+{
+ "registry-mirrors": ["https://mirror.example.com"],
+ "max-concurrent-downloads": 3,
+ "max-concurrent-uploads": 5
+}
+```
+
+**Configure Podman mirrors:**
+```toml
+# /etc/containers/registries.conf
+[registries.search]
+registries = ['docker.io', 'ghcr.io']
+
+[registries.insecure]
+registries = ['myregistry.local:5000']
+
+[[registry]]
+location = "docker.io"
+[[registry.mirror]]
+location = "mirror.example.com"
+```
+
+### Credential Management
+
+**Docker credentials stored in:**
+```bash
+~/.docker/config.json
+```
+
+**Use credential helper:**
+```bash
+# Configure in ~/.docker/config.json
+{
+ "credsStore": "secretservice"
+}
+# For Linux: docker-credential-secretservice
+# For macOS: docker-credential-osxkeychain
+# For Windows: docker-credential-wincred
+```
+
+**Podman credentials stored in:**
+```bash
+# Rootless
+$XDG_RUNTIME_DIR/containers/auth.json
+
+# Rootful
+/run/containers/0/auth.json
+```
+
+**View stored credentials:**
+```bash
+cat ${XDG_RUNTIME_DIR}/containers/auth.json | jq
+```
+
+## Best Practices
+
+### Network Best Practices
+
+**Security:**
+- Use user-defined networks, not default bridge
+- Isolate sensitive services on separate networks
+- Use internal networks for backend services
+- Limit external exposure with firewall rules
+
+**Organization:**
+- Name networks descriptively: `frontend`, `backend`, `data`
+- One network per application tier
+- Document network topology
+- Use labels for organization and filtering
+
+**Performance:**
+- Use host networking for high-throughput apps (with caution)
+- Keep containers on same network for inter-container communication
+- Use overlay networks sparingly (has overhead)
+
+### Volume Best Practices
+
+**Storage selection:**
+- Use named volumes for production data persistence
+- Use bind mounts for development and configuration
+- Use tmpfs for temporary, sensitive, or frequently accessed data
+
+**Naming:**
+- Use descriptive names: `postgres-data`, `app-uploads`
+- Include app name: `myapp-database`, `myapp-cache`
+- Use labels for organization
+- Maintain consistent naming convention
+
+**Security:**
+- Use read-only mounts when possible
+- Limit bind mount scope to minimum necessary
+- Don't mount sensitive host directories
+- Set appropriate permissions
+- Consider using secrets for sensitive data
+
+**Performance:**
+- Named volumes are faster than bind mounts on macOS/Windows
+- Use tmpfs for frequently accessed temporary data
+- Place volumes on fast storage
+- Consider volume drivers for distributed storage
+
+**Data management:**
+- Regular backups of important volumes
+- Test restore procedures
+- Monitor volume usage and clean up unused volumes
+- Document volume dependencies
+
+### Registry Best Practices
+
+**Tagging strategy:**
+- Use semantic versioning: `v1.2.3`
+- Tag with git commit SHA: `abc123`
+- Tag with build date: `2024-01-15`
+- Always tag `latest` for current production
+- Tag stable releases: `stable`
+
+**Security:**
+- Use credential helpers, not plain text passwords
+- Rotate access tokens regularly
+- Use least privilege access
+- Scan images before pushing
+- Sign images with Docker Content Trust or Cosign
+
+**Optimization:**
+- Use multi-stage builds to reduce image size
+- Push during off-peak hours for large images
+- Use registry mirrors for faster pulls
+- Enable layer compression
+
+**Multi-registry:**
+- Mirror critical images across registries
+- Use skopeo for efficient registry operations
+- Document registry dependencies
+- Test failover scenarios
+
+## Troubleshooting
+
+### Network Issues
+
+**Containers can't communicate:**
+- Check: Ensure containers are on the same network
+- Check: Verify DNS resolution with `docker exec container ping other_container`
+- Check: Inspect network connections with `docker network inspect`
+- Check: Firewall rules: `sudo iptables -L DOCKER`
+
+**Port already in use:**
+- Check: `lsof -i :8080`
+- Solution: Use different host port
+- Solution: Stop conflicting service
+
+**Can't remove network:**
+- Cause: Containers still connected
+- Solution: Disconnect or remove containers first
+- Solution: `docker network disconnect -f mynetwork container_name`
+
+**Check container network:**
+```bash
+# Get container IP
+docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name
+podman inspect -f '{{.NetworkSettings.IPAddress}}' container_name
+
+# Test connectivity from container
+docker exec web ping db
+docker exec web nc -zv db 5432
+docker exec web nslookup db
+docker exec web ip route
+```
+
+**Check bridge and firewall:**
+```bash
+# List bridges
+ip link show type bridge
+
+# Show bridge details
+bridge link show
+
+# Check iptables rules
+sudo iptables -L DOCKER
+sudo iptables -L DOCKER-USER
+sudo iptables -t nat -L DOCKER
+```
+
+### Volume Issues
+
+**Permission denied in container:**
+- Cause: User ID mismatch between host and container
+- Solution: Run container as specific user
+ ```bash
+ docker run --user $(id -u):$(id -g) -v myvolume:/data myapp
+ ```
+- Solution: Fix permissions in container
+ ```bash
+ docker run --rm -v myvolume:/data alpine chown -R 1000:1000 /data
+ ```
+
+**Volume data disappeared:**
+- Cause: Used anonymous volume or accidentally removed volume
+- Solution: Always use named volumes for persistent data
+- Prevention: Regular backups
+
+**Cannot remove volume:**
+- Cause: Container still using it
+- Check: `docker ps -a --filter volume=myvolume`
+- Solution: Remove container first or use `docker volume rm -f`
+
+**Bind mount not updating (macOS/Windows):**
+- Cause: File sync delay in Docker Desktop
+- Solution: Use named volumes or configure file sharing
+
+**Volume full:**
+- Check size:
+ ```bash
+ docker run --rm -v myvolume:/data alpine du -sh /data
+ ```
+- Solution: Remove unnecessary files or increase volume size
+
+### Registry Issues
+
+**Authentication failed:**
+- Check: Verify credentials
+- Check: Ensure token hasn't expired
+- Check: Verify proper permissions on registry
+- Solution: Re-login with fresh credentials
+
+**Push denied:**
+- Check: Repository permissions
+- Check: Namespace/organization access
+- Solution: Create repository first (some registries require this)
+
+**Image not found:**
+- Check: Image name and tag spelling
+- Check: Registry URL is correct
+- Check: Image was pushed successfully
+
+**TLS certificate error:**
+- Solution (dev only): Add registry to insecure registries
+- Solution (production): Install proper CA certificates
+- Temporary: Use `--tls-verify=false` for testing only
+
+**Rate limit exceeded (Docker Hub):**
+- Solution: Login to increase limit (200 pulls/6 hours free)
+- Solution: Use registry mirror
+- Solution: Upgrade to paid plan
+
+## Infrastructure Integration Examples
+
+### Multi-Tier Application
+
+```bash
+# Create networks
+docker network create frontend
+docker network create backend
+
+# Create volumes
+docker volume create db-data
+docker volume create app-uploads
+
+# Start database with volume
+docker run -d \
+ --name postgres \
+ --network backend \
+ -v db-data:/var/lib/postgresql/data \
+ -e POSTGRES_PASSWORD=secret \
+ postgres:15
+
+# Start application server
+docker run -d \
+ --name app \
+ --network backend \
+ --network frontend \
+ -v app-uploads:/uploads \
+ myapp:latest
+
+# Start web server
+docker run -d \
+ --name nginx \
+ --network frontend \
+ -p 80:80 \
+ nginx:latest
+
+# Database is isolated on backend network
+# Web server only accesses app via frontend network
+```
+
+### Development with Live Reload
+
+```bash
+# Create network
+docker network create dev-network
+
+# Create volume for dependencies
+docker volume create node-modules
+
+# Start with bind mount for code
+docker run -d \
+ --name dev-server \
+ --network dev-network \
+ -v $(pwd)/src:/app/src \
+ -v node-modules:/app/node_modules \
+ -p 3000:3000 \
+ node:18 npm run dev
+```
+
+### Registry Workflow with Infrastructure
+
+```bash
+# Build application
+docker build -t myapp:latest .
+
+# Create production volume
+docker volume create prod-data
+
+# Test locally with network
+docker network create test-net
+docker run -d --name test --network test-net -v prod-data:/data myapp:latest
+
+# Tag for registry
+docker tag myapp:latest ghcr.io/username/myapp:v1.0.0
+docker tag myapp:latest ghcr.io/username/myapp:latest
+
+# Login and push
+echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
+docker push ghcr.io/username/myapp:v1.0.0
+docker push ghcr.io/username/myapp:latest
+
+# Deploy on production server
+docker pull ghcr.io/username/myapp:latest
+docker network create prod-net
+docker volume create prod-data
+docker run -d \
+ --name prod \
+ --network prod-net \
+ -v prod-data:/data \
+ -p 80:8080 \
+ ghcr.io/username/myapp:latest
+```
+
+### Backup Infrastructure Before Update
+
+```bash
+# Backup volume
+docker run --rm \
+ -v app-data:/data \
+ -v $(pwd)/backups:/backup \
+ alpine \
+ tar czf /backup/app-data-$(date +%Y%m%d).tar.gz -C /data .
+
+# Export network configuration
+docker network inspect prod-net > network-config.json
+
+# Tag current production image
+docker tag myapp:latest myapp:backup-$(date +%Y%m%d)
+
+# Push backup to registry
+docker tag myapp:backup-$(date +%Y%m%d) ghcr.io/username/myapp:backup-$(date +%Y%m%d)
+docker push ghcr.io/username/myapp:backup-$(date +%Y%m%d)
+```
dots/.config/claude/skills/Docker/workflows/Maintain.md
@@ -0,0 +1,933 @@
+# Maintain Workflow
+
+Maintain container infrastructure through resource cleanup and security scanning for healthy, secure operations.
+
+## Quick Start
+
+**Common maintenance tasks:**
+```bash
+# Check system health
+docker system df # Disk usage
+trivy image myapp:latest # Security scan
+
+# Quick cleanup
+docker container prune # Remove stopped containers
+docker image prune # Remove dangling images
+
+# Weekly maintenance
+docker system prune -a --volumes # Full cleanup
+trivy image --severity CRITICAL,HIGH myapp:latest
+```
+
+**Quick commands reference:**
+```bash
+# Runtime detection
+./DetectRuntime.sh
+
+# Cleanup (Docker/Podman)
+docker system df
+docker system prune -a --volumes
+podman system df
+podman system prune -a --volumes
+
+# Security scanning
+trivy image myapp:latest
+docker scout cves myapp:latest
+grype myapp:latest
+```
+
+## Resource Cleanup
+
+### Assess Current Usage
+
+**System-wide overview:**
+```bash
+docker system df
+podman system df
+```
+
+**Detailed view:**
+```bash
+docker system df -v
+podman system df -v
+```
+
+### Pruning Containers
+
+**Remove all stopped containers:**
+```bash
+docker container prune
+podman container prune
+```
+
+**Remove specific container:**
+```bash
+docker rm container_name
+podman rm container_name
+```
+
+**Remove all containers (dangerous!):**
+```bash
+# Stop all first
+docker stop $(docker ps -aq)
+docker rm $(docker ps -aq)
+
+podman stop -a
+podman rm -a
+```
+
+**Filter by age:**
+```bash
+# Remove containers stopped more than 24 hours ago
+docker container prune --filter "until=24h"
+podman container prune --filter "until=24h"
+```
+
+**Filter by label:**
+```bash
+docker container prune --filter "label=project=myapp"
+podman container prune --filter "label=project=myapp"
+```
+
+### Pruning Images
+
+**Remove dangling images (untagged):**
+```bash
+docker image prune
+podman image prune
+```
+
+**Remove unused images:**
+```bash
+docker image prune -a
+podman image prune -a
+```
+
+**Remove specific image:**
+```bash
+docker rmi image_name:tag
+podman rmi image_name:tag
+```
+
+**Remove all images (dangerous!):**
+```bash
+docker rmi $(docker images -q)
+podman rmi -a
+```
+
+**Remove images created more than 7 days ago:**
+```bash
+docker image prune -a --filter "until=168h"
+podman image prune -a --filter "until=168h"
+```
+
+**Clean specific image tags:**
+```bash
+# Remove old versions of specific image
+docker images myapp --format "{{.Tag}}" | grep -v "latest\|v1.0" | xargs -I {} docker rmi myapp:{}
+```
+
+**Clean by pattern:**
+```bash
+# Remove all development images
+docker images | grep "\-dev" | awk '{print $3}' | xargs docker rmi
+
+# Remove unnamed images
+docker images --filter "dangling=true" -q | xargs docker rmi
+```
+
+### Pruning Volumes
+
+**Remove unused volumes:**
+```bash
+docker volume prune
+podman volume prune
+```
+
+**Remove specific volume:**
+```bash
+docker volume rm volume_name
+podman volume rm volume_name
+```
+
+**Remove all volumes (dangerous!):**
+```bash
+docker volume rm $(docker volume ls -q)
+podman volume rm -a
+```
+
+### Pruning Networks
+
+**Remove unused networks:**
+```bash
+docker network prune
+podman network prune
+```
+
+**Remove specific network:**
+```bash
+docker network rm network_name
+podman network rm network_name
+```
+
+### Build Cache Cleanup
+
+**Clear build cache:**
+```bash
+docker builder prune
+podman system prune --all --volumes
+```
+
+**Clear all build cache (more aggressive):**
+```bash
+docker builder prune -a
+```
+
+### System-wide Cleanup
+
+**Prune everything (containers, images, volumes, networks):**
+```bash
+docker system prune -a --volumes
+podman system prune -a --volumes
+```
+
+**With force (skip confirmation):**
+```bash
+docker system prune -a --volumes -f
+podman system prune -a --volumes -f
+```
+
+### Safe Cleanup Strategy
+
+**Step-by-step approach:**
+
+1. **Start conservative:**
+ ```bash
+ # Remove stopped containers
+ docker container prune
+
+ # Remove dangling images
+ docker image prune
+ ```
+
+2. **Then volumes:**
+ ```bash
+ # Review volumes first
+ docker volume ls
+
+ # Remove unused
+ docker volume prune
+ ```
+
+3. **Finally unused images:**
+ ```bash
+ # This removes images not used by any container
+ docker image prune -a
+ ```
+
+4. **Build cache (if needed):**
+ ```bash
+ docker builder prune
+ ```
+
+**Retention strategy:**
+```bash
+# Keep images from last week
+docker image prune -a --filter "until=168h"
+
+# Keep containers stopped in last 24h
+docker container prune --filter "until=24h"
+```
+
+### Automated Cleanup
+
+**Docker system prune with cron:**
+```bash
+# Add to crontab (weekly cleanup)
+0 2 * * 0 docker system prune -a --volumes -f >> /var/log/docker-cleanup.log 2>&1
+```
+
+**Podman auto-prune with systemd:**
+```bash
+# Podman rootless with systemd timer
+systemctl --user enable --now podman-auto-update.timer
+```
+
+### Disk Space Management
+
+**Check for large log files:**
+```bash
+# Docker logs can grow large
+ls -lh /var/lib/docker/containers/*/*-json.log
+```
+
+**Configure log rotation:**
+```json
+{
+ "log-driver": "json-file",
+ "log-opts": {
+ "max-size": "10m",
+ "max-file": "3"
+ }
+}
+```
+
+### Podman-Specific Cleanup
+
+```bash
+# Reset entire podman storage (nuclear option)
+podman system reset
+
+# Clean up pods
+podman pod prune
+
+# Clean up specific user's containers (rootless)
+podman system prune --all
+```
+
+## Security Scanning
+
+### Scanning Tools Overview
+
+**Recommended tools:**
+- **Trivy**: Comprehensive, recommended for most use cases
+- **Docker Scout**: Built-in Docker, easy integration
+- **Grype**: Anchore's scanner, good SBOM support
+- **Snyk**: Enterprise features, policy management
+- **Clair**: CoreOS scanner, good for registries
+
+### Trivy (Recommended)
+
+**Installation:**
+```bash
+# Using package manager
+# Debian/Ubuntu
+sudo apt install trivy
+
+# Fedora/RHEL
+sudo dnf install trivy
+
+# macOS
+brew install trivy
+
+# Or use container
+alias trivy="docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy"
+```
+
+**Basic scanning:**
+```bash
+trivy image myapp:latest
+trivy image nginx:latest
+```
+
+**Scan with specific severity:**
+```bash
+trivy image --severity HIGH,CRITICAL myapp:latest
+```
+
+**Scan for specific vulnerability types:**
+```bash
+# OS packages only
+trivy image --vuln-type os myapp:latest
+
+# Application dependencies only
+trivy image --vuln-type library myapp:latest
+
+# Both
+trivy image --vuln-type os,library myapp:latest
+```
+
+**Output formats:**
+```bash
+# Table (default)
+trivy image myapp:latest
+
+# JSON
+trivy image -f json myapp:latest
+
+# SARIF (for GitHub)
+trivy image -f sarif -o results.sarif myapp:latest
+
+# HTML report
+trivy image -f template --template "@contrib/html.tpl" -o report.html myapp:latest
+```
+
+**Scan filesystem and configurations:**
+```bash
+# Scan project directory
+trivy fs /path/to/project
+trivy fs --security-checks vuln,secret,config .
+
+# Scan Dockerfile
+trivy config Dockerfile
+
+# Scan Kubernetes manifests
+trivy config deployment.yaml
+```
+
+**Advanced Trivy options:**
+```bash
+# Ignore unfixed vulnerabilities
+trivy image --ignore-unfixed myapp:latest
+
+# Exit with error on critical vulnerabilities
+trivy image --exit-code 1 --severity CRITICAL myapp:latest
+
+# Scan remote image
+trivy image ghcr.io/username/myapp:latest
+
+# Use custom cache directory
+trivy image --cache-dir /tmp/trivy myapp:latest
+```
+
+**Using .trivyignore file:**
+```bash
+# .trivyignore
+CVE-2023-1234
+CVE-2023-5678 # False positive: feature not used
+```
+
+### Docker Scout (Built-in)
+
+**Enable Docker Scout:**
+```bash
+# Login
+docker login
+
+# Enable Scout
+docker scout enroll
+```
+
+**Scan images:**
+```bash
+# Quick scan
+docker scout quickview myapp:latest
+
+# CVE scan
+docker scout cves myapp:latest
+
+# Show only fixable
+docker scout cves --only-fixed myapp:latest
+
+# Compare images
+docker scout compare myapp:old myapp:new
+
+# Get recommendations
+docker scout recommendations myapp:latest
+
+# Export to SARIF
+docker scout cves --format sarif myapp:latest > results.sarif
+```
+
+### Grype (Anchore)
+
+**Installation:**
+```bash
+# Using package manager
+brew install grype
+
+# Or download binary
+curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
+
+# Or use container
+alias grype="docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype"
+```
+
+**Scan images:**
+```bash
+# Basic scan
+grype myapp:latest
+
+# Scan with filters
+grype myapp:latest --only-fixed
+grype myapp:latest --fail-on critical
+
+# Output formats
+grype -o json myapp:latest
+grype -o table myapp:latest
+grype -o cyclonedx myapp:latest # SBOM format
+```
+
+### Snyk Container
+
+**Installation:**
+```bash
+# Install Snyk CLI
+npm install -g snyk
+
+# Or use binary
+curl -O https://static.snyk.io/cli/latest/snyk-linux
+chmod +x snyk-linux
+mv snyk-linux /usr/local/bin/snyk
+
+# Authenticate
+snyk auth
+```
+
+**Scan images:**
+```bash
+# Scan image
+snyk container test myapp:latest
+
+# Monitor for vulnerabilities
+snyk container monitor myapp:latest
+
+# Test and generate report
+snyk container test myapp:latest --json-file-output=results.json
+```
+
+### Secret Scanning
+
+**Trivy secret scan:**
+```bash
+trivy fs --security-checks secret .
+trivy image --security-checks secret myapp:latest
+```
+
+**TruffleHog:**
+```bash
+# Install
+pip install truffleHog
+
+# Scan filesystem
+trufflehog filesystem /path/to/project
+
+# Scan container image
+docker save myapp:latest | trufflehog
+```
+
+### SBOM Generation
+
+**Generate Software Bill of Materials:**
+```bash
+# Trivy SBOM
+trivy image -f cyclonedx myapp:latest > sbom.json
+trivy image -f spdx myapp:latest > sbom.spdx
+
+# Grype SBOM
+grype -o cyclonedx myapp:latest > sbom.json
+
+# Syft (dedicated SBOM tool)
+syft myapp:latest -o cyclonedx-json > sbom.json
+```
+
+### Dockerfile Best Practices Scanning
+
+**Hadolint (Dockerfile linter):**
+```bash
+# Install
+brew install hadolint
+
+# Or use container
+docker run --rm -i hadolint/hadolint < Dockerfile
+
+# Scan Dockerfile
+hadolint Dockerfile
+
+# Ignore specific rule
+hadolint --ignore DL3008 Dockerfile
+```
+
+**Docker Bench Security:**
+```bash
+# Run security audit
+docker run --rm --net host --pid host --userns host --cap-add audit_control \
+ -v /var/lib:/var/lib \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /etc:/etc \
+ --label docker_bench_security \
+ docker/docker-bench-security
+```
+
+### Security Best Practices
+
+**Base image selection:**
+```dockerfile
+# Prefer minimal base images
+FROM alpine:3.19
+FROM debian:bookworm-slim
+FROM gcr.io/distroless/static-debian12
+
+# Avoid
+FROM ubuntu:latest # Too large, "latest" is unpredictable
+```
+
+**Multi-stage builds:**
+```dockerfile
+# Build stage with more tools
+FROM golang:1.21 AS builder
+WORKDIR /src
+COPY . .
+RUN go build -o app
+
+# Runtime stage with minimal image
+FROM gcr.io/distroless/static-debian12
+COPY --from=builder /src/app /app
+ENTRYPOINT ["/app"]
+```
+
+**Update dependencies:**
+```dockerfile
+# Update OS packages during build
+RUN apt-get update && \
+ apt-get upgrade -y && \
+ apt-get install -y --no-install-recommends \
+ package1 \
+ package2 && \
+ rm -rf /var/lib/apt/lists/*
+```
+
+**Use specific versions:**
+```dockerfile
+# Bad: unpredictable
+FROM python:latest
+
+# Good: specific and minimal
+FROM python:3.11-slim-bookworm
+```
+
+**Run as non-root user:**
+```dockerfile
+# Create and use non-root user
+RUN adduser -D -u 1000 appuser
+USER appuser
+CMD ["/app"]
+```
+
+**Avoid secrets in images:**
+```dockerfile
+# Bad: secrets in image
+ENV API_KEY="secret123"
+COPY .env /app/.env
+
+# Good: secrets at runtime via environment or secrets management
+# No secrets in Dockerfile
+```
+
+### Remediation Strategies
+
+**Update base images regularly:**
+```bash
+docker pull alpine:3.19
+docker build --no-cache -t myapp:latest .
+```
+
+**Update application dependencies:**
+```dockerfile
+# Go
+RUN go get -u && go mod tidy
+
+# Node
+RUN npm update
+
+# Python
+RUN pip install --upgrade -r requirements.txt
+```
+
+**Use distroless images:**
+```dockerfile
+FROM gcr.io/distroless/python3-debian12
+COPY --from=builder /app /app
+CMD ["/app/main.py"]
+```
+
+### Interpreting Scan Results
+
+**Vulnerability severity (CVSS):**
+- **Critical** (9.0-10.0): Immediate action required
+- **High** (7.0-8.9): Fix within 1 week
+- **Medium** (4.0-6.9): Fix within 1 month
+- **Low** (0.1-3.9): Fix opportunistically
+
+**Handle false positives:**
+- Vulnerability in unused code path
+- Requires conditions that don't exist
+- Already mitigated at runtime
+- Document in .trivyignore with reason
+
+### CI/CD Integration
+
+**GitHub Actions:**
+```yaml
+name: Container Scan
+
+on: [push, pull_request]
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Build image
+ run: docker build -t myapp:${{ github.sha }} .
+
+ - name: Run Trivy scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: myapp:${{ github.sha }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+```
+
+**GitLab CI:**
+```yaml
+container_scan:
+ image: aquasec/trivy:latest
+ script:
+ - trivy image --format json --output results.json myapp:latest
+ artifacts:
+ reports:
+ container_scanning: results.json
+```
+
+**Jenkins:**
+```groovy
+pipeline {
+ agent any
+ stages {
+ stage('Build') {
+ steps {
+ sh 'docker build -t myapp:latest .'
+ }
+ }
+ stage('Security Scan') {
+ steps {
+ sh 'trivy image --exit-code 1 --severity CRITICAL myapp:latest'
+ }
+ }
+ }
+}
+```
+
+## Monitoring and Health
+
+### Resource Usage Monitoring
+
+**Check system resources:**
+```bash
+# Disk usage overview
+docker system df
+docker system df -v
+
+# Container resource usage
+docker stats
+docker stats --no-stream
+
+# Podman stats
+podman stats
+```
+
+### Container Metrics
+
+**Monitor container health:**
+```bash
+# View container logs
+docker logs container_name
+docker logs -f --tail 100 container_name
+
+# Inspect container
+docker inspect container_name
+
+# Check container health status
+docker ps --filter "health=unhealthy"
+```
+
+### Health Checks
+
+**Define health checks in Dockerfile:**
+```dockerfile
+HEALTHCHECK --interval=30s --timeout=3s \
+ CMD curl -f http://localhost:8080/health || exit 1
+```
+
+**Check health status:**
+```bash
+docker inspect --format='{{.State.Health.Status}}' container_name
+```
+
+### Automated Maintenance
+
+**Combined cleanup and security scan script:**
+```bash
+#!/bin/bash
+# weekly-maintenance.sh
+
+# Cleanup
+echo "Starting cleanup..."
+docker system prune -a --volumes -f
+
+# Security scan
+echo "Scanning images..."
+for image in $(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>"); do
+ echo "Scanning $image"
+ trivy image --severity CRITICAL,HIGH "$image"
+done
+
+# Report
+echo "Maintenance completed"
+docker system df
+```
+
+**Schedule with cron:**
+```bash
+# Every Sunday at 2 AM
+0 2 * * 0 /path/to/weekly-maintenance.sh >> /var/log/docker-maintenance.log 2>&1
+```
+
+## Best Practices
+
+### Maintenance Schedule
+
+**Regular tasks:**
+- **Daily**: Monitor disk usage and container health
+- **Weekly**: Prune stopped containers and dangling images
+- **Monthly**: Full system cleanup and security scan
+- **Quarterly**: Review and update base images
+
+### Safety Guidelines
+
+**Before cleanup:**
+- **Always preview** what will be removed
+- **Never use `-f` (force)** without understanding impact
+- Keep tagged images you need
+- Backup important volumes before cleanup
+- Test in development first
+
+**Before security fixes:**
+- Understand each vulnerability
+- Check if it applies to your use case
+- Test updates in staging
+- Have rollback plan
+
+### Security Scanning Workflow
+
+1. **Scan during build** - Catch issues early
+2. **Scan before push** - Gate deployments
+3. **Scan in CI/CD** - Automated verification
+4. **Scan running containers** - Regular monitoring
+5. **Monitor for new CVEs** - Stay informed
+
+### Integration Strategy
+
+**Combine cleanup with security:**
+```bash
+# Before cleanup, scan what you're keeping
+docker images --format "{{.Repository}}:{{.Tag}}" | \
+ while read image; do
+ trivy image --severity CRITICAL "$image"
+ done
+
+# Then cleanup old/vulnerable images
+docker image prune -a --filter "until=168h"
+```
+
+## Troubleshooting
+
+### Cleanup Issues
+
+**Issue**: Important data deleted
+- **Prevention**: Always use named volumes for important data
+- **Recovery**: Check volume backups if available
+
+**Issue**: Still using too much space
+- Check for large log files
+- Configure log rotation
+- Clean build cache: `docker builder prune -a`
+
+**Issue**: Cannot remove image in use
+- Check which containers use it: `docker ps -a --filter ancestor=image_name`
+- Stop and remove containers first
+
+**Issue**: Permission denied (Docker)
+- Use sudo or add user to docker group
+- With Podman: run as regular user (rootless)
+
+### Security Scan Issues
+
+**Issue**: Too many false positives
+- Use .trivyignore to document
+- Check if vulnerability applies to your use case
+- Focus on fixable issues first
+
+**Issue**: Scan takes too long
+- Use `--ignore-unfixed` to skip unfixable issues
+- Scan specific vulnerability types only
+- Use local cache directory
+
+**Issue**: Cannot update vulnerable package
+- Check if vulnerability affects your code path
+- Consider alternative base image
+- Document mitigation if no fix available
+
+**Issue**: Scan fails on large images
+- Increase timeout settings
+- Use streaming scan mode
+- Scan in stages (base image, then layers)
+
+## Output Format Examples
+
+**After cleanup:**
+```
+✓ Cleanup completed successfully
+ Runtime: docker
+
+ Removed:
+ - Containers: 5
+ - Images: 12
+ - Volumes: 3
+ - Networks: 2
+
+ Space reclaimed: 2.5 GB
+
+ Current usage:
+ - Images: 5.2 GB
+ - Containers: 150 MB
+ - Volumes: 800 MB
+ - Build cache: 1.1 GB
+ - Total: 7.25 GB
+
+Next steps:
+ - Schedule regular cleanup
+ - Configure log rotation
+ - Scan remaining images for vulnerabilities
+```
+
+**After security scan:**
+```
+✓ Security scan completed
+ Image: myapp:latest
+ Scanner: Trivy
+
+ Vulnerabilities found:
+ Critical: 2
+ High: 5
+ Medium: 12
+ Low: 8
+
+ Top issues:
+ 1. CVE-2023-1234 (Critical) - OpenSSL vulnerability
+ Fix: Update to openssl 3.0.10
+ 2. CVE-2023-5678 (High) - curl buffer overflow
+ Fix: Update to curl 8.1.2
+
+ Secrets found: 0
+ Misconfigurations: 3
+
+ Recommendations:
+ - Update base image from alpine:3.17 to alpine:3.19
+ - Remove unnecessary package: wget
+ - Add non-root user
+
+ Full report: results.json
+
+Next steps:
+ - Update base image
+ - Rebuild and rescan
+ - Review medium severity issues
+```
dots/.config/claude/skills/Docker/workflows/ManageContainers.md
@@ -1,241 +0,0 @@
-# ManageContainers Workflow
-
-Start, stop, restart, inspect, and manage container lifecycle.
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
- - Check for running containers
-
-2. **Determine Action**
- - List containers
- - Start new container
- - Stop/restart existing container
- - Remove container
- - Inspect container details
-
-3. **Execute Container Management**
- - Run appropriate commands
- - Handle container naming
- - Manage ports and volumes
- - Set environment variables
-
-4. **Verify State**
- - Confirm container status
- - Show logs if issues occur
- - Display relevant information
-
-## Common Operations
-
-### List Containers
-
-**Show all running containers:**
-```bash
-docker ps
-podman ps
-```
-
-**Show all containers (including stopped):**
-```bash
-docker ps -a
-podman ps -a
-```
-
-**Format output:**
-```bash
-docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
-podman ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
-```
-
-### Start Containers
-
-**Run new container:**
-```bash
-docker run -d --name myapp -p 8080:80 myapp:latest
-podman run -d --name myapp -p 8080:80 myapp:latest
-```
-
-**Run with environment variables:**
-```bash
-docker run -d --name myapp -e KEY=value myapp:latest
-podman run -d --name myapp -e KEY=value myapp:latest
-```
-
-**Run with volume mount:**
-```bash
-docker run -d --name myapp -v /host/path:/container/path myapp:latest
-podman run -d --name myapp -v /host/path:/container/path myapp:latest
-```
-
-**Run interactively:**
-```bash
-docker run -it --name myapp myapp:latest /bin/bash
-podman run -it --name myapp myapp:latest /bin/bash
-```
-
-### Stop/Restart Containers
-
-**Stop container:**
-```bash
-docker stop myapp
-podman stop myapp
-```
-
-**Stop with timeout:**
-```bash
-docker stop -t 30 myapp
-podman stop -t 30 myapp
-```
-
-**Restart container:**
-```bash
-docker restart myapp
-podman restart myapp
-```
-
-**Kill container (forceful):**
-```bash
-docker kill myapp
-podman kill myapp
-```
-
-### Remove Containers
-
-**Remove stopped container:**
-```bash
-docker rm myapp
-podman rm myapp
-```
-
-**Force remove running container:**
-```bash
-docker rm -f myapp
-podman rm -f myapp
-```
-
-**Remove all stopped containers:**
-```bash
-docker container prune
-podman container prune
-```
-
-### Inspect Containers
-
-**Show detailed information:**
-```bash
-docker inspect myapp
-podman inspect myapp
-```
-
-**Get specific field:**
-```bash
-docker inspect -f '{{.State.Status}}' myapp
-podman inspect -f '{{.State.Status}}' myapp
-```
-
-**Show resource usage:**
-```bash
-docker stats myapp
-podman stats myapp
-```
-
-## Podman-Specific Features
-
-### Rootless Containers
-```bash
-# Run rootless (default in Podman)
-podman run -d --name myapp myapp:latest
-
-# Check if rootless
-podman info --format '{{.Host.Security.Rootless}}'
-```
-
-### Systemd Integration
-```bash
-# Generate systemd unit file
-podman generate systemd --name myapp > ~/.config/systemd/user/myapp.service
-
-# Enable and start service
-systemctl --user enable --now myapp.service
-```
-
-### Pods (Kubernetes-like)
-```bash
-# Create pod
-podman pod create --name mypod -p 8080:80
-
-# Add container to pod
-podman run -d --pod mypod --name myapp myapp:latest
-
-# List pods
-podman pod ps
-
-# Stop entire pod
-podman pod stop mypod
-```
-
-## Best Practices
-
-### Container Naming
-- Use descriptive names
-- Follow consistent naming convention
-- Avoid generic names like "app" or "container"
-
-### Resource Management
-- Set memory limits: `--memory 512m`
-- Set CPU limits: `--cpus 1.5`
-- Use health checks: `--health-cmd`
-
-### Security
-- Run as non-root when possible (Podman rootless)
-- Use read-only filesystem: `--read-only`
-- Drop capabilities: `--cap-drop ALL`
-- Use security profiles: `--security-opt`
-
-### Restart Policies
-```bash
-# Always restart
-docker run -d --restart always myapp
-
-# Restart on failure
-docker run -d --restart on-failure:5 myapp
-
-# No restart
-docker run -d --restart no myapp
-```
-
-## Common Issues
-
-**Issue**: Port already in use
-- Check what's using the port: `lsof -i :8080` or `ss -tlnp | grep 8080`
-- Use different host port: `-p 8081:80`
-
-**Issue**: Container exits immediately
-- Check logs: [trigger DebugContainer]
-- Run interactively to debug: `-it`
-
-**Issue**: Permission denied (Docker)
-- Add user to docker group: `sudo usermod -aG docker $USER`
-- Or use Podman rootless
-
-**Issue**: Cannot connect to container
-- Check port mapping: `docker port myapp`
-- Verify network: `docker network inspect bridge`
-
-## Output Format
-
-After container operation:
-```
-✓ Container started successfully
- Runtime: docker/podman
- Name: myapp
- Status: running
- Ports: 0.0.0.0:8080->80/tcp
- Uptime: 5s
-
-Next steps:
- - Check logs: docker logs myapp
- - Access application: curl http://localhost:8080
- - View stats: docker stats myapp
-```
dots/.config/claude/skills/Docker/workflows/NetworkManage.md
@@ -1,610 +0,0 @@
-# NetworkManage Workflow
-
-Create, manage, and troubleshoot container networks.
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
-
-2. **Determine Network Operation**
- - List networks
- - Create network
- - Connect/disconnect containers
- - Inspect network
- - Remove network
-
-3. **Execute Network Command**
- - Run appropriate network command
- - Configure network settings
-
-4. **Verify Configuration**
- - Check network connectivity
- - Verify container connections
-
-## List Networks
-
-**Show all networks:**
-```bash
-docker network ls
-podman network ls
-```
-
-**Filter networks:**
-```bash
-# By driver
-docker network ls --filter driver=bridge
-podman network ls --filter driver=bridge
-
-# By name
-docker network ls --filter name=myapp
-podman network ls --filter name=myapp
-```
-
-## Create Networks
-
-### Bridge Network (Default)
-
-**Create simple bridge network:**
-```bash
-docker network create mynetwork
-podman network create mynetwork
-```
-
-**Create with subnet:**
-```bash
-docker network create \
- --subnet=172.20.0.0/16 \
- --gateway=172.20.0.1 \
- mynetwork
-
-podman network create \
- --subnet=172.20.0.0/16 \
- --gateway=172.20.0.1 \
- mynetwork
-```
-
-**Create with IP range:**
-```bash
-docker network create \
- --subnet=172.20.0.0/16 \
- --ip-range=172.20.240.0/20 \
- --gateway=172.20.0.1 \
- mynetwork
-```
-
-**Create with custom driver options:**
-```bash
-docker network create \
- --driver bridge \
- --opt "com.docker.network.bridge.name=br-myapp" \
- --opt "com.docker.network.bridge.enable_ip_masquerade=true" \
- mynetwork
-```
-
-### Host Network
-
-**Use host network (container shares host network stack):**
-```bash
-docker run --network host myapp
-podman run --network host myapp
-```
-
-Note: Cannot create host network, it's built-in.
-
-### Overlay Network (Swarm/Multi-host)
-
-**Create overlay network:**
-```bash
-# Docker Swarm only
-docker network create --driver overlay myoverlay
-
-# With encryption
-docker network create \
- --driver overlay \
- --opt encrypted \
- myoverlay
-```
-
-### Macvlan Network
-
-**Create macvlan network:**
-```bash
-docker network create \
- --driver macvlan \
- --subnet=192.168.1.0/24 \
- --gateway=192.168.1.1 \
- -o parent=eth0 \
- mymacvlan
-```
-
-### None Network (No networking)
-
-**Run with no network:**
-```bash
-docker run --network none myapp
-podman run --network none myapp
-```
-
-## Connect Containers
-
-### Connect to Network
-
-**Connect running container:**
-```bash
-docker network connect mynetwork container_name
-podman network connect mynetwork container_name
-```
-
-**Connect with specific IP:**
-```bash
-docker network connect --ip 172.20.0.100 mynetwork container_name
-podman network connect --ip 172.20.0.100 mynetwork container_name
-```
-
-**Connect with alias:**
-```bash
-docker network connect --alias db mynetwork container_name
-podman network connect --alias db mynetwork container_name
-```
-
-### Disconnect from Network
-
-**Disconnect container:**
-```bash
-docker network disconnect mynetwork container_name
-podman network disconnect mynetwork container_name
-```
-
-**Force disconnect:**
-```bash
-docker network disconnect -f mynetwork container_name
-podman network disconnect -f mynetwork container_name
-```
-
-### Run Container on Network
-
-**Start container on specific network:**
-```bash
-docker run --network mynetwork --name web nginx
-podman run --network mynetwork --name web nginx
-```
-
-**With custom IP:**
-```bash
-docker run --network mynetwork --ip 172.20.0.100 --name web nginx
-podman run --network mynetwork --ip 172.20.0.100 --name web nginx
-```
-
-**With network alias:**
-```bash
-docker run --network mynetwork --network-alias webapp --name web nginx
-podman run --network mynetwork --network-alias webapp --name web nginx
-```
-
-## Inspect Networks
-
-**View network details:**
-```bash
-docker network inspect mynetwork
-podman network inspect mynetwork
-```
-
-**Get specific field:**
-```bash
-# List connected containers
-docker network inspect -f '{{range .Containers}}{{.Name}} {{end}}' mynetwork
-
-# Get subnet
-docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}}{{end}}' mynetwork
-
-# Get gateway
-docker network inspect -f '{{range .IPAM.Config}}{{.Gateway}}{{end}}' mynetwork
-```
-
-**JSON output with jq:**
-```bash
-docker network inspect mynetwork | jq '.[0].IPAM.Config'
-podman network inspect mynetwork | jq '.[0].subnets'
-```
-
-## Remove Networks
-
-**Remove network:**
-```bash
-docker network rm mynetwork
-podman network rm mynetwork
-```
-
-**Remove multiple networks:**
-```bash
-docker network rm network1 network2 network3
-podman network rm network1 network2 network3
-```
-
-**Remove all unused networks:**
-```bash
-docker network prune
-podman network prune
-```
-
-**Force remove (with confirmation):**
-```bash
-docker network prune -f
-podman network prune -f
-```
-
-## Network Drivers
-
-### Bridge (Default)
-
-**Best for:**
-- Single-host deployments
-- Isolated container groups
-- Development environments
-
-**Characteristics:**
-- Software bridge on host
-- NAT for external access
-- DNS resolution between containers
-- Isolated from host network
-
-### Host
-
-**Best for:**
-- Maximum network performance
-- Direct port binding
-- Legacy applications
-
-**Characteristics:**
-- No network isolation
-- Container uses host network stack
-- No port mapping needed
-- Higher performance, lower security
-
-### Overlay
-
-**Best for:**
-- Multi-host deployments
-- Docker Swarm
-- Microservices across hosts
-
-**Characteristics:**
-- Spans multiple Docker hosts
-- Requires swarm mode or key-value store
-- Encrypted overlay traffic option
-
-### Macvlan
-
-**Best for:**
-- Legacy applications
-- Direct Layer 2 access
-- Container needs MAC address
-
-**Characteristics:**
-- Containers get own MAC address
-- Appear as physical devices
-- Direct connection to physical network
-
-### None
-
-**Best for:**
-- Maximum isolation
-- Custom networking
-- Security-critical containers
-
-**Characteristics:**
-- No network interface
-- Complete network isolation
-- Must manually configure if needed
-
-## DNS and Service Discovery
-
-### Automatic DNS
-
-**Containers on same user-defined network can resolve each other by name:**
-```bash
-# Create network
-docker network create myapp
-
-# Start containers
-docker run -d --network myapp --name web nginx
-docker run -d --network myapp --name db postgres
-
-# web can reach db by name
-docker exec web ping db
-docker exec web curl http://db:5432
-```
-
-### Custom DNS
-
-**Set DNS servers:**
-```bash
-docker run --dns 8.8.8.8 --dns 8.8.4.4 myapp
-podman run --dns 8.8.8.8 myapp
-```
-
-**Set DNS search domain:**
-```bash
-docker run --dns-search example.com myapp
-podman run --dns-search example.com myapp
-```
-
-### Network Aliases
-
-**Add multiple aliases:**
-```bash
-docker network connect --alias db --alias database mynetwork container_name
-```
-
-## Port Mapping
-
-**Map ports:**
-```bash
-# Map container port to host
-docker run -p 8080:80 nginx # host:container
-podman run -p 8080:80 nginx
-
-# Map to specific interface
-docker run -p 127.0.0.1:8080:80 nginx
-podman run -p 127.0.0.1:8080:80 nginx
-
-# Map range
-docker run -p 8080-8090:8080-8090 myapp
-podman run -p 8080-8090:8080-8090 myapp
-
-# Map UDP
-docker run -p 53:53/udp dns-server
-podman run -p 53:53/udp dns-server
-```
-
-**Publish all exposed ports:**
-```bash
-docker run -P nginx # Maps to random host ports
-podman run -P nginx
-```
-
-**Check port mappings:**
-```bash
-docker port container_name
-podman port container_name
-```
-
-## Network Troubleshooting
-
-### Check Container Network
-
-**Get container IP:**
-```bash
-docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name
-podman inspect -f '{{.NetworkSettings.IPAddress}}' container_name
-```
-
-**List all containers on network:**
-```bash
-docker network inspect mynetwork -f '{{range .Containers}}{{.Name}} {{.IPv4Address}}{{"\n"}}{{end}}'
-```
-
-### Test Connectivity
-
-**From container:**
-```bash
-# Ping another container
-docker exec web ping db
-
-# Test port connectivity
-docker exec web nc -zv db 5432
-
-# DNS resolution
-docker exec web nslookup db
-
-# Check routes
-docker exec web ip route
-```
-
-**From host:**
-```bash
-# Ping container
-ping 172.20.0.100
-
-# Test port
-nc -zv 172.20.0.100 80
-curl http://172.20.0.100
-```
-
-### Debug Network Issues
-
-**Check network exists:**
-```bash
-docker network ls | grep mynetwork
-```
-
-**Check container is connected:**
-```bash
-docker network inspect mynetwork | grep container_name
-```
-
-**Check firewall rules:**
-```bash
-# Docker creates iptables rules
-sudo iptables -L DOCKER
-sudo iptables -L DOCKER-USER
-sudo iptables -t nat -L DOCKER
-```
-
-**Check bridge:**
-```bash
-# List bridges
-ip link show type bridge
-
-# Show bridge details
-bridge link show
-```
-
-## Advanced Networking
-
-### Custom Bridge
-
-**Create custom bridge on host:**
-```bash
-# Create bridge
-sudo ip link add br-custom type bridge
-sudo ip addr add 172.30.0.1/24 dev br-custom
-sudo ip link set br-custom up
-
-# Use with Docker
-docker network create \
- --driver bridge \
- --opt "com.docker.network.bridge.name=br-custom" \
- mycustom
-```
-
-### Network Namespaces
-
-**Enter container network namespace:**
-```bash
-# Get container PID
-PID=$(docker inspect -f '{{.State.Pid}}' container_name)
-
-# Enter network namespace
-sudo nsenter -t $PID -n ip addr show
-```
-
-### IPv6 Support
-
-**Enable IPv6:**
-```bash
-# Docker daemon config (/etc/docker/daemon.json)
-{
- "ipv6": true,
- "fixed-cidr-v6": "2001:db8:1::/64"
-}
-
-# Create IPv6 network
-docker network create --ipv6 --subnet=2001:db8:1::/64 mynetwork
-```
-
-## Podman-Specific Networking
-
-### CNI Plugins
-
-**Podman uses CNI (Container Network Interface):**
-```bash
-# CNI config location
-/etc/cni/net.d/
-
-# List available plugins
-ls /usr/libexec/cni/
-```
-
-### Rootless Networking
-
-**Rootless uses slirp4netns by default:**
-```bash
-# Check rootless network
-podman network inspect podman
-
-# Create rootless network
-podman network create mynetwork
-```
-
-### Pod Networking
-
-**Containers in a pod share network:**
-```bash
-# Create pod
-podman pod create --name mypod -p 8080:80
-
-# Add containers (share network)
-podman run -d --pod mypod --name web nginx
-podman run -d --pod mypod --name app myapp
-
-# They can communicate via localhost
-```
-
-## Best Practices
-
-### Security
-
-- Use user-defined networks, not default bridge
-- Isolate sensitive services
-- Limit external exposure
-- Use internal networks for backend services
-
-### Organization
-
-- Name networks descriptively (e.g., `frontend`, `backend`, `data`)
-- One network per application tier
-- Document network topology
-- Use labels for organization
-
-### Performance
-
-- Use host networking for high-throughput apps (with caution)
-- Keep containers on same network for inter-container communication
-- Use overlay networks sparingly (overhead)
-
-## Common Issues
-
-**Issue**: Containers can't communicate
-- Ensure containers are on the same network
-- Check firewall rules
-- Verify DNS resolution
-
-**Issue**: Port already in use
-- Check host port availability: `lsof -i :8080`
-- Use different host port
-- Stop conflicting service
-
-**Issue**: Network already exists
-- Choose different name
-- Remove old network: `docker network rm`
-
-**Issue**: Can't remove network
-- **Cause**: Containers still connected
-- **Solution**: Disconnect or remove containers first
-
-## Output Format
-
-After network operation:
-```
-✓ Network created successfully
- Runtime: docker/podman
- Name: myapp-network
- Driver: bridge
- Subnet: 172.20.0.0/16
- Gateway: 172.20.0.1
-
- Connected containers: 0
-
- Connect container:
- docker network connect myapp-network container_name
-
- Run container on network:
- docker run --network myapp-network myapp
-```
-
-## Quick Reference
-
-```bash
-# Create network
-docker network create mynetwork
-
-# List networks
-docker network ls
-
-# Inspect network
-docker network inspect mynetwork
-
-# Connect container
-docker network connect mynetwork container_name
-
-# Disconnect container
-docker network disconnect mynetwork container_name
-
-# Remove network
-docker network rm mynetwork
-
-# Clean up unused networks
-docker network prune
-```
dots/.config/claude/skills/Docker/workflows/OptimizeImage.md
@@ -1,738 +0,0 @@
-# OptimizeImage Workflow
-
-Reduce container image size and improve build performance through optimization techniques.
-
-## Process
-
-1. **Analyze Current Image**
- - Check image size
- - Examine layers
- - Identify large files
- - Review Dockerfile
-
-2. **Identify Optimization Opportunities**
- - Base image selection
- - Layer optimization
- - Build cache usage
- - Unnecessary files
-
-3. **Apply Optimizations**
- - Use multi-stage builds
- - Minimize layers
- - Use smaller base images
- - Remove build artifacts
-
-4. **Measure Improvements**
- - Compare before/after sizes
- - Verify functionality
- - Test performance
-
-## Analyze Image
-
-### Check Image Size
-
-**View image size:**
-```bash
-docker images myapp
-podman images myapp
-```
-
-**Show size in different formats:**
-```bash
-docker images --format "{{.Repository}}:{{.Tag}}\t{{.Size}}"
-```
-
-### Examine Layers
-
-**View image history:**
-```bash
-docker history myapp:latest
-docker history --no-trunc myapp:latest # Full commands
-
-podman history myapp:latest
-```
-
-**Analyze with dive:**
-```bash
-# Install dive
-brew install dive
-# Or: docker pull wagoodman/dive
-
-# Analyze image
-dive myapp:latest
-```
-
-**Find large layers:**
-```bash
-docker history myapp:latest --format "{{.Size}}\t{{.CreatedBy}}" | sort -h
-```
-
-## Base Image Optimization
-
-### Choose Minimal Base Images
-
-**Size comparison:**
-```dockerfile
-# Large (1.1 GB)
-FROM ubuntu:latest
-
-# Medium (130 MB)
-FROM ubuntu:22.04
-
-# Small (77 MB)
-FROM debian:bookworm-slim
-
-# Smaller (7 MB)
-FROM alpine:3.19
-
-# Smallest (< 2 MB)
-FROM scratch # For static binaries
-FROM gcr.io/distroless/static-debian12 # For Go/Rust
-```
-
-### Language-Specific Minimal Images
-
-**Python:**
-```dockerfile
-# Large (900 MB)
-FROM python:3.11
-
-# Small (50 MB)
-FROM python:3.11-slim
-
-# Smaller (45 MB)
-FROM python:3.11-alpine
-```
-
-**Node.js:**
-```dockerfile
-# Large (1 GB)
-FROM node:20
-
-# Small (240 MB)
-FROM node:20-slim
-
-# Smaller (180 MB)
-FROM node:20-alpine
-```
-
-**Go:**
-```dockerfile
-# For building
-FROM golang:1.21-alpine AS builder
-
-# For runtime (static binary)
-FROM scratch
-FROM gcr.io/distroless/static-debian12
-```
-
-## Multi-Stage Builds
-
-### Basic Pattern
-
-**Before (large):**
-```dockerfile
-FROM golang:1.21
-WORKDIR /app
-COPY . .
-RUN go build -o myapp
-CMD ["/app/myapp"]
-# Result: ~1 GB
-```
-
-**After (small):**
-```dockerfile
-# Build stage
-FROM golang:1.21-alpine AS builder
-WORKDIR /app
-COPY go.* ./
-RUN go mod download
-COPY . .
-RUN go build -o myapp
-
-# Runtime stage
-FROM alpine:3.19
-WORKDIR /app
-COPY --from=builder /app/myapp .
-CMD ["/app/myapp"]
-# Result: ~20 MB
-```
-
-### Advanced Multi-Stage
-
-**Multiple build stages:**
-```dockerfile
-# Stage 1: Dependencies
-FROM node:20-alpine AS deps
-WORKDIR /app
-COPY package*.json ./
-RUN npm ci --only=production
-
-# Stage 2: Build
-FROM node:20-alpine AS builder
-WORKDIR /app
-COPY package*.json ./
-RUN npm ci
-COPY . .
-RUN npm run build
-
-# Stage 3: Runtime
-FROM node:20-alpine
-WORKDIR /app
-ENV NODE_ENV=production
-COPY --from=deps /app/node_modules ./node_modules
-COPY --from=builder /app/dist ./dist
-COPY package.json ./
-CMD ["node", "dist/index.js"]
-```
-
-## Layer Optimization
-
-### Combine RUN Commands
-
-**Before:**
-```dockerfile
-RUN apt-get update
-RUN apt-get install -y curl
-RUN apt-get install -y git
-RUN apt-get clean
-# Creates 4 layers
-```
-
-**After:**
-```dockerfile
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- curl \
- git && \
- rm -rf /var/lib/apt/lists/*
-# Creates 1 layer
-```
-
-### Order Layers by Change Frequency
-
-**Optimize build cache:**
-```dockerfile
-# Bad: changes to code invalidate all layers
-FROM node:20-alpine
-WORKDIR /app
-COPY . .
-RUN npm install
-RUN npm run build
-
-# Good: dependencies cached separately
-FROM node:20-alpine
-WORKDIR /app
-# Copy package files first (changes less frequently)
-COPY package*.json ./
-RUN npm ci
-# Copy code last (changes most frequently)
-COPY . .
-RUN npm run build
-```
-
-### Clean Up in Same Layer
-
-**Bad:**
-```dockerfile
-RUN wget https://example.com/large-file.tar.gz
-RUN tar -xzf large-file.tar.gz
-RUN rm large-file.tar.gz
-# large-file.tar.gz still in first layer!
-```
-
-**Good:**
-```dockerfile
-RUN wget https://example.com/large-file.tar.gz && \
- tar -xzf large-file.tar.gz && \
- rm large-file.tar.gz
-# File removed in same layer
-```
-
-## Remove Unnecessary Files
-
-### Use .dockerignore
-
-**Create .dockerignore:**
-```dockerignore
-# Version control
-.git
-.gitignore
-
-# Dependencies
-node_modules
-vendor
-
-# Build artifacts
-dist
-build
-*.o
-*.a
-
-# Documentation
-*.md
-docs/
-
-# Tests
-*_test.go
-test/
-tests/
-__tests__
-
-# CI/CD
-.github
-.gitlab-ci.yml
-Jenkinsfile
-
-# Development
-.env
-.vscode
-.idea
-*.log
-
-# OS files
-.DS_Store
-Thumbs.db
-```
-
-### Remove Package Manager Cache
-
-**APT (Debian/Ubuntu):**
-```dockerfile
-RUN apt-get update && \
- apt-get install -y package && \
- rm -rf /var/lib/apt/lists/*
-```
-
-**YUM/DNF (RHEL/Fedora):**
-```dockerfile
-RUN dnf install -y package && \
- dnf clean all
-```
-
-**APK (Alpine):**
-```dockerfile
-RUN apk add --no-cache package
-```
-
-**npm:**
-```dockerfile
-RUN npm ci --only=production && \
- npm cache clean --force
-```
-
-**pip:**
-```dockerfile
-RUN pip install --no-cache-dir -r requirements.txt
-```
-
-## Minimize Installed Packages
-
-### Install Only Required Packages
-
-**Bad:**
-```dockerfile
-RUN apt-get update && \
- apt-get install -y build-essential
-# Installs many unnecessary packages
-```
-
-**Good:**
-```dockerfile
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- gcc \
- make && \
- rm -rf /var/lib/apt/lists/*
-# Minimal installation
-```
-
-### Remove Build Dependencies
-
-**Pattern for temporary build deps:**
-```dockerfile
-RUN apk add --no-cache --virtual .build-deps \
- gcc \
- musl-dev \
- postgresql-dev && \
- pip install psycopg2 && \
- apk del .build-deps
-```
-
-## Static Binaries
-
-### Go Example
-
-```dockerfile
-# Build stage
-FROM golang:1.21-alpine AS builder
-WORKDIR /app
-COPY . .
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o myapp .
-
-# Runtime stage
-FROM scratch
-COPY --from=builder /app/myapp /myapp
-ENTRYPOINT ["/myapp"]
-# Result: ~10 MB (just the binary!)
-```
-
-### Rust Example
-
-```dockerfile
-# Build stage
-FROM rust:1.75-alpine AS builder
-WORKDIR /app
-COPY . .
-RUN cargo build --release
-
-# Runtime stage
-FROM scratch
-COPY --from=builder /app/target/release/myapp /myapp
-ENTRYPOINT ["/myapp"]
-```
-
-## Compression and Squashing
-
-### Use BuildKit Compression
-
-**Enable BuildKit:**
-```bash
-export DOCKER_BUILDKIT=1
-docker build --squash -t myapp:latest .
-```
-
-**Build with compression:**
-```bash
-docker build --compress -t myapp:latest .
-```
-
-### Squash Layers (Advanced)
-
-**Flatten layers:**
-```bash
-docker build --squash -t myapp:latest .
-```
-
-**Note:** Squashing can reduce cache effectiveness.
-
-## Distroless Images
-
-### Using Distroless
-
-**Java:**
-```dockerfile
-FROM gcr.io/distroless/java17-debian12
-COPY target/app.jar /app.jar
-CMD ["app.jar"]
-```
-
-**Python:**
-```dockerfile
-FROM gcr.io/distroless/python3-debian12
-COPY --from=builder /app /app
-WORKDIR /app
-CMD ["app.py"]
-```
-
-**Node.js:**
-```dockerfile
-FROM gcr.io/distroless/nodejs20-debian12
-COPY --from=builder /app /app
-WORKDIR /app
-CMD ["index.js"]
-```
-
-**Static binaries:**
-```dockerfile
-FROM gcr.io/distroless/static-debian12
-COPY --from=builder /app/myapp /
-CMD ["/myapp"]
-```
-
-## Optimization Checklist
-
-### Base Image
-- [ ] Use minimal base image (alpine, slim, distroless)
-- [ ] Use specific version tags, not `latest`
-- [ ] Consider distroless for production
-
-### Dockerfile Structure
-- [ ] Use multi-stage builds
-- [ ] Order layers by change frequency
-- [ ] Combine RUN commands
-- [ ] Clean up in same layer
-
-### Dependencies
-- [ ] Install only required packages
-- [ ] Use `--no-install-recommends` (apt)
-- [ ] Use `--no-cache` (apk)
-- [ ] Remove package manager cache
-- [ ] Remove build dependencies after use
-
-### Files
-- [ ] Create .dockerignore file
-- [ ] Exclude development files
-- [ ] Exclude documentation
-- [ ] Don't include .git directory
-
-### Security & Best Practices
-- [ ] Run as non-root user
-- [ ] Don't include secrets
-- [ ] Update packages during build
-- [ ] Use specific versions
-
-## Measurement
-
-### Compare Image Sizes
-
-```bash
-# Build original
-docker build -t myapp:old -f Dockerfile.old .
-
-# Build optimized
-docker build -t myapp:new -f Dockerfile.new .
-
-# Compare
-docker images | grep myapp
-```
-
-### Analyze Layer Sizes
-
-```bash
-# Detailed history
-docker history myapp:old --no-trunc
-docker history myapp:new --no-trunc
-
-# Compare with dive
-dive myapp:old
-dive myapp:new
-```
-
-### Calculate Savings
-
-```bash
-# Simple calculation
-OLD_SIZE=$(docker images myapp:old --format "{{.Size}}")
-NEW_SIZE=$(docker images myapp:new --format "{{.Size}}")
-echo "Old: $OLD_SIZE, New: $NEW_SIZE"
-```
-
-## Real-World Examples
-
-### Python Flask App
-
-**Before (500 MB):**
-```dockerfile
-FROM python:3.11
-WORKDIR /app
-COPY . .
-RUN pip install -r requirements.txt
-CMD ["python", "app.py"]
-```
-
-**After (50 MB):**
-```dockerfile
-FROM python:3.11-slim AS builder
-WORKDIR /app
-COPY requirements.txt .
-RUN pip install --user --no-cache-dir -r requirements.txt
-
-FROM python:3.11-slim
-WORKDIR /app
-COPY --from=builder /root/.local /root/.local
-COPY app.py .
-ENV PATH=/root/.local/bin:$PATH
-CMD ["python", "app.py"]
-```
-
-### Node.js React App
-
-**Before (1.2 GB):**
-```dockerfile
-FROM node:20
-WORKDIR /app
-COPY . .
-RUN npm install
-RUN npm run build
-CMD ["npm", "start"]
-```
-
-**After (100 MB):**
-```dockerfile
-FROM node:20-alpine AS builder
-WORKDIR /app
-COPY package*.json ./
-RUN npm ci
-COPY . .
-RUN npm run build
-
-FROM nginx:alpine
-COPY --from=builder /app/build /usr/share/nginx/html
-EXPOSE 80
-CMD ["nginx", "-g", "daemon off;"]
-```
-
-### Go Microservice
-
-**Before (800 MB):**
-```dockerfile
-FROM golang:1.21
-WORKDIR /app
-COPY . .
-RUN go build -o myapp
-CMD ["/app/myapp"]
-```
-
-**After (10 MB):**
-```dockerfile
-FROM golang:1.21-alpine AS builder
-WORKDIR /app
-COPY go.* ./
-RUN go mod download
-COPY . .
-RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o myapp
-
-FROM scratch
-COPY --from=builder /app/myapp /
-CMD ["/myapp"]
-```
-
-## Advanced Techniques
-
-### Link-Time Optimization
-
-**Go:**
-```dockerfile
-RUN CGO_ENABLED=0 go build -ldflags="-w -s" -o myapp
-# -w: Omit debug info
-# -s: Omit symbol table
-```
-
-**Rust:**
-```dockerfile
-RUN cargo build --release
-RUN strip target/release/myapp
-```
-
-### Use BuildKit Cache Mounts
-
-```dockerfile
-# syntax=docker/dockerfile:1
-FROM golang:1.21-alpine
-WORKDIR /app
-COPY go.* ./
-RUN --mount=type=cache,target=/go/pkg/mod \
- go mod download
-COPY . .
-RUN --mount=type=cache,target=/go/pkg/mod \
- --mount=type=cache,target=/root/.cache/go-build \
- go build -o myapp
-```
-
-## Common Mistakes
-
-### Mistake 1: Installing Dev Dependencies
-
-```dockerfile
-# Bad
-RUN npm install
-
-# Good
-RUN npm ci --only=production
-```
-
-### Mistake 2: Not Using .dockerignore
-
-```dockerfile
-# Without .dockerignore: copies everything including node_modules, .git
-COPY . .
-
-# With .dockerignore: copies only needed files
-COPY . . # But .dockerignore excludes unnecessary files
-```
-
-### Mistake 3: Cleaning Up in Different Layer
-
-```dockerfile
-# Bad: file remains in earlier layer
-RUN wget large-file.tar.gz
-RUN rm large-file.tar.gz
-
-# Good: cleanup in same layer
-RUN wget large-file.tar.gz && \
- tar -xzf large-file.tar.gz && \
- rm large-file.tar.gz
-```
-
-### Mistake 4: Using `latest` Tag
-
-```dockerfile
-# Bad: unpredictable, may break
-FROM alpine:latest
-
-# Good: specific, reproducible
-FROM alpine:3.19
-```
-
-## Output Format
-
-After optimization:
-```
-✓ Image optimized successfully
- Image: myapp:latest
-
- Size reduction:
- Before: 850 MB
- After: 45 MB
- Savings: 805 MB (94.7%)
-
- Layers:
- Before: 15 layers
- After: 5 layers
-
- Optimizations applied:
- - Changed base image: python:3.11 → python:3.11-slim
- - Added multi-stage build
- - Combined RUN commands (4 → 1)
- - Removed package cache
- - Added .dockerignore (excluded 250 MB)
-
- Build time:
- Before: 3m 45s
- After: 1m 20s (faster due to better caching)
-
- Next steps:
- - Test optimized image
- - Run security scan
- - Push to registry
-```
-
-## Quick Reference
-
-```bash
-# Analyze image
-docker history myapp:latest
-dive myapp:latest
-
-# Use minimal base images
-FROM alpine:3.19
-FROM python:3.11-slim
-FROM gcr.io/distroless/static-debian12
-
-# Multi-stage build pattern
-FROM golang:1.21-alpine AS builder
-# ... build ...
-FROM scratch
-COPY --from=builder /app/binary /
-
-# Combine and clean up
-RUN apk add --no-cache package && \
- # do work && \
- apk del package
-
-# Use .dockerignore
-.git
-node_modules
-*.md
-```
dots/.config/claude/skills/Docker/workflows/RegistryManage.md
@@ -1,541 +0,0 @@
-# RegistryManage Workflow
-
-Push, pull, and manage container images in registries (Docker Hub, GHCR, private registries).
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
-
-2. **Determine Registry**
- - Docker Hub (docker.io)
- - GitHub Container Registry (ghcr.io)
- - GitLab Container Registry (registry.gitlab.com)
- - Private/self-hosted registry
- - Cloud provider registries (ECR, GCR, ACR)
-
-3. **Authenticate**
- - Login to registry
- - Handle credentials securely
-
-4. **Execute Registry Operation**
- - Push images
- - Pull images
- - Search images
- - Delete images
-
-5. **Verify**
- - Confirm operation success
- - Show image details
-
-## Authentication
-
-### Docker Hub
-
-**Login:**
-```bash
-docker login
-# Or with credentials
-docker login -u username -p password
-
-podman login docker.io
-podman login -u username -p password docker.io
-```
-
-**Logout:**
-```bash
-docker logout
-podman logout docker.io
-```
-
-### GitHub Container Registry
-
-**Login with token:**
-```bash
-echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin
-echo $GITHUB_TOKEN | podman login ghcr.io -u USERNAME --password-stdin
-```
-
-**Login interactive:**
-```bash
-docker login ghcr.io
-podman login ghcr.io
-```
-
-### GitLab Container Registry
-
-**Login:**
-```bash
-docker login registry.gitlab.com -u USERNAME -p $CI_JOB_TOKEN
-podman login registry.gitlab.com -u USERNAME -p $CI_JOB_TOKEN
-```
-
-### Private Registry
-
-**Login to private registry:**
-```bash
-docker login myregistry.example.com
-podman login myregistry.example.com
-```
-
-**With self-signed certificate:**
-```bash
-# Docker: Add to /etc/docker/daemon.json
-{
- "insecure-registries": ["myregistry.example.com:5000"]
-}
-
-# Podman: Use --tls-verify=false (not recommended for production)
-podman login --tls-verify=false myregistry.example.com
-```
-
-### AWS ECR
-
-**Login to ECR:**
-```bash
-aws ecr get-login-password --region us-east-1 | \
- docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
-
-aws ecr get-login-password --region us-east-1 | \
- podman login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com
-```
-
-### Google Container Registry
-
-**Login to GCR:**
-```bash
-gcloud auth configure-docker
-
-# Or manually
-cat keyfile.json | docker login -u _json_key --password-stdin gcr.io
-```
-
-### Azure Container Registry
-
-**Login to ACR:**
-```bash
-az acr login --name myregistry
-
-# Or with service principal
-docker login myregistry.azurecr.io -u $SP_ID -p $SP_PASSWORD
-```
-
-## Push Images
-
-### Tag for Registry
-
-**Tag image for registry:**
-```bash
-docker tag myapp:latest myregistry/myapp:latest
-docker tag myapp:latest myregistry/myapp:v1.0.0
-
-podman tag myapp:latest myregistry/myapp:latest
-podman tag myapp:latest myregistry/myapp:v1.0.0
-```
-
-**Tag for Docker Hub:**
-```bash
-docker tag myapp:latest username/myapp:latest
-podman tag myapp:latest docker.io/username/myapp:latest
-```
-
-**Tag for GHCR:**
-```bash
-docker tag myapp:latest ghcr.io/username/myapp:latest
-podman tag myapp:latest ghcr.io/username/myapp:latest
-```
-
-### Push to Registry
-
-**Push image:**
-```bash
-docker push myregistry/myapp:latest
-podman push myregistry/myapp:latest
-```
-
-**Push all tags:**
-```bash
-docker push --all-tags myregistry/myapp
-podman push --all-tags myregistry/myapp
-```
-
-**Push with digest:**
-```bash
-docker push myregistry/myapp:latest
-# Returns: latest: digest: sha256:abc123... size: 1234
-
-podman push myregistry/myapp:latest
-```
-
-## Pull Images
-
-### Pull from Registry
-
-**Pull latest:**
-```bash
-docker pull myregistry/myapp:latest
-podman pull myregistry/myapp:latest
-```
-
-**Pull specific tag:**
-```bash
-docker pull myregistry/myapp:v1.0.0
-podman pull myregistry/myapp:v1.0.0
-```
-
-**Pull by digest:**
-```bash
-docker pull myregistry/myapp@sha256:abc123...
-podman pull myregistry/myapp@sha256:abc123...
-```
-
-**Pull all tags:**
-```bash
-docker pull --all-tags myregistry/myapp
-podman pull --all-tags myregistry/myapp
-```
-
-**Pull for specific platform:**
-```bash
-docker pull --platform linux/arm64 myregistry/myapp:latest
-podman pull --arch arm64 myregistry/myapp:latest
-```
-
-## Search Images
-
-### Docker Hub Search
-
-**Search Docker Hub:**
-```bash
-docker search nginx
-docker search --filter "is-official=true" nginx
-docker search --filter "stars=100" nginx
-
-podman search nginx
-podman search --filter=stars=100 nginx
-```
-
-### List Tags
-
-**Using registry API:**
-```bash
-# List tags (requires curl/skopeo)
-curl https://registry.hub.docker.com/v2/repositories/library/nginx/tags
-
-# With skopeo
-skopeo list-tags docker://docker.io/nginx
-skopeo list-tags docker://ghcr.io/username/myapp
-```
-
-**Podman:**
-```bash
-podman search --list-tags docker.io/nginx
-```
-
-## Inspect Remote Images
-
-### Without Pulling
-
-**Inspect with skopeo:**
-```bash
-# Install skopeo if needed
-skopeo inspect docker://myregistry/myapp:latest
-skopeo inspect docker://ghcr.io/username/myapp:latest
-
-# Show specific field
-skopeo inspect docker://myapp:latest | jq '.Layers'
-```
-
-**Inspect manifest:**
-```bash
-# Docker
-docker manifest inspect myregistry/myapp:latest
-
-# Podman
-podman manifest inspect myregistry/myapp:latest
-
-# Skopeo
-skopeo inspect --raw docker://myregistry/myapp:latest
-```
-
-## Delete Images from Registry
-
-### Docker Hub
-
-**Delete via web interface or API:**
-```bash
-# Using Docker Hub API (requires token)
-curl -X DELETE \
- -H "Authorization: JWT $TOKEN" \
- https://hub.docker.com/v2/repositories/username/myapp/tags/latest/
-```
-
-### GitHub Container Registry
-
-**Delete with GitHub CLI:**
-```bash
-gh api -X DELETE /user/packages/container/myapp/versions/VERSION_ID
-```
-
-### Private Registry
-
-**Using registry API:**
-```bash
-# Get digest
-DIGEST=$(skopeo inspect docker://myregistry/myapp:latest | jq -r '.Digest')
-
-# Delete by digest
-curl -X DELETE https://myregistry/v2/myapp/manifests/$DIGEST
-```
-
-**Podman:**
-```bash
-podman image rm myregistry/myapp:latest
-# Note: This only removes locally, not from registry
-```
-
-## Copy Between Registries
-
-### Using skopeo
-
-**Copy image between registries:**
-```bash
-# Copy from Docker Hub to GHCR
-skopeo copy \
- docker://docker.io/username/myapp:latest \
- docker://ghcr.io/username/myapp:latest
-
-# Copy with authentication
-skopeo copy \
- --src-creds username:password \
- --dest-creds username:token \
- docker://registry1.com/myapp:latest \
- docker://registry2.com/myapp:latest
-```
-
-**Copy all tags:**
-```bash
-skopeo sync \
- --src docker --dest docker \
- username/myapp \
- ghcr.io/username/
-```
-
-### Using Docker/Podman
-
-**Pull, tag, push:**
-```bash
-docker pull registry1.com/myapp:latest
-docker tag registry1.com/myapp:latest registry2.com/myapp:latest
-docker push registry2.com/myapp:latest
-```
-
-## Manage Credentials
-
-### Docker
-
-**Credentials stored in:**
-```bash
-~/.docker/config.json
-```
-
-**Use credential helper:**
-```bash
-# Install credential helper
-# For Linux: docker-credential-secretservice
-# For macOS: docker-credential-osxkeychain
-# For Windows: docker-credential-wincred
-
-# Configure in ~/.docker/config.json
-{
- "credsStore": "secretservice"
-}
-```
-
-### Podman
-
-**Credentials stored in:**
-```bash
-# Rootless
-$XDG_RUNTIME_DIR/containers/auth.json
-
-# Rootful
-/run/containers/0/auth.json
-```
-
-**View stored credentials:**
-```bash
-cat ${XDG_RUNTIME_DIR}/containers/auth.json | jq
-```
-
-## Registry Configuration
-
-### Docker Daemon
-
-**Configure in /etc/docker/daemon.json:**
-```json
-{
- "insecure-registries": ["myregistry.local:5000"],
- "registry-mirrors": ["https://mirror.example.com"],
- "max-concurrent-downloads": 3,
- "max-concurrent-uploads": 5
-}
-```
-
-### Podman
-
-**Configure in /etc/containers/registries.conf:**
-```toml
-[registries.search]
-registries = ['docker.io', 'ghcr.io']
-
-[registries.insecure]
-registries = ['myregistry.local:5000']
-
-[[registry]]
-location = "docker.io"
-[[registry.mirror]]
-location = "mirror.example.com"
-```
-
-## Run Local Registry
-
-### Docker
-
-**Start local registry:**
-```bash
-docker run -d -p 5000:5000 --name registry registry:2
-
-# With persistence
-docker run -d -p 5000:5000 \
- --name registry \
- -v registry-data:/var/lib/registry \
- registry:2
-
-# With authentication
-docker run -d -p 5000:5000 \
- --name registry \
- -v registry-data:/var/lib/registry \
- -v $(pwd)/auth:/auth \
- -e REGISTRY_AUTH=htpasswd \
- -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
- -e REGISTRY_AUTH_HTPASSWD_REALM="Registry Realm" \
- registry:2
-```
-
-**Use local registry:**
-```bash
-docker tag myapp:latest localhost:5000/myapp:latest
-docker push localhost:5000/myapp:latest
-```
-
-### Podman
-
-**Start local registry:**
-```bash
-podman run -d -p 5000:5000 --name registry docker.io/library/registry:2
-```
-
-## Best Practices
-
-### Tagging Strategy
-
-- Use semantic versioning: `v1.2.3`
-- Tag with git commit SHA: `abc123`
-- Tag with build date: `2024-01-15`
-- Always tag `latest` for current production
-- Tag stable releases: `stable`
-
-### Security
-
-- Use credential helpers, not plain text
-- Rotate access tokens regularly
-- Use least privilege access
-- Scan images before pushing
-- Sign images with Docker Content Trust / Cosign
-
-### Optimization
-
-- Use multi-stage builds to reduce size
-- Push during off-peak hours for large images
-- Use registry mirrors for faster pulls
-- Enable layer compression
-
-### Naming Conventions
-
-```
-registry.example.com/project/app:version
-ghcr.io/username/myapp:v1.0.0
-docker.io/library/nginx:1.25-alpine
-```
-
-## Common Issues
-
-**Issue**: Authentication failed
-- Check credentials
-- Verify token hasn't expired
-- Ensure proper permissions
-
-**Issue**: Push denied
-- Check repository permissions
-- Verify namespace/organization access
-- May need to create repository first
-
-**Issue**: Image not found
-- Check image name and tag
-- Verify registry URL
-- Ensure image was pushed successfully
-
-**Issue**: TLS certificate error
-- Add registry to insecure registries (not recommended)
-- Install proper CA certificates
-- Use `--tls-verify=false` for testing only
-
-**Issue**: Rate limit exceeded (Docker Hub)
-- Login to increase limit
-- Use registry mirror
-- Upgrade to paid plan
-
-## Output Format
-
-After registry operation:
-```
-✓ Image pushed successfully
- Runtime: docker/podman
- Image: ghcr.io/username/myapp:latest
- Registry: ghcr.io
- Size: 125 MB
- Digest: sha256:abc123...
-
- Tags pushed:
- - latest
- - v1.0.0
- - 2024-01-15
-
- Pull command:
- docker pull ghcr.io/username/myapp:latest
-
- Verify:
- skopeo inspect docker://ghcr.io/username/myapp:latest
-```
-
-## Quick Reference
-
-```bash
-# Login
-docker login ghcr.io
-podman login ghcr.io
-
-# Tag and push
-docker tag myapp:latest ghcr.io/username/myapp:latest
-docker push ghcr.io/username/myapp:latest
-
-# Pull
-docker pull ghcr.io/username/myapp:latest
-
-# Inspect remote image (skopeo)
-skopeo inspect docker://ghcr.io/username/myapp:latest
-
-# Copy between registries (skopeo)
-skopeo copy docker://src/image:tag docker://dest/image:tag
-```
dots/.config/claude/skills/Docker/workflows/Run.md
@@ -0,0 +1,1140 @@
+# Run Workflow
+
+Manage container lifecycle, debug running containers, and orchestrate multi-container applications with Docker Compose.
+
+## Quick Start
+
+**Common run patterns:**
+```bash
+# Start a container
+docker run -d --name myapp -p 8080:80 myapp:latest
+
+# Start with logs following
+docker run -d --name myapp myapp:latest && docker logs -f myapp
+
+# Start and enter shell
+docker run -it --name myapp myapp:latest /bin/bash
+
+# Start all services from compose file
+docker-compose up -d
+
+# Check running containers
+docker ps
+
+# View container logs
+docker logs myapp
+
+# Open shell in running container
+docker exec -it myapp /bin/bash
+```
+
+**Runtime detection:**
+All commands show both Docker and Podman variants. Use `DetectRuntime.sh` to determine which is available.
+
+## Container Lifecycle
+
+### Starting Containers
+
+**Basic run:**
+```bash
+docker run -d --name myapp -p 8080:80 myapp:latest
+podman run -d --name myapp -p 8080:80 myapp:latest
+```
+
+**With environment variables:**
+```bash
+docker run -d --name myapp -e DATABASE_URL=postgres://db/myapp -e DEBUG=true myapp:latest
+podman run -d --name myapp -e DATABASE_URL=postgres://db/myapp myapp:latest
+```
+
+**With volume mount:**
+```bash
+docker run -d --name myapp -v /host/path:/container/path myapp:latest
+podman run -d --name myapp -v /host/path:/container/path myapp:latest
+```
+
+**Interactive mode:**
+```bash
+docker run -it --name myapp myapp:latest /bin/bash
+podman run -it --name myapp myapp:latest /bin/bash
+```
+
+**With resource limits:**
+```bash
+# Memory limit
+docker run -d --name myapp --memory 512m myapp:latest
+
+# CPU limit
+docker run -d --name myapp --cpus 1.5 myapp:latest
+
+# Combined limits
+docker run -d --name myapp --memory 512m --cpus 1.0 myapp:latest
+```
+
+### Restart Policies
+
+**Always restart:**
+```bash
+docker run -d --restart always --name myapp myapp:latest
+```
+
+**Restart on failure:**
+```bash
+docker run -d --restart on-failure:5 --name myapp myapp:latest
+```
+
+**No restart:**
+```bash
+docker run -d --restart no --name myapp myapp:latest
+```
+
+**Unless stopped:**
+```bash
+docker run -d --restart unless-stopped --name myapp myapp:latest
+```
+
+### Listing Containers
+
+**Show running containers:**
+```bash
+docker ps
+podman ps
+```
+
+**Show all containers (including stopped):**
+```bash
+docker ps -a
+podman ps -a
+```
+
+**Format output:**
+```bash
+docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
+podman ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
+```
+
+### Stopping and Restarting
+
+**Stop container gracefully:**
+```bash
+docker stop myapp
+podman stop myapp
+```
+
+**Stop with custom timeout:**
+```bash
+docker stop -t 30 myapp
+podman stop -t 30 myapp
+```
+
+**Restart container:**
+```bash
+docker restart myapp
+podman restart myapp
+```
+
+**Kill container forcefully:**
+```bash
+docker kill myapp
+podman kill myapp
+```
+
+### Removing Containers
+
+**Remove stopped container:**
+```bash
+docker rm myapp
+podman rm myapp
+```
+
+**Force remove running container:**
+```bash
+docker rm -f myapp
+podman rm -f myapp
+```
+
+**Remove all stopped containers:**
+```bash
+docker container prune
+podman container prune
+```
+
+**Remove with confirmation:**
+```bash
+docker container prune -f
+```
+
+### Inspecting Containers
+
+**Show detailed information:**
+```bash
+docker inspect myapp
+podman inspect myapp
+```
+
+**Get specific field:**
+```bash
+# Container status
+docker inspect -f '{{.State.Status}}' myapp
+
+# IP address
+docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' myapp
+
+# Exit code
+docker inspect -f '{{.State.ExitCode}}' myapp
+
+# Environment variables
+docker inspect -f '{{.Config.Env}}' myapp
+
+# Mounts
+docker inspect -f '{{.Mounts}}' myapp
+
+# Ports
+docker inspect -f '{{.NetworkSettings.Ports}}' myapp
+```
+
+**Show resource usage:**
+```bash
+docker stats myapp
+podman stats myapp
+```
+
+## Debugging Containers
+
+### Viewing Logs
+
+**Show container logs:**
+```bash
+docker logs myapp
+podman logs myapp
+```
+
+**Follow logs (real-time):**
+```bash
+docker logs -f myapp
+podman logs -f myapp
+```
+
+**Show last N lines:**
+```bash
+docker logs --tail 100 myapp
+podman logs --tail 100 myapp
+```
+
+**Show logs with timestamps:**
+```bash
+docker logs -t myapp
+podman logs -t myapp
+```
+
+**Show logs since specific time:**
+```bash
+docker logs --since 2024-01-01T10:00:00 myapp
+docker logs --since 1h myapp
+podman logs --since 1h myapp
+```
+
+**Search logs:**
+```bash
+docker logs myapp 2>&1 | grep ERROR
+docker logs myapp 2>&1 | grep -i "connection failed"
+podman logs myapp 2>&1 | grep ERROR
+```
+
+### Executing Commands
+
+**Open shell in running container:**
+```bash
+docker exec -it myapp /bin/bash
+docker exec -it myapp /bin/sh # if bash not available
+podman exec -it myapp /bin/bash
+```
+
+**Run specific command:**
+```bash
+docker exec myapp ls -la /app
+docker exec myapp ps aux
+docker exec myapp cat /etc/os-release
+podman exec myapp env
+```
+
+**Run as specific user:**
+```bash
+docker exec -u www-data -it myapp bash
+docker exec -u 0 -it myapp bash # run as root
+podman exec -u 1000 -it myapp bash
+```
+
+**Set environment variables:**
+```bash
+docker exec -e DEBUG=true myapp python script.py
+podman exec -e DEBUG=true myapp python script.py
+```
+
+### Monitoring Resources
+
+**Real-time stats:**
+```bash
+docker stats myapp
+podman stats myapp
+```
+
+**All containers stats:**
+```bash
+docker stats
+podman stats
+```
+
+**Stats without streaming:**
+```bash
+docker stats --no-stream
+podman stats --no-stream
+```
+
+**Format output:**
+```bash
+docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}"
+```
+
+**List processes in container:**
+```bash
+docker top myapp
+docker top myapp aux
+podman top myapp
+```
+
+### Checking Container Health
+
+**If healthcheck configured:**
+```bash
+docker inspect -f '{{.State.Health.Status}}' myapp
+docker inspect -f '{{json .State.Health}}' myapp | jq
+```
+
+### Network Debugging
+
+**Check container IP:**
+```bash
+docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' myapp
+```
+
+**List networks:**
+```bash
+docker network ls
+podman network ls
+```
+
+**Inspect network:**
+```bash
+docker network inspect bridge
+podman network inspect podman
+```
+
+**Test connectivity from container:**
+```bash
+docker exec myapp ping google.com
+docker exec myapp curl http://api.example.com
+docker exec myapp nc -zv database 5432
+```
+
+**Check DNS resolution:**
+```bash
+docker exec myapp nslookup database
+docker exec myapp cat /etc/resolv.conf
+```
+
+**Port mapping:**
+```bash
+docker port myapp
+podman port myapp
+```
+
+**Test from host to container:**
+```bash
+# Get container IP
+IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' myapp)
+ping $IP
+curl http://$IP:8080
+```
+
+### Filesystem Debugging
+
+**Copy files from container:**
+```bash
+docker cp myapp:/path/to/file ./local/path
+podman cp myapp:/path/to/file ./local/path
+```
+
+**Copy files to container:**
+```bash
+docker cp ./local/file myapp:/path/to/destination
+podman cp ./local/file myapp:/path/to/destination
+```
+
+**Check disk usage:**
+```bash
+docker exec myapp df -h
+docker exec myapp du -sh /var/log
+```
+
+**View file contents:**
+```bash
+docker exec myapp cat /etc/config.yml
+docker exec myapp tail -f /var/log/app.log
+```
+
+### Container Events
+
+**Watch events:**
+```bash
+docker events
+podman events
+```
+
+**Filter events for specific container:**
+```bash
+docker events --filter container=myapp
+podman events --filter container=myapp
+```
+
+**Filter by event type:**
+```bash
+docker events --filter event=start
+docker events --filter event=die
+```
+
+### Troubleshooting Crashes
+
+**Check exit code:**
+```bash
+docker inspect -f '{{.State.ExitCode}}' myapp
+```
+
+**Common exit codes:**
+- 0: Success
+- 1: Application error
+- 126: Command cannot be invoked
+- 127: Command not found
+- 137: SIGKILL (killed by system, often OOM)
+- 139: SIGSEGV (segmentation fault)
+- 143: SIGTERM (graceful termination)
+
+**Check if OOM killed:**
+```bash
+docker inspect -f '{{.State.OOMKilled}}' myapp
+dmesg | grep -i oom
+```
+
+**Run interactively to debug:**
+```bash
+docker run -it --entrypoint /bin/bash myapp:latest
+```
+
+### Advanced Debugging
+
+**Attach to container (see STDOUT/STDERR):**
+```bash
+docker attach myapp
+# Detach: Ctrl+P, Ctrl+Q
+```
+
+**Export container filesystem:**
+```bash
+docker export myapp > container.tar
+tar -xf container.tar
+```
+
+**Commit container state:**
+```bash
+docker commit myapp debug_snapshot:latest
+```
+
+**Trace system calls:**
+```bash
+docker exec myapp strace -p 1
+```
+
+## Docker Compose
+
+### Compose File Structure
+
+**Basic compose.yml:**
+```yaml
+version: '3.8'
+
+services:
+ web:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ ports:
+ - "8080:80"
+ environment:
+ - DATABASE_URL=postgres://db/myapp
+ depends_on:
+ - db
+ networks:
+ - app-network
+ volumes:
+ - ./app:/app
+ restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+
+ db:
+ image: postgres:16-alpine
+ environment:
+ - POSTGRES_DB=myapp
+ - POSTGRES_PASSWORD_FILE=/run/secrets/db_password
+ volumes:
+ - db-data:/var/lib/postgresql/data
+ networks:
+ - app-network
+ secrets:
+ - db_password
+
+networks:
+ app-network:
+ driver: bridge
+
+volumes:
+ db-data:
+
+secrets:
+ db_password:
+ file: ./secrets/db_password.txt
+```
+
+### Starting Services
+
+**Start all services:**
+```bash
+docker-compose up -d
+docker compose up -d
+podman-compose up -d
+```
+
+**Start specific service:**
+```bash
+docker-compose up -d web
+docker compose up -d web
+podman-compose up -d web
+```
+
+**Start with build:**
+```bash
+docker-compose up -d --build
+docker compose up -d --build
+podman-compose up -d --build
+```
+
+**Start with specific file:**
+```bash
+docker-compose -f docker-compose.prod.yml up -d
+docker compose -f docker-compose.prod.yml up -d
+podman-compose -f docker-compose.prod.yml up -d
+```
+
+**Use multiple compose files:**
+```bash
+docker-compose -f docker-compose.yml -f docker-compose.dev.yml up -d
+```
+
+### Stopping Services
+
+**Stop all services:**
+```bash
+docker-compose down
+docker compose down
+podman-compose down
+```
+
+**Stop and remove volumes:**
+```bash
+docker-compose down -v
+docker compose down -v
+podman-compose down -v
+```
+
+**Stop specific service:**
+```bash
+docker-compose stop web
+docker compose stop web
+podman-compose stop web
+```
+
+### Viewing Status and Logs
+
+**List running services:**
+```bash
+docker-compose ps
+docker compose ps
+podman-compose ps
+```
+
+**View logs:**
+```bash
+docker-compose logs
+docker compose logs
+podman-compose logs
+```
+
+**Follow logs:**
+```bash
+docker-compose logs -f
+docker compose logs -f
+podman-compose logs -f
+```
+
+**Logs for specific service:**
+```bash
+docker-compose logs -f web
+docker compose logs web
+podman-compose logs web
+```
+
+**Last N lines:**
+```bash
+docker-compose logs --tail 50 web
+```
+
+### Building Services
+
+**Build all services:**
+```bash
+docker-compose build
+docker compose build
+podman-compose build
+```
+
+**Build specific service:**
+```bash
+docker-compose build web
+docker compose build web
+podman-compose build web
+```
+
+**Build with no cache:**
+```bash
+docker-compose build --no-cache
+docker compose build --no-cache
+podman-compose build --no-cache
+```
+
+### Scaling Services
+
+**Scale service to multiple instances:**
+```bash
+docker-compose up -d --scale web=3
+docker compose up -d --scale web=3
+podman-compose up -d --scale web=3
+```
+
+### Executing Commands
+
+**Run command in service:**
+```bash
+docker-compose exec web bash
+docker compose exec web bash
+podman-compose exec web bash
+```
+
+**Run one-off command:**
+```bash
+docker-compose run web python manage.py migrate
+docker compose run web python manage.py migrate
+podman-compose run web python manage.py migrate
+```
+
+**Run without starting dependencies:**
+```bash
+docker-compose run --no-deps web python script.py
+```
+
+### Environment Variables
+
+**Using .env file:**
+```bash
+# .env
+DATABASE_URL=postgres://localhost/myapp
+SECRET_KEY=mysecret
+DEBUG=false
+```
+
+**In compose file:**
+```yaml
+services:
+ web:
+ env_file:
+ - .env
+ # Or specific variables
+ environment:
+ - DATABASE_URL=${DATABASE_URL}
+ - DEBUG=${DEBUG:-false}
+```
+
+**Important notes:**
+- .env file must be in same directory as compose file
+- Use `KEY=value` format (no quotes needed)
+- Variables can have defaults: `${VAR:-default}`
+
+### Networking in Compose
+
+**Services communicate by service name:**
+```yaml
+services:
+ web:
+ environment:
+ - DATABASE_URL=postgres://db:5432/myapp # 'db' is service name
+ db:
+ image: postgres:16-alpine
+```
+
+**Custom networks:**
+```yaml
+services:
+ web:
+ networks:
+ - frontend
+ - backend
+
+ db:
+ networks:
+ - backend
+
+networks:
+ frontend:
+ backend:
+ driver: bridge
+```
+
+### Volumes in Compose
+
+**Named volumes:**
+```yaml
+services:
+ db:
+ volumes:
+ - db-data:/var/lib/postgresql/data
+
+volumes:
+ db-data:
+```
+
+**Bind mounts:**
+```yaml
+services:
+ web:
+ volumes:
+ - ./app:/app
+ - ./config:/etc/app:ro # read-only
+```
+
+**Volume management:**
+```bash
+# List volumes
+docker volume ls
+
+# Inspect volume
+docker volume inspect projectname_db-data
+
+# Remove unused volumes
+docker volume prune
+```
+
+### Profiles
+
+**Define profiles:**
+```yaml
+services:
+ web:
+ # Always runs
+
+ debug:
+ profiles: ["debug"]
+ # Only runs with --profile debug
+
+ test:
+ profiles: ["testing"]
+```
+
+**Use profiles:**
+```bash
+docker-compose --profile debug up -d
+docker compose --profile debug up -d
+podman-compose --profile debug up -d
+```
+
+### Override Files
+
+**docker-compose.override.yml automatically loaded:**
+```bash
+# Automatically uses docker-compose.yml + docker-compose.override.yml
+docker-compose up -d
+```
+
+**Explicit override:**
+```bash
+docker-compose -f docker-compose.yml -f docker-compose.dev.yml up -d
+```
+
+### Resource Limits
+
+```yaml
+services:
+ web:
+ deploy:
+ resources:
+ limits:
+ cpus: '0.5'
+ memory: 512M
+ reservations:
+ cpus: '0.25'
+ memory: 256M
+```
+
+## Podman-Specific Features
+
+### Rootless Containers
+
+**Run rootless (default in Podman):**
+```bash
+podman run -d --name myapp myapp:latest
+```
+
+**Check if rootless:**
+```bash
+podman info --format '{{.Host.Security.Rootless}}'
+```
+
+**Troubleshoot rootless:**
+```bash
+# Check subuid/subgid
+cat /etc/subuid
+cat /etc/subgid
+
+# Migrate storage if needed
+podman system migrate
+```
+
+### Systemd Integration
+
+**Generate systemd unit file:**
+```bash
+podman generate systemd --name myapp > ~/.config/systemd/user/myapp.service
+
+# Enable and start service
+systemctl --user enable --now myapp.service
+```
+
+**Generate from compose:**
+```bash
+# Start services with podman-compose
+podman-compose up -d
+
+# Get pod name
+podman pod ps
+
+# Generate systemd unit
+podman generate systemd --name mypod_pod --files
+
+# Move to systemd directory
+mv *.service ~/.config/systemd/user/
+
+# Enable
+systemctl --user enable --now mypod_pod.service
+```
+
+### Pods (Kubernetes-like)
+
+**Create pod:**
+```bash
+podman pod create --name mypod -p 8080:80
+```
+
+**Add container to pod:**
+```bash
+podman run -d --pod mypod --name myapp myapp:latest
+```
+
+**List pods:**
+```bash
+podman pod ps
+```
+
+**Inspect pod:**
+```bash
+podman pod inspect mypod
+```
+
+**Stop entire pod:**
+```bash
+podman pod stop mypod
+```
+
+**Pod logs:**
+```bash
+podman pod logs mypod
+```
+
+**Generate Kubernetes YAML:**
+```bash
+podman generate kube mypod > pod.yaml
+```
+
+## Best Practices
+
+### Container Naming
+- Use descriptive names that indicate purpose
+- Follow consistent naming convention (e.g., `project-service-env`)
+- Avoid generic names like "app" or "container"
+
+### Resource Management
+- Always set memory limits for production: `--memory 512m`
+- Set CPU limits to prevent resource hogging: `--cpus 1.5`
+- Use health checks: `--health-cmd "curl -f http://localhost/health"`
+- Monitor resource usage with `docker stats`
+
+### Security
+- Run as non-root when possible (Podman rootless by default)
+- Use read-only filesystem when applicable: `--read-only`
+- Drop unnecessary capabilities: `--cap-drop ALL`
+- Use security profiles: `--security-opt`
+- Don't expose unnecessary ports
+- Use secrets for sensitive data (compose)
+
+### Networking
+- Use service names for inter-container communication
+- Limit exposed ports to necessary ones only
+- Use custom networks to isolate services
+- Avoid `network_mode: host` in production
+
+### Volumes and Persistence
+- Use named volumes for data persistence
+- Back up volumes regularly
+- Use read-only mounts when data shouldn't change
+- Clean up unused volumes: `docker volume prune`
+
+### Compose Files
+- Use specific image tags (not `latest`)
+- Define health checks for all services
+- Specify restart policies
+- Use `.env` files for environment-specific config
+- Define resource limits
+- Document dependencies with `depends_on`
+- Use secrets for sensitive data
+
+### Development vs Production
+- Use override files for environment differences
+- Keep production configs minimal and secure
+- Use profiles for optional services
+- Separate build and runtime concerns
+
+## Troubleshooting
+
+### Container Exits Immediately
+
+**Diagnosis:**
+```bash
+# Check exit code
+docker inspect -f '{{.State.ExitCode}}' myapp
+
+# Check logs
+docker logs myapp
+
+# Run interactively
+docker run -it --entrypoint /bin/bash myapp:latest
+```
+
+**Common causes:**
+- Application error (check logs)
+- Missing command in Dockerfile
+- Configuration issue
+- OOM kill (exit code 137)
+
+### Port Already in Use
+
+**Diagnosis:**
+```bash
+# Check what's using port
+lsof -i :8080
+ss -tlnp | grep 8080
+
+# Check container port mappings
+docker port myapp
+```
+
+**Solutions:**
+- Use different host port: `-p 8081:80`
+- Stop conflicting service
+- Remove old container: `docker rm -f old-container`
+
+### Permission Denied
+
+**Docker:**
+```bash
+# Add user to docker group
+sudo usermod -aG docker $USER
+# Then logout and login again
+```
+
+**Podman:**
+```bash
+# Check if rootless
+podman info --format '{{.Host.Security.Rootless}}'
+
+# Check subuid/subgid
+cat /etc/subuid
+cat /etc/subgid
+```
+
+**Container filesystem:**
+```bash
+# Check file permissions
+docker exec myapp ls -la /app
+
+# Run as root to fix
+docker exec -u 0 -it myapp bash
+```
+
+### Cannot Connect to Container
+
+**Diagnosis:**
+```bash
+# Check if container is running
+docker ps
+
+# Check port mapping
+docker port myapp
+
+# Get container IP
+docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' myapp
+
+# Test from host
+curl http://localhost:8080
+```
+
+**Check network:**
+```bash
+docker network inspect bridge
+docker exec myapp ip addr
+docker exec myapp netstat -tlnp
+```
+
+### Memory/CPU Issues
+
+**Check resources:**
+```bash
+docker stats myapp
+docker stats --no-stream
+```
+
+**Check if OOM killed:**
+```bash
+docker inspect -f '{{.State.OOMKilled}}' myapp
+dmesg | grep -i oom
+```
+
+**Set appropriate limits:**
+```bash
+docker run -d --memory="1g" --cpus="2.0" --name myapp myapp:latest
+```
+
+### Volume/Mount Issues
+
+**Check mounts:**
+```bash
+docker inspect -f '{{json .Mounts}}' myapp | jq
+```
+
+**Verify volume:**
+```bash
+docker volume ls
+docker volume inspect volume_name
+```
+
+**Check permissions:**
+```bash
+docker exec myapp ls -la /mounted/path
+```
+
+**Common causes:**
+- Wrong path (bind mount)
+- Permission issues (SELinux, user permissions)
+- Volume not created
+- Path doesn't exist in container
+
+### Compose Issues
+
+**Compose file not found:**
+```bash
+# Specify file explicitly
+docker-compose -f /path/to/docker-compose.yml up -d
+```
+
+**Services can't communicate:**
+- Ensure services are on same network
+- Use service names as hostnames (not IPs)
+- Check network configuration in compose file
+
+**Environment variables not loading:**
+- Verify .env file is in same directory as compose file
+- Check variable syntax: `KEY=value` (no quotes)
+- Don't use `.env` for secrets in production
+
+**Version not supported:**
+- Use version 3.8 or omit version for modern compose
+- Check compose tool version: `docker-compose --version`
+
+### Network Connectivity
+
+**DNS not resolving:**
+```bash
+docker exec myapp cat /etc/resolv.conf
+docker exec myapp nslookup google.com
+```
+
+**Can't reach other containers:**
+```bash
+docker exec myapp ping other-container
+docker network inspect bridge
+```
+
+**Can't reach outside:**
+```bash
+docker exec myapp ping 8.8.8.8
+docker exec myapp curl https://google.com
+```
+
+## Quick Reference
+
+**Container lifecycle:**
+```bash
+docker run -d --name myapp myapp:latest # Start
+docker ps # List running
+docker stop myapp # Stop
+docker restart myapp # Restart
+docker rm myapp # Remove
+```
+
+**Debugging:**
+```bash
+docker logs -f myapp # Follow logs
+docker exec -it myapp bash # Get shell
+docker inspect myapp # Full details
+docker stats myapp # Resource usage
+docker top myapp # Processes
+docker port myapp # Port mappings
+```
+
+**Compose:**
+```bash
+docker-compose up -d # Start all
+docker-compose ps # List services
+docker-compose logs -f # Follow logs
+docker-compose exec web bash # Exec in service
+docker-compose down # Stop all
+```
dots/.config/claude/skills/Docker/workflows/SecurityScan.md
@@ -1,631 +0,0 @@
-# SecurityScan Workflow
-
-Scan container images for security vulnerabilities, misconfigurations, and best practice violations.
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
-
-2. **Select Scanning Tool**
- - Trivy (recommended, comprehensive)
- - Docker Scout (built-in Docker)
- - Grype (Anchore)
- - Clair
- - Snyk
-
-3. **Scan Image**
- - Scan for vulnerabilities (CVEs)
- - Check for secrets
- - Analyze configuration
- - Check for malware
-
-4. **Review Results**
- - Categorize findings by severity
- - Identify actionable items
- - Generate report
-
-5. **Remediate**
- - Update base images
- - Patch dependencies
- - Remove secrets
- - Fix misconfigurations
-
-## Trivy (Recommended)
-
-### Installation
-
-```bash
-# Using package manager
-# Debian/Ubuntu
-sudo apt install trivy
-
-# Fedora/RHEL
-sudo dnf install trivy
-
-# macOS
-brew install trivy
-
-# Or use container
-alias trivy="docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy"
-```
-
-### Scan Images
-
-**Basic scan:**
-```bash
-trivy image myapp:latest
-trivy image nginx:latest
-```
-
-**Scan with specific severity:**
-```bash
-trivy image --severity HIGH,CRITICAL myapp:latest
-```
-
-**Scan for specific vulnerability types:**
-```bash
-# OS packages only
-trivy image --vuln-type os myapp:latest
-
-# Application dependencies only
-trivy image --vuln-type library myapp:latest
-
-# Both
-trivy image --vuln-type os,library myapp:latest
-```
-
-**Output formats:**
-```bash
-# Table (default)
-trivy image myapp:latest
-
-# JSON
-trivy image -f json myapp:latest
-
-# SARIF (for GitHub)
-trivy image -f sarif -o results.sarif myapp:latest
-
-# Template
-trivy image -f template --template "@contrib/html.tpl" -o report.html myapp:latest
-```
-
-**Scan filesystem:**
-```bash
-trivy fs /path/to/project
-trivy fs --security-checks vuln,secret,config .
-```
-
-**Scan Dockerfile:**
-```bash
-trivy config Dockerfile
-```
-
-**Scan Kubernetes manifests:**
-```bash
-trivy config deployment.yaml
-```
-
-### Advanced Trivy
-
-**Ignore unfixed vulnerabilities:**
-```bash
-trivy image --ignore-unfixed myapp:latest
-```
-
-**Use .trivyignore file:**
-```bash
-# .trivyignore
-CVE-2023-1234
-CVE-2023-5678
-```
-
-**Scan with cache:**
-```bash
-trivy image --cache-dir /tmp/trivy myapp:latest
-```
-
-**Exit with error on vulnerabilities:**
-```bash
-trivy image --exit-code 1 --severity CRITICAL myapp:latest
-```
-
-**Scan remote image:**
-```bash
-trivy image ghcr.io/username/myapp:latest
-```
-
-## Docker Scout (Built-in)
-
-### Enable Docker Scout
-
-```bash
-# Login
-docker login
-
-# Enable Scout
-docker scout enroll
-```
-
-### Scan Images
-
-**Quick scan:**
-```bash
-docker scout quickview myapp:latest
-```
-
-**CVE scan:**
-```bash
-docker scout cves myapp:latest
-```
-
-**Show only fixable:**
-```bash
-docker scout cves --only-fixed myapp:latest
-```
-
-**Compare images:**
-```bash
-docker scout compare myapp:old myapp:new
-```
-
-**Recommendations:**
-```bash
-docker scout recommendations myapp:latest
-```
-
-**Export to SARIF:**
-```bash
-docker scout cves --format sarif myapp:latest > results.sarif
-```
-
-## Grype (Anchore)
-
-### Installation
-
-```bash
-# Using package manager
-brew install grype
-
-# Or download binary
-curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh
-
-# Or use container
-alias grype="docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/grype"
-```
-
-### Scan Images
-
-**Basic scan:**
-```bash
-grype myapp:latest
-```
-
-**Scan with specific severity:**
-```bash
-grype myapp:latest --only-fixed
-grype myapp:latest --fail-on critical
-```
-
-**Output formats:**
-```bash
-grype -o json myapp:latest
-grype -o table myapp:latest
-grype -o cyclonedx myapp:latest
-```
-
-## Snyk Container
-
-### Installation
-
-```bash
-# Install Snyk CLI
-npm install -g snyk
-
-# Or use binary
-curl -O https://static.snyk.io/cli/latest/snyk-linux
-chmod +x snyk-linux
-mv snyk-linux /usr/local/bin/snyk
-
-# Authenticate
-snyk auth
-```
-
-### Scan Images
-
-**Scan image:**
-```bash
-snyk container test myapp:latest
-```
-
-**Monitor for vulnerabilities:**
-```bash
-snyk container monitor myapp:latest
-```
-
-**Test and generate report:**
-```bash
-snyk container test myapp:latest --json-file-output=results.json
-```
-
-## Clair
-
-### Using Clair
-
-**Run Clair server:**
-```bash
-docker run -p 6060:6060 -p 6061:6061 -d --name clair quay.io/coreos/clair:latest
-```
-
-**Scan with clairctl:**
-```bash
-clairctl analyze myapp:latest
-clairctl report myapp:latest
-```
-
-## Secret Scanning
-
-### Trivy Secret Scan
-
-**Scan for secrets:**
-```bash
-trivy fs --security-checks secret .
-trivy image --security-checks secret myapp:latest
-```
-
-### TruffleHog
-
-```bash
-# Install
-pip install truffleHog
-
-# Scan filesystem
-trufflehog filesystem /path/to/project
-
-# Scan container image
-docker save myapp:latest | trufflehog
-```
-
-### git-secrets
-
-```bash
-# Install
-git clone https://github.com/awslabs/git-secrets.git
-cd git-secrets && make install
-
-# Scan
-git secrets --scan
-```
-
-## Configuration Scanning
-
-### Hadolint (Dockerfile Linter)
-
-**Install:**
-```bash
-brew install hadolint
-
-# Or use container
-docker run --rm -i hadolint/hadolint < Dockerfile
-```
-
-**Scan Dockerfile:**
-```bash
-hadolint Dockerfile
-hadolint --ignore DL3008 Dockerfile # Ignore specific rule
-```
-
-### Docker Bench Security
-
-**Run security audit:**
-```bash
-docker run --rm --net host --pid host --userns host --cap-add audit_control \
- -v /var/lib:/var/lib \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v /etc:/etc \
- --label docker_bench_security \
- docker/docker-bench-security
-```
-
-## CI/CD Integration
-
-### GitHub Actions
-
-```yaml
-name: Container Scan
-
-on: [push, pull_request]
-
-jobs:
- scan:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v3
-
- - name: Build image
- run: docker build -t myapp:${{ github.sha }} .
-
- - name: Run Trivy scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: myapp:${{ github.sha }}
- format: 'sarif'
- output: 'trivy-results.sarif'
-
- - name: Upload Trivy results to GitHub Security
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
-```
-
-### GitLab CI
-
-```yaml
-container_scan:
- image: aquasec/trivy:latest
- script:
- - trivy image --format json --output results.json myapp:latest
- artifacts:
- reports:
- container_scanning: results.json
-```
-
-### Jenkins
-
-```groovy
-pipeline {
- agent any
- stages {
- stage('Build') {
- steps {
- sh 'docker build -t myapp:latest .'
- }
- }
- stage('Security Scan') {
- steps {
- sh 'trivy image --exit-code 1 --severity CRITICAL myapp:latest'
- }
- }
- }
-}
-```
-
-## Best Practices
-
-### Regular Scanning
-
-- Scan during build
-- Scan before push
-- Scan in CI/CD pipeline
-- Scan running containers periodically
-- Monitor for new vulnerabilities
-
-### Prioritization
-
-1. **Critical**: Fix immediately
-2. **High**: Fix within 1 week
-3. **Medium**: Fix within 1 month
-4. **Low**: Fix when convenient
-
-### Base Image Selection
-
-```dockerfile
-# Prefer minimal base images
-FROM alpine:3.19
-FROM debian:bookworm-slim
-FROM gcr.io/distroless/static-debian12
-
-# Avoid
-FROM ubuntu:latest # Too large, "latest" is unpredictable
-```
-
-### Multi-stage Builds
-
-```dockerfile
-# Build stage with more tools
-FROM golang:1.21 AS builder
-WORKDIR /src
-COPY . .
-RUN go build -o app
-
-# Runtime stage with minimal image
-FROM gcr.io/distroless/static-debian12
-COPY --from=builder /src/app /app
-ENTRYPOINT ["/app"]
-```
-
-### Keep Images Updated
-
-```bash
-# Update base images regularly
-docker pull alpine:3.19
-docker build --no-cache -t myapp:latest .
-```
-
-### Don't Ignore Vulnerabilities
-
-- Understand each vulnerability
-- Check if it applies to your use case
-- Document why ignoring (if appropriate)
-- Revisit ignored vulnerabilities periodically
-
-## Interpreting Results
-
-### Vulnerability Severity
-
-**CVSS Score:**
-- **Critical** (9.0-10.0): Immediate action required
-- **High** (7.0-8.9): Fix soon
-- **Medium** (4.0-6.9): Schedule fix
-- **Low** (0.1-3.9): Fix opportunistically
-
-### False Positives
-
-**Common scenarios:**
-- Vulnerability in unused code path
-- Vulnerability requires conditions that don't exist
-- Already mitigated at runtime
-
-**Handle false positives:**
-```bash
-# Document in .trivyignore
-echo "CVE-2023-1234 # False positive: feature not used" >> .trivyignore
-```
-
-## Remediation Strategies
-
-### Update Dependencies
-
-**For OS packages:**
-```dockerfile
-# Update packages during build
-RUN apt-get update && \
- apt-get upgrade -y && \
- rm -rf /var/lib/apt/lists/*
-```
-
-**For application dependencies:**
-```dockerfile
-# Update Go dependencies
-RUN go get -u && go mod tidy
-
-# Update Node dependencies
-RUN npm update
-
-# Update Python dependencies
-RUN pip install --upgrade -r requirements.txt
-```
-
-### Use Specific Versions
-
-```dockerfile
-# Bad: unpredictable
-FROM python:latest
-
-# Good: specific and minimal
-FROM python:3.11-slim-bookworm
-```
-
-### Remove Unnecessary Packages
-
-```dockerfile
-# Install only what's needed
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- package1 \
- package2 && \
- rm -rf /var/lib/apt/lists/*
-```
-
-### Use Distroless Images
-
-```dockerfile
-FROM gcr.io/distroless/python3-debian12
-COPY --from=builder /app /app
-CMD ["/app/main.py"]
-```
-
-## Common Vulnerabilities
-
-### Secrets in Images
-
-**Problem:**
-```dockerfile
-# Bad: secrets in image
-ENV API_KEY="secret123"
-COPY .env /app/.env
-```
-
-**Solution:**
-```dockerfile
-# Good: secrets at runtime
-# Use environment variables or secrets management
-```
-
-### Running as Root
-
-**Problem:**
-```dockerfile
-# Bad: default user is root
-CMD ["/app"]
-```
-
-**Solution:**
-```dockerfile
-# Good: create and use non-root user
-RUN adduser -D -u 1000 appuser
-USER appuser
-CMD ["/app"]
-```
-
-### Exposed Sensitive Ports
-
-**Check for:**
-- Database ports (3306, 5432)
-- Admin interfaces
-- Debug ports
-
-### Old Base Images
-
-**Problem:**
-```dockerfile
-FROM ubuntu:18.04 # EOL, no security updates
-```
-
-**Solution:**
-```dockerfile
-FROM ubuntu:22.04 # Supported LTS version
-```
-
-## Output Format
-
-After security scan:
-```
-✓ Security scan completed
- Image: myapp:latest
- Scanner: Trivy
-
- Vulnerabilities found:
- Critical: 2
- High: 5
- Medium: 12
- Low: 8
-
- Top issues:
- 1. CVE-2023-1234 (Critical) - OpenSSL vulnerability
- Fix: Update to openssl 3.0.10
- 2. CVE-2023-5678 (High) - curl buffer overflow
- Fix: Update to curl 8.1.2
-
- Secrets found: 0
- Misconfigurations: 3
-
- Recommendations:
- - Update base image from alpine:3.17 to alpine:3.19
- - Remove unnecessary package: wget
- - Add non-root user
-
- Full report: results.json
-```
-
-## Quick Reference
-
-```bash
-# Trivy
-trivy image myapp:latest
-trivy image --severity CRITICAL,HIGH myapp:latest
-trivy fs --security-checks vuln,secret,config .
-
-# Docker Scout
-docker scout cves myapp:latest
-docker scout quickview myapp:latest
-
-# Grype
-grype myapp:latest
-
-# Snyk
-snyk container test myapp:latest
-
-# Hadolint (Dockerfile)
-hadolint Dockerfile
-```
dots/.config/claude/skills/Docker/workflows/VolumeManage.md
@@ -1,610 +0,0 @@
-# VolumeManage Workflow
-
-Create, manage, and troubleshoot persistent storage volumes for containers.
-
-## Process
-
-1. **Detect Runtime**
- - Run `DetectRuntime.sh` to determine Docker/Podman
-
-2. **Determine Volume Operation**
- - List volumes
- - Create volume
- - Mount volume to container
- - Inspect volume
- - Backup/restore volume
- - Remove volume
-
-3. **Execute Volume Command**
- - Run appropriate volume command
- - Configure volume settings
-
-4. **Verify Configuration**
- - Check volume exists
- - Verify data persistence
-
-## Types of Persistent Storage
-
-### Named Volumes (Recommended)
-
-**Managed by Docker/Podman:**
-- Stored in Docker/Podman-managed location
-- Easy to backup and migrate
-- Work across platforms
-- Best for most use cases
-
-### Bind Mounts
-
-**Direct host path mapping:**
-- Mount specific host directory
-- Useful for development
-- Direct file access from host
-- Platform-specific paths
-
-### tmpfs Mounts (Linux only)
-
-**In-memory storage:**
-- Stored in host memory
-- Not persisted to disk
-- Fast but temporary
-- Good for sensitive data
-
-## List Volumes
-
-**Show all volumes:**
-```bash
-docker volume ls
-podman volume ls
-```
-
-**Filter volumes:**
-```bash
-# By name
-docker volume ls --filter name=myapp
-podman volume ls --filter name=myapp
-
-# By driver
-docker volume ls --filter driver=local
-podman volume ls --filter driver=local
-
-# Dangling (not attached to container)
-docker volume ls --filter dangling=true
-podman volume ls --filter dangling=true
-```
-
-## Create Volumes
-
-### Named Volumes
-
-**Create volume:**
-```bash
-docker volume create myvolume
-podman volume create myvolume
-```
-
-**Create with driver options:**
-```bash
-docker volume create \
- --driver local \
- --opt type=nfs \
- --opt o=addr=192.168.1.1,rw \
- --opt device=:/path/to/dir \
- nfs-volume
-```
-
-**Create with labels:**
-```bash
-docker volume create \
- --label project=myapp \
- --label environment=production \
- myvolume
-
-podman volume create \
- --label project=myapp \
- myvolume
-```
-
-## Mount Volumes
-
-### Named Volume Mount
-
-**Mount to container:**
-```bash
-docker run -v myvolume:/data myapp
-docker run --mount source=myvolume,target=/data myapp
-
-podman run -v myvolume:/data myapp
-podman run --mount type=volume,source=myvolume,target=/data myapp
-```
-
-**Mount read-only:**
-```bash
-docker run -v myvolume:/data:ro myapp
-docker run --mount source=myvolume,target=/data,readonly myapp
-
-podman run -v myvolume:/data:ro myapp
-```
-
-**Mount with specific options:**
-```bash
-docker run --mount type=volume,source=myvolume,target=/data,volume-opt=o=size=100m myapp
-```
-
-### Bind Mount
-
-**Mount host directory:**
-```bash
-docker run -v /host/path:/container/path myapp
-docker run --mount type=bind,source=/host/path,target=/container/path myapp
-
-podman run -v /host/path:/container/path myapp
-podman run --mount type=bind,source=/host/path,target=/container/path myapp
-```
-
-**Bind mount read-only:**
-```bash
-docker run -v /host/path:/container/path:ro myapp
-podman run -v /host/path:/container/path:ro myapp
-```
-
-**Bind mount with propagation:**
-```bash
-# Shared propagation
-docker run -v /host/path:/container/path:shared myapp
-
-# Private propagation (default)
-docker run -v /host/path:/container/path:private myapp
-
-# Slave propagation
-docker run -v /host/path:/container/path:slave myapp
-```
-
-### tmpfs Mount
-
-**Create tmpfs mount:**
-```bash
-docker run --tmpfs /app/cache myapp
-docker run --mount type=tmpfs,target=/app/cache myapp
-
-podman run --tmpfs /app/cache myapp
-```
-
-**With size limit:**
-```bash
-docker run --tmpfs /app/cache:size=100m myapp
-docker run --mount type=tmpfs,target=/app/cache,tmpfs-size=100m myapp
-```
-
-## Inspect Volumes
-
-**View volume details:**
-```bash
-docker volume inspect myvolume
-podman volume inspect myvolume
-```
-
-**Get specific field:**
-```bash
-# Get mountpoint
-docker volume inspect -f '{{.Mountpoint}}' myvolume
-podman volume inspect -f '{{.Mountpoint}}' myvolume
-
-# Get driver
-docker volume inspect -f '{{.Driver}}' myvolume
-
-# Get labels
-docker volume inspect -f '{{.Labels}}' myvolume
-```
-
-**JSON output with jq:**
-```bash
-docker volume inspect myvolume | jq '.[0].Mountpoint'
-podman volume inspect myvolume | jq '.[] | .Mountpoint'
-```
-
-## Remove Volumes
-
-**Remove volume:**
-```bash
-docker volume rm myvolume
-podman volume rm myvolume
-```
-
-**Force remove (if in use):**
-```bash
-docker volume rm -f myvolume
-podman volume rm -f myvolume
-```
-
-**Remove multiple volumes:**
-```bash
-docker volume rm volume1 volume2 volume3
-podman volume rm volume1 volume2 volume3
-```
-
-**Remove all unused volumes:**
-```bash
-docker volume prune
-podman volume prune
-```
-
-**Filter and remove:**
-```bash
-# Remove dangling volumes
-docker volume prune --filter "dangling=true"
-
-# Remove volumes with specific label
-docker volume prune --filter "label=project=old"
-```
-
-## Backup and Restore
-
-### Backup Volume
-
-**Backup to tar archive:**
-```bash
-# Create temporary container to backup volume
-docker run --rm \
- -v myvolume:/data \
- -v $(pwd):/backup \
- alpine \
- tar czf /backup/myvolume-backup.tar.gz -C /data .
-
-podman run --rm \
- -v myvolume:/data \
- -v $(pwd):/backup \
- alpine \
- tar czf /backup/myvolume-backup.tar.gz -C /data .
-```
-
-**Backup with timestamp:**
-```bash
-TIMESTAMP=$(date +%Y%m%d_%H%M%S)
-docker run --rm \
- -v myvolume:/data \
- -v $(pwd):/backup \
- alpine \
- tar czf /backup/myvolume-${TIMESTAMP}.tar.gz -C /data .
-```
-
-### Restore Volume
-
-**Restore from tar archive:**
-```bash
-# Create volume if it doesn't exist
-docker volume create myvolume
-
-# Restore data
-docker run --rm \
- -v myvolume:/data \
- -v $(pwd):/backup \
- alpine \
- tar xzf /backup/myvolume-backup.tar.gz -C /data
-
-podman run --rm \
- -v myvolume:/data \
- -v $(pwd):/backup \
- alpine \
- tar xzf /backup/myvolume-backup.tar.gz -C /data
-```
-
-### Copy Between Volumes
-
-**Copy data from one volume to another:**
-```bash
-docker run --rm \
- -v source-volume:/source:ro \
- -v dest-volume:/dest \
- alpine \
- cp -av /source/. /dest/
-```
-
-### Export Volume to Host
-
-**Copy volume contents to host:**
-```bash
-docker run --rm \
- -v myvolume:/data \
- -v $(pwd)/export:/export \
- alpine \
- cp -av /data/. /export/
-```
-
-## Access Volume Data
-
-### Direct Access (Advanced)
-
-**Find volume location:**
-```bash
-# Docker (requires root)
-docker volume inspect -f '{{.Mountpoint}}' myvolume
-# Usually: /var/lib/docker/volumes/myvolume/_data
-
-# Podman (rootless)
-podman volume inspect -f '{{.Mountpoint}}' myvolume
-# Usually: ~/.local/share/containers/storage/volumes/myvolume/_data
-```
-
-**Access data directly (requires appropriate permissions):**
-```bash
-# Docker (requires root)
-sudo ls -la $(docker volume inspect -f '{{.Mountpoint}}' myvolume)
-
-# Podman (rootless)
-ls -la $(podman volume inspect -f '{{.Mountpoint}}' myvolume)
-```
-
-### Use Helper Container
-
-**Browse volume contents:**
-```bash
-docker run -it --rm \
- -v myvolume:/data \
- alpine \
- sh
-
-# Now you can explore /data
-```
-
-## Volume Drivers
-
-### Local Driver (Default)
-
-**Standard local storage:**
-```bash
-docker volume create --driver local myvolume
-```
-
-**With options:**
-```bash
-docker volume create \
- --driver local \
- --opt type=none \
- --opt device=/path/to/host/dir \
- --opt o=bind \
- myvolume
-```
-
-### NFS Driver
-
-**Create NFS volume:**
-```bash
-docker volume create \
- --driver local \
- --opt type=nfs \
- --opt o=addr=192.168.1.100,rw,nfsvers=4 \
- --opt device=:/exported/path \
- nfs-volume
-```
-
-### Third-Party Drivers
-
-**Examples of available drivers:**
-- REX-Ray (cloud storage)
-- Convoy
-- Flocker
-- GlusterFS
-- NetApp
-
-## Containers and Volumes
-
-### Check Volume Usage
-
-**Find containers using a volume:**
-```bash
-docker ps -a --filter volume=myvolume
-podman ps -a --filter volume=myvolume
-```
-
-**List volumes used by container:**
-```bash
-docker inspect -f '{{range .Mounts}}{{.Name}} {{.Destination}}{{"\n"}}{{end}}' container_name
-podman inspect -f '{{range .Mounts}}{{.Name}} {{.Destination}}{{"\n"}}{{end}}' container_name
-```
-
-### Anonymous Volumes
-
-**Created automatically:**
-```dockerfile
-# In Dockerfile
-VOLUME /data
-```
-
-**When running:**
-```bash
-docker run -v /data myapp # Creates anonymous volume
-```
-
-**List anonymous volumes:**
-```bash
-docker volume ls --filter dangling=true
-```
-
-## Docker Compose Volumes
-
-### Define Volumes
-
-```yaml
-version: '3.8'
-
-services:
- web:
- image: nginx
- volumes:
- - html-data:/usr/share/nginx/html
- - ./config:/etc/nginx/conf.d:ro
- - type: tmpfs
- target: /tmp
-
- db:
- image: postgres
- volumes:
- - postgres-data:/var/lib/postgresql/data
-
-volumes:
- html-data:
- postgres-data:
- driver: local
- driver_opts:
- type: none
- device: /path/to/host/dir
- o: bind
-```
-
-### External Volumes
-
-```yaml
-volumes:
- external-vol:
- external: true
- name: my-existing-volume
-```
-
-## Best Practices
-
-### When to Use Named Volumes
-
-- Database data
-- Application state
-- Uploaded files
-- Configuration that persists
-
-### When to Use Bind Mounts
-
-- Development (live code reload)
-- Configuration files (from host)
-- Log file access
-- Sharing files with host
-
-### When to Use tmpfs
-
-- Temporary files
-- Cache
-- Sensitive data (not persisted)
-- Session storage
-
-### Volume Naming
-
-- Use descriptive names: `postgres-data`, `app-uploads`
-- Include app name: `myapp-database`, `myapp-cache`
-- Use labels for organization
-- Consistent naming convention
-
-### Security
-
-- Use read-only mounts when possible
-- Limit bind mount scope
-- Don't mount sensitive host directories
-- Use appropriate permissions
-- Consider using secrets for sensitive data
-
-### Performance
-
-- Named volumes are faster than bind mounts on macOS/Windows
-- Use tmpfs for frequently accessed temporary data
-- Place volumes on fast storage
-- Consider volume drivers for distributed storage
-
-## Common Issues
-
-**Issue**: Permission denied in container
-- **Cause**: User ID mismatch between host and container
-- **Solution**:
- ```bash
- # Run container as specific user
- docker run --user $(id -u):$(id -g) -v myvolume:/data myapp
-
- # Or fix permissions in container
- docker run --rm -v myvolume:/data alpine chown -R 1000:1000 /data
- ```
-
-**Issue**: Volume data disappeared
-- **Cause**: Used anonymous volume or removed volume
-- **Solution**: Always use named volumes for persistent data
-
-**Issue**: Cannot remove volume
-- **Cause**: Container still using it
-- **Solution**: Remove container first or use `docker volume rm -f`
-
-**Issue**: Bind mount not updating (macOS/Windows)
-- **Cause**: File sync delay in Docker Desktop
-- **Solution**: Use named volumes or configure file sharing
-
-**Issue**: Volume full
-- **Check size**:
- ```bash
- docker run --rm -v myvolume:/data alpine du -sh /data
- ```
-- **Clean up**: Remove unnecessary files or increase volume size
-
-## Podman-Specific Volumes
-
-### Rootless Volumes
-
-**Location:**
-```bash
-~/.local/share/containers/storage/volumes/
-```
-
-### Import/Export
-
-**Export volume:**
-```bash
-podman volume export myvolume > myvolume.tar
-```
-
-**Import volume:**
-```bash
-podman volume import myvolume < myvolume.tar
-```
-
-## Output Format
-
-After volume operation:
-```
-✓ Volume created successfully
- Runtime: docker/podman
- Name: myapp-data
- Driver: local
- Mountpoint: /var/lib/docker/volumes/myapp-data/_data
-
- Mount to container:
- docker run -v myapp-data:/data myapp
-
- Backup volume:
- docker run --rm -v myapp-data:/data -v $(pwd):/backup alpine tar czf /backup/backup.tar.gz -C /data .
-
- Inspect:
- docker volume inspect myapp-data
-```
-
-## Quick Reference
-
-```bash
-# Create volume
-docker volume create myvolume
-
-# List volumes
-docker volume ls
-
-# Inspect volume
-docker volume inspect myvolume
-
-# Mount to container
-docker run -v myvolume:/data myapp
-
-# Bind mount
-docker run -v /host/path:/container/path myapp
-
-# Backup volume
-docker run --rm -v myvolume:/data -v $(pwd):/backup alpine tar czf /backup/backup.tar.gz -C /data .
-
-# Restore volume
-docker run --rm -v myvolume:/data -v $(pwd):/backup alpine tar xzf /backup/backup.tar.gz -C /data
-
-# Remove volume
-docker volume rm myvolume
-
-# Clean up unused volumes
-docker volume prune
-```
dots/.config/claude/skills/Docker/SKILL.md
@@ -20,17 +20,10 @@ Comprehensive container management using Docker or Podman with intelligent runti
| Workflow | Trigger | File |
|----------|---------|------|
-| **BuildImage** | "build docker image", "create dockerfile", "build container image" | `workflows/BuildImage.md` |
-| **ManageContainers** | "start container", "stop container", "container status", "list containers" | `workflows/ManageContainers.md` |
-| **ComposeManage** | "docker compose", "compose up", "manage compose services" | `workflows/ComposeManage.md` |
-| **CleanupResources** | "clean docker", "remove unused images", "prune containers" | `workflows/CleanupResources.md` |
-| **DebugContainer** | "container logs", "exec into container", "debug container" | `workflows/DebugContainer.md` |
-| **BuildMultiArch** | "build arm image", "multi-arch build", "cross-platform image" | `workflows/BuildMultiArch.md` |
-| **RegistryManage** | "push image", "pull image", "login to registry" | `workflows/RegistryManage.md` |
-| **NetworkManage** | "create network", "list networks", "connect container to network" | `workflows/NetworkManage.md` |
-| **VolumeManage** | "create volume", "list volumes", "mount volume" | `workflows/VolumeManage.md` |
-| **SecurityScan** | "scan image", "check vulnerabilities", "security scan" | `workflows/SecurityScan.md` |
-| **OptimizeImage** | "reduce image size", "optimize dockerfile", "smaller image" | `workflows/OptimizeImage.md` |
+| **Build** | "build docker image", "create dockerfile", "build container image", "build arm image", "multi-arch build", "cross-platform image", "reduce image size", "optimize dockerfile", "smaller image", "buildx", "buildah", "multi-stage build" | `workflows/Build.md` |
+| **Run** | "start container", "stop container", "container status", "list containers", "container logs", "exec into container", "debug container", "docker compose", "compose up", "manage compose services", "restart container", "inspect container", "attach to container" | `workflows/Run.md` |
+| **Infrastructure** | "create network", "list networks", "connect container to network", "create volume", "list volumes", "mount volume", "push image", "pull image", "login to registry", "registry auth", "docker network", "docker volume" | `workflows/Infrastructure.md` |
+| **Maintain** | "clean docker", "remove unused images", "prune containers", "scan image", "check vulnerabilities", "security scan", "trivy", "grype", "docker system prune", "cleanup resources" | `workflows/Maintain.md` |
## Docker vs Podman
@@ -77,7 +70,7 @@ When you mention a specific runtime, the skill will use that runtime exclusively
**Example 1: Build a container image**
```
User: "Build a Docker image from the Dockerfile in the current directory"
-→ Invokes BuildImage workflow
+→ Invokes Build workflow
→ Detects Docker/Podman
→ Builds image with best practices
→ Tags appropriately
@@ -86,7 +79,7 @@ User: "Build a Docker image from the Dockerfile in the current directory"
**Example 2: Debug a running container**
```
User: "Show me the logs for the nginx container"
-→ Invokes DebugContainer workflow
+→ Invokes Run workflow
→ Retrieves and displays logs
→ Offers to exec into container if needed
```
@@ -94,7 +87,7 @@ User: "Show me the logs for the nginx container"
**Example 3: Clean up unused resources**
```
User: "Clean up old Docker images and containers"
-→ Invokes CleanupResources workflow
+→ Invokes Maintain workflow
→ Shows what will be removed
→ Prunes unused resources safely
```
@@ -102,7 +95,7 @@ User: "Clean up old Docker images and containers"
**Example 4: Multi-architecture build**
```
User: "Build this image for both AMD64 and ARM64"
-→ Invokes BuildMultiArch workflow
+→ Invokes Build workflow
→ Sets up buildx/buildah
→ Builds for multiple platforms
→ Pushes to registry with manifest
@@ -111,12 +104,12 @@ User: "Build this image for both AMD64 and ARM64"
**Example 5: Explicit runtime selection**
```
User: "Use Docker to build this image"
-→ Invokes BuildImage workflow
+→ Invokes Build workflow
→ Forces Docker runtime (--runtime docker)
→ Uses Docker-specific features if needed
User: "With Podman, start a rootless container"
-→ Invokes ManageContainers workflow
+→ Invokes Run workflow
→ Forces Podman runtime (--runtime podman)
→ Uses Podman rootless mode
```