What are environment variables in Docker?

Environment variables in Docker configure containers without hardcoding values in images. Multiple ways to set them: (1) Dockerfile ENV instruction: ENV NODE_ENV=production PORT=3000 — baked into the image, available in all containers created from it. Can be overridden at runtime; (2) docker run -e: docker run -e NODE_ENV=production -e DB_URL=mysql://... — set at container creation; (3) docker run --env-file: docker run --env-file .env myapp — read from a file; (4) Docker Compose environment: in compose.yml: environment: - NODE_ENV=production - DB_PASSWORD=${DB_PASSWORD} — supports variable interpolation from the host shell; (5) Docker Compose env_file: env_file: - .env — reads from .env file. ARG vs ENV: ARG is available only during build (--build-arg), not in the running container. ENV is available both during build and at runtime. Security: never put secrets in Dockerfile ENV (they become part of the image layers and are visible with docker inspect or docker history). Use Docker secrets (Swarm), Kubernetes secrets, or a secrets manager (Vault, AWS SSM) for sensitive values. Inspect env vars in a running container: docker exec mycontainer env or docker inspect mycontainer.