docker · mohithshuka · Mar 19, 2026 · Apr 27, 2026 · May 1, 2026 · May 6, 2026
diff --git a/content/get-started/docker-concepts/the-basics/images/container-architecture.png b/content/get-started/docker-concepts/the-basics/images/container-architecture.png
diff --git a/content/get-started/docker-concepts/the-basics/images/containers-vs-vms.png b/content/get-started/docker-concepts/the-basics/images/containers-vs-vms.png
diff --git a/content/get-started/docker-concepts/the-basics/what-is-a-container.md b/content/get-started/docker-concepts/the-basics/what-is-a-container.md
@@ -33,6 +33,8 @@ Here's what makes them awesome. Containers are:
 - Independent. Each container is independently managed. Deleting one container won't affect any others.
 - Portable. Containers can run anywhere! The container that runs on your development machine will work the same way in a data center or anywhere in the cloud!
 
+![Diagram showing three containers (frontend, backend, database) running side by side, each with an isolated filesystem, all sharing the host OS kernel](images/container-architecture.png)
+
 ### Containers versus virtual machines (VMs)
 
 Without getting too deep, a VM is an entire operating system with its own kernel, hardware drivers, programs, and applications. Spinning up a VM only to isolate a single application is a lot of overhead.
@@ -43,6 +45,8 @@ A container is simply an isolated process with all of the files it needs to run.
 >
 > Quite often, you will see containers and VMs used together. As an example, in a cloud environment, the provisioned machines are typically VMs. However, instead of provisioning one machine to run one application, a VM with a container runtime can run multiple containerized applications, increasing resource utilization and reducing costs.
 
+![Diagram comparing virtual machines (each with a full Guest OS) versus containers (sharing the host kernel with no Guest OS overhead)](images/containers-vs-vms.png)
+
 
 ## Try it out
 

diff --git a/content/reference/compose-file/services.md b/content/reference/compose-file/services.md
@@ -1069,7 +1069,7 @@ For more information on `HEALTHCHECK`, see the [Dockerfile reference](/reference
 
 ```yml
 healthcheck:
-  test: ["CMD", "curl", "-f", "http://localhost"]
+  test: ["CMD-SHELL", "curl -f http://localhost || exit 1"]
   interval: 1m30s
   timeout: 10s
   retries: 3
@@ -1085,7 +1085,7 @@ If it's a string, it's equivalent to specifying `CMD-SHELL` followed by that str
 
 ```yml
 # Hit the local web app
-test: ["CMD", "curl", "-f", "http://localhost"]
+test: ["CMD-SHELL", "curl -f http://localhost || exit 1"]
 ```
 
 Using `CMD-SHELL` runs the command configured as a string using the container's default shell
@@ -1922,7 +1922,7 @@ the service's containers.
 
 - `source`: The name of the secret as it exists on the platform.
 - `target`: The name of the file to be mounted in `/run/secrets/` in the
-  service's task container, or absolute path of the file if an alternate location is required. Defaults to `source` if not specified.
+  service's task container. Defaults to `source` if not specified.
 - `uid` and `gid`: The numeric uid or gid that owns the file within
   `/run/secrets/` in the service's task containers.
 - `mode`: The [permissions](https://wintelguy.com/permissions-calc.pl) for the file to be mounted in `/run/secrets/`