Effective debugging of Docker containers

Bug Hunt

Forensic Investigations

If you encounter content during the examination of a Docker container that you would like to look at in more detail, you are faced with a challenge: for good reason, the container's files are strictly separated from the host's files. However, docker supports a cp command that can copy files from running containers to the host. For example, if you suspect that malware has been distributed over a Docker-operated web server after a break-in, you can copy these files to the host and subject them to in-depth forensic analysis.

In addition to the logs command mentioned before, docker stats is very useful. It continuously displays a container's metrics, such as resource consumption with regard to the CPU, RAM, or the network. Containers running amok can thus be quickly identified and withdrawn from circulation.

Container Inspection

In addition to the many tricks and tips already discussed, Docker itself also offers various helpful information sources. Docker's inspect command is a very powerful tool, which tells you about almost every property of a container.

When you start a container with the docker command, the command-line tool contacts the Docker daemon's API. The command for starting a container takes the form of a REST request in JSON format, which the client sends to the server. The server then processes the request and uses the JSON file for internal management of the container.

The file is also updated when the container's state changes (e.g., because you have connected a new Docker volume to it). The inspect command lets you display this JSON file's contents onscreen, thus opening up a reliable source of information.

Field Info

The State field entry provides information about the container status. If you have exposed ports for the container at startup, the ports are listed in NetworkSettings.Ports. Another practical feature is that the inspect output shows the container's currently connected volumes and their paths on the host filesystem.

The same applies to the container logfile. The Docker daemon logs each container's output to stdout, so you can access it with the logs command. The container's JSON file stores the automatically generated path to the file that holds this stdout output, so you can also access it directly.

By far the most important information in the inspect output, however, is the environment that the container received from the Docker daemon at startup time. It is quite common to influence the container's configuration with the use of environment variables passed to docker run with the -e parameter. In the Dockerfile, these variables can then be processed with the values that have been set accordingly.

If something fails to work when passing in the environment parameters, you can discover from the inspect output which variables were set for the container at startup (Figure 4).

Figure 4: The docker inspect command displays detailed information about the container, such as the connected networks or their current states.
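
The fields described above can be pulled out of the inspect output with a short script. The following is an added example, not code from the original article: it reads JSON in the shape that docker inspect prints and summarizes State, NetworkSettings.Ports, Mounts, LogPath, and Config.Env. The sample data is constructed, and the name-based masking of credential-like variables is an assumed heuristic so that the summary can be shared in a ticket.

```python
import json

# Constructed sample in the shape `docker inspect <container>` prints
# (a JSON array with one object per container); all values are made up.
SAMPLE = """
[{"Id": "0123abcd",
  "State": {"Status": "running", "Running": true, "ExitCode": 0},
  "LogPath": "/var/lib/docker/containers/0123abcd/0123abcd-json.log",
  "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin", "DB_HOST=db.example.internal",
                     "DB_PASSWORD=constructed-value"]},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
              "Destination": "/usr/share/nginx/html", "RW": true}],
  "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
                                "443/tcp": null}}}]
"""

SENSITIVE = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # assumed naming heuristic

def summarize(inspect_json):
    """Return one summary dict per container in `docker inspect` output."""
    out = []
    for c in json.loads(inspect_json):
        ports = []
        # Ports maps "port/proto" to a list of host bindings, or null when
        # the port is exposed but not published.
        for cport, binds in (c.get("NetworkSettings", {}).get("Ports") or {}).items():
            for b in binds or []:
                ports.append(f'{b["HostIp"]}:{b["HostPort"]}->{cport}')
        env = {}
        for item in c.get("Config", {}).get("Env") or []:
            name, _, value = item.partition("=")
            # Mask likely credentials so the summary can be pasted into a ticket.
            env[name] = "<redacted>" if any(s in name.upper() for s in SENSITIVE) else value
        out.append({
            "id": c.get("Id"),
            "status": c.get("State", {}).get("Status"),
            "log_path": c.get("LogPath"),
            "published_ports": ports,
            "mounts": [(m.get("Source"), m.get("Destination"), m.get("RW"))
                       for m in c.get("Mounts") or []],
            "env": env,
        })
    return out

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

On a real host, the output of docker inspect for a container can be passed to summarize() in place of SAMPLE. Anyone with access to the Docker daemon sees the unmasked environment values, so the masking protects only the shared summary.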
