Effective debugging of Docker containers
Bug Hunt
Forensic Investigations
If you encounter content during the examination of a Docker container that you would like to look at in more detail, you are faced with a challenge: For good reason, the container's files are strictly separated from the host's files. However, docker supports a cp command that can copy files from running containers to the host. For example, if you suspect that malware has been distributed over a Docker-operated web server after a break-in, you can access these files and put them through in-depth forensics.
In addition to the logs command mentioned before, docker stats is very useful. It continuously displays a container's metrics, such as resource consumption with regard to the CPU, RAM, or the network. Containers running amok can thus be quickly identified and withdrawn from circulation.
Container Inspection
In addition to the many tricks and tips already discussed, Docker itself also offers various helpful information sources. Docker's inspect command is a very powerful tool, which tells you about almost every property of a container.
If you start a container by typing docker, the docker command-line tool contacts the Docker daemon's API. The command for starting a container takes the form of a REST request in JSON format, which the client sends to the server. The server then processes the request and uses the JSON file for internal management of the container.
The file also is updated if the container's state has changed (i.e., because you have connected a new Docker volume to it). The inspect command lets you display a JSON file's contents onscreen, thus opening up a reliable source of information.
Field Info
The State field entry provides information about the container status. If you have exposed ports for the container at startup, the ports are listed in NetworkSettings.Ports. Another practical feature is that the inspect output shows the container's currently connected volumes and their paths on the host filesystem.
The same applies to the container logfile. The Docker daemon logs the output to stdout for each container, so you can access it with the logs command. The container's JSON file stores the automatically generated path to the file with the output to stdout, so you can also access it directly.
By far, however, the most important information in the inspect output is the environment that the container received from the Docker daemon at startup time. It is quite common to influence the container's configuration with the use of environment variables passed to docker run with the -e parameter. In the Dockerfile, these variables can then be processed with the values that have been set accordingly.
If something fails to work when passing in the environment parameters, you can discover from the inspect output which variables were set for the container at startup (Figure 4).
Figure 4: The docker inspect command displays detailed information about the container, such as the connected networks or their current states.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Dockerizing Legacy Applications
Sooner or later, you'll want to convert your legacy application to a containerized environment. Docker offers the tools for a smooth and efficient transition. -
Application virtualization with Docker
Half-lives of products are becoming shorter and shorter on today's virtualization market. This year, the buzz is all about Docker. -
Keeping the software in Docker containers up to date
Docker has radically changed the way admins roll out their software in many companies. However, regular updates are still needed. How does this work most effectively with containers? -
Minifying container images with DockerSlim
DockerSlim minifies your Docker container images up to 30x and adds security, too. -
More Best Practices for HPC Containers
Best practices for building and running Docker and Singularity containers.