Effective debugging of Docker containers
Bug Hunt
Forensic Investigations
If you encounter content during the examination of a Docker container that you would like to look at in more detail, you are faced with a challenge: For good reason, the container's files are strictly separated from the host's files. However, docker supports a cp command that can copy files from running containers to the host. For example, if you suspect that malware has been distributed over a Docker-operated web server after a break-in, you can access these files and put them through in-depth forensics.
In addition to the logs command mentioned before, docker stats is very useful. It continuously displays a container's metrics, such as resource consumption with regard to the CPU, RAM, or the network. Containers running amok can thus be quickly identified and withdrawn from circulation.
Container Inspection
In addition to the many tricks and tips already discussed, Docker itself also offers various helpful information sources. Docker's inspect command is a very powerful tool, which tells you about almost every property of a container.
If you start a container by typing docker, the docker command-line tool contacts the Docker daemon's API. The command for starting a container takes the form of a REST request in JSON format, which the client sends to the server. The server then processes the request and uses the JSON file for internal management of the container.
The file is also updated if the container's state has changed (e.g., because you have connected a new Docker volume to it). The inspect command lets you display this JSON file's contents onscreen, thus opening up a reliable source of information.
Field Info
The State field entry provides information about the container status. If you have exposed ports for the container at startup, the ports are listed in NetworkSettings.Ports. Another practical feature is that the inspect output shows the container's currently connected volumes and their paths on the host filesystem.
The same applies to the container logfile. The Docker daemon logs the output to stdout for each container, so you can access it with the logs command. The container's JSON file stores the automatically generated path to the file with the output to stdout, so you can also access it directly.
By far, however, the most important information in the inspect output is the environment that the container received from the Docker daemon at startup time. It is quite common to influence the container's configuration with the use of environment variables passed to docker run with the -e parameter. In the Dockerfile, these variables can then be processed with the values that have been set accordingly.
If something fails to work when passing in the environment parameters, you can discover from the inspect output which variables were set for the container at startup (Figure 4).
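The following Python sketch is an added example, not code from the original article. It reads docker inspect output, pulls out the fields discussed above (State, NetworkSettings.Ports, Mounts, LogPath, Config.Env), and compares the environment against what you intended to pass with -e. The sample JSON and the DB_* variable names are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the fields discussed above; real
# `docker inspect <container>` output is a JSON array with many more keys.
SAMPLE_INSPECT = """
[{
  "Id": "0123abcd",
  "State": {"Status": "running", "Running": true, "ExitCode": 0},
  "LogPath": "/var/lib/docker/containers/0123abcd/0123abcd-json.log",
  "Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                     "DB_HOST=db.example.internal", "DB_PORT="]},
  "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/webdata/_data",
              "Destination": "/usr/share/nginx/html", "RW": true}],
  "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}],
                                "443/tcp": null}}
}]
"""

def summarize(inspect_json):
    """Return the triage-relevant fields of the first container in the output."""
    c = json.loads(inspect_json)[0]
    ports = {}
    for cport, bindings in (c["NetworkSettings"].get("Ports") or {}).items():
        # A null value means the port is exposed but not published on the host.
        ports[cport] = [f'{b["HostIp"]}:{b["HostPort"]}' for b in bindings or []]
    # Config.Env is a list of KEY=VALUE strings; values may contain "=".
    env = {k: v for k, _, v in (e.partition("=") for e in c["Config"].get("Env") or [])}
    mounts = [(m["Source"], m["Destination"], m["RW"]) for m in c.get("Mounts") or []]
    return {"status": c["State"]["Status"], "log_path": c["LogPath"],
            "ports": ports, "mounts": mounts, "env": env}

def env_problems(expected, actual):
    """Compare the variables you meant to pass with -e against what was set."""
    problems = {}
    for name, value in expected.items():
        if name not in actual:
            problems[name] = "missing"
        elif actual[name] != value:
            problems[name] = f"expected {value!r}, got {actual[name]!r}"
    return problems

if __name__ == "__main__":
    info = summarize(SAMPLE_INSPECT)
    print(info["status"], info["log_path"], info["ports"], info["mounts"])
    wanted = {"DB_HOST": "db.example.internal", "DB_PORT": "5432", "DB_USER": "web"}
    print(env_problems(wanted, info["env"]))
```

On a live host, you would feed summarize() the text printed by docker inspect for the container in question instead of the constructed sample.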