Dock 1

Docker is an open-source platform that automates application deployment and management through containerization, ensuring consistency across environments. It contrasts with virtualization by running isolated applications that share the same OS kernel, leading to lightweight resource usage and faster startup times. Key features include Docker volumes for persistent storage, networking for container communication, multistage builds for smaller images, and Docker Compose for managing multi-container applications.

Uploaded by

Pooja A S

DOCKER

1. DOCKER

Docker is an open-source platform that automates the deployment, scaling, and management of applications
using containerization. Containers are lightweight, standalone packages that include everything needed to
run an application: code, runtime, libraries, and system tools. They ensure consistency across different
environments.

2. DIFFERENCE BETWEEN VIRTUALIZATION AND DOCKERIZATION (CONTAINERIZATION)

| Aspect | Virtualization | Dockerization (Containerization) |
|---|---|---|
| Definition | Runs multiple OS instances on a host using a hypervisor. | Runs multiple isolated applications sharing the same OS kernel. |
| Resource usage | Heavy, each VM has its own OS. | Lightweight, containers share the host OS. |
| Startup time | Takes minutes to start a VM. | Starts in seconds or less. |
| Isolation | Strong isolation via hypervisor. | Lightweight isolation using namespaces & cgroups. |
| Use cases | Running different OSes, full isolation. | Microservices, fast deployment, CI/CD pipelines. |
| Storage | Uses virtual disk images. | Uses layered images and volumes. |

3. DOCKER VOLUME

Docker volumes are persistent storage areas managed by Docker, used to store data outside the container's
writable layer. They help persist data across container restarts or removal.

Types of Docker Volumes:

• Named Volumes:
  o Created and managed by Docker.
  o Stored at /var/lib/docker/volumes/ on Linux hosts.
  o Use: docker volume create my_volume
• Anonymous Volumes:
  o Created when you use -v /path without naming a volume.
  o Docker manages these but they are harder to track.
• Bind Mounts:
  o Directly mount a host directory or file inside a container.
  o Paths can be anywhere on the host.
  o Example: -v /host/path:/container/path

Related Commands:

• docker volume ls — List volumes
• docker volume inspect <volume_name> — Show details
• docker volume rm <volume_name> — Remove volume
• docker run -v my_volume:/data — Attach volume to container

4. DOCKER NETWORKING

Definition:
Docker networking allows containers to communicate with each other, the host, and external networks.

Types with Real-time Examples:

• Bridge Network (default):
  Default network for standalone containers on a single host.
  Example: Two containers communicating on the same host using a user-defined bridge network.
• Host Network:
  Container uses the host’s network stack directly.
  Example: A container running a web server accessible on the host’s IP and port directly.
• Overlay Network:
  Used in Docker Swarm for multi-host container communication.
  Example: Services across multiple Docker hosts in a cluster.
• Macvlan Network:
  Assigns a MAC address to containers, making them appear as physical devices on the network.
  Example: Containers appearing as physical devices in LAN for legacy applications.

Related Commands:

• docker network ls — List all networks
• docker network create <name> — Create a new network
• docker network inspect <network> — Inspect network details
• docker network connect <network> <container> — Connect a container to a network
• docker network disconnect <network> <container> — Disconnect container from network

5. MULTISTAGE BUILD

Definition:
A Dockerfile technique to reduce image size by using multiple FROM statements, copying only necessary
artifacts from earlier stages to the final image.

Step-by-step Workflow with Example:

```dockerfile
# Stage 1: Build stage
FROM golang:1.20 AS builder
WORKDIR /app
COPY . .
# CGO_ENABLED=0 yields a statically linked binary that runs on musl-based Alpine
RUN CGO_ENABLED=0 go build -o myapp

# Stage 2: Final stage
FROM alpine:latest
COPY --from=builder /app/myapp /usr/local/bin/myapp
ENTRYPOINT ["myapp"]
```

Explanation:

• Build the app in the first stage (with Go compiler).
• Copy only the compiled binary to a lightweight Alpine image.
• Result: Small final image without build tools.

What happens?

• Stage 1 (builder):
  Full Go environment compiles the app. This stage contains all build tools and source code.
• Stage 2 (runtime):
  Only the compiled binary from the builder stage is copied into a minimal Alpine image for runtime.

Why two stages?

To keep the final image small and secure, avoiding unnecessary build tools and source files in the runtime
image.

6. DOCKER COMPOSE

Definition:
Docker Compose is a tool to define and run multi-container Docker applications using a YAML file
(docker-compose.yml).

Use Cases:

• Define services, networks, and volumes in one place.
• Start complex apps with a single command.
• Local development with multiple dependent services.

Components included:

• services: Containers to run
• volumes: Persistent storage
• networks: Custom networks

Example:

```yaml
version: "3"
services:
  web:
    image: nginx
    ports:
      - "80:80"
  db:
    image: mysql
    environment:
      MYSQL_ROOT_PASSWORD: example
    volumes:
      - db-data:/var/lib/mysql

volumes:
  db-data:
```

Commands:

• docker-compose up — Start services
• docker-compose down — Stop and remove containers/networks
• docker-compose logs — View logs

7. HOW TO CHECK ERRORS IN DOCKER

• docker logs <container_id> — View container logs
• docker inspect <container_id> — Detailed container info, check error states
• Check Docker daemon logs (sudo journalctl -u docker on Linux)
• Use docker events to monitor real-time events
• Run docker-compose logs for errors in multi-container apps.

8. COMMON TROUBLESHOOTING SCENARIOS IN DOCKER

• Container fails to start (check logs and inspect)
• Port conflicts (check if ports are already in use)
• Volume permission issues (check host directory permissions)
• Network connectivity problems (verify Docker network settings)
• Image pull failures (check Docker registry, authentication)

9. COMMON DOCKER COMMANDS

| Command | Description |
|---|---|
| docker run | Run a container |
| docker ps | List running containers |
| docker ps -a | List all containers (including stopped) |
| docker stop <container> | Stop a running container |
| docker rm <container> | Remove a container |
| docker rmi <image> | Remove an image |
| docker images | List images |
| docker build -t <tag> . | Build an image from Dockerfile |
| docker pull <image> | Pull an image from a registry |
| docker push <image> | Push an image to a registry |
| docker logs <container> | Show logs of a container |
| docker exec -it <container> /bin/bash | Open a shell inside a running container |
| docker volume ls | List volumes |
| docker network ls | List networks |
| docker-compose up | Start multi-container app (docker-compose) |
| docker-compose down | Stop and remove multi-container app |

10. COMMON TROUBLESHOOTING SCENARIOS WITH REAL-TIME EXAMPLES

• Container Fails to Start:
  o Check logs with docker logs <container>
  o Example: App crashes due to missing environment variable.
• Port Conflicts:
  o Error when host port is already in use.
  o Fix by changing host port mapping.
• Volume Permission Issues:
  o Container can't write to mounted volume due to host folder permissions.
  o Fix by adjusting permissions on host folder (chmod, chown).
• Network Connectivity Problems:
  o Containers can't communicate on the expected network.
  o Inspect network settings with docker network inspect <network>.
• Image Pull Failures:
  o Happens due to network issues or authentication failures.
  o Retry or login with docker login.
• High Disk Usage:
  Example: Old images and containers accumulate. Clean with docker system prune.
• Container Stops Unexpectedly:
  Example: Out of memory or resource limits. Check host resources and container limits.

11. REASONS FOR DOCKER IMAGE CREATION FAILURE (WITH EXAMPLES)

1. Incorrect Dockerfile Syntax
  o Example: Misspelled command like FRM ubuntu instead of FROM ubuntu causes build failure.
  o Fix: Double-check Dockerfile syntax and use linters or docker build error messages.
2. Missing Files or Directories in COPY/ADD
  o Example: COPY ./app /app fails if ./app doesn’t exist in the build context.
  o Fix: Ensure all required files are in the build context (folder where docker build is run).
3. Network Issues During Build
  o Example: RUN apt-get update fails because the build host has no internet connection.
  o Fix: Check network connectivity; try offline caching of packages if necessary.
4. Invalid Base Image or Image Not Found
  o Example: FROM nonexistent/image:latest causes failure because the image doesn’t exist on Docker Hub.
  o Fix: Verify the image name and tag; ensure you are logged into private registries if needed.
5. Commands Failing in RUN Step
  o Example: RUN pip install somepackage fails because of a typo or missing dependencies.
  o Fix: Test commands manually; check error output for details.
6. Permission Issues
  o Example: Trying to access files during build without permissions.
  o Fix: Check file permissions; use USER directive carefully.

COMMANDS & FIXES FOR IMAGE CREATION FAILURES

1. Check Dockerfile syntax errors:

docker build . # Check error messages carefully

2. Verify files exist before COPY/ADD:


Make sure your build context folder contains the files or folders mentioned in Dockerfile.
3. Test RUN commands locally:

# For example, test apt-get command inside a container:


docker run -it ubuntu bash
apt-get update

4. Pull base image explicitly:


docker pull ubuntu:latest

5. View container logs to understand failure:

docker logs <container_id or name>

6. Run container with different entrypoint:

docker run --entrypoint /bin/bash <image>

7. Check port conflicts:

sudo lsof -i :80


# Change port mapping if necessary
docker run -p 8080:80 <image>

8. Pass environment variables:

docker run -e DB_HOST=localhost -e DB_PASS=secret <image>

9. Adjust volume permissions:

sudo chown -R 1000:1000 /host/volume/path

11. REASONS FOR CONTAINER NOT RUNNING (WITH EXAMPLES)

1. Incorrect ENTRYPOINT or CMD
  o Example: CMD points to a script that doesn’t exist or is not executable.
  o Fix: Check the command in Dockerfile or override with docker run --entrypoint.
2. Port Conflicts on Host
  o Example: Container tries to bind host port 80, but host already uses it.
  o Fix: Change host port mapping (e.g., -p 8080:80).
3. Missing Environment Variables or Configurations
  o Example: App crashes because DB URL env var is not set.
  o Fix: Pass environment variables with -e or use Docker Compose env files.
4. Resource Constraints
  o Example: Container killed due to exceeding memory limits.
  o Fix: Increase resource limits or optimize app usage.
5. Volume Mount Issues
  o Example: Container cannot write to a mounted volume due to host permissions.
  o Fix: Adjust permissions on the host folder.
6. Application Crashes Immediately
  o Example: App inside container exits due to runtime errors (bad config, missing files).
  o Fix: Check container logs: docker logs <container>.

12. HOW TO SECURE DOCKER (BEST PRACTICES)

1. Use Official and Minimal Base Images
  o A smaller image contains less code that can be vulnerable, which means fewer security risks.
2. Run Containers with Least Privilege
  o Avoid running containers as the root user (set a non-root user with the USER directive).
  o Use Docker security options like the --user flag.
3. Use Docker Content Trust
  o Sign and verify images to ensure authenticity.
4. Keep Docker and Host OS Updated
  o Regularly patch Docker Engine and OS security vulnerabilities.
5. Limit Container Capabilities
  o Use --cap-drop to remove unnecessary Linux capabilities.
6. Use Read-Only Filesystems Where Possible
  o The --read-only flag restricts write access inside containers.
7. Restrict Network Access
  o Use user-defined networks and firewall rules to isolate containers.
8. Scan Images for Vulnerabilities
  o Use tools like Docker Scout, Clair, or Trivy to scan images.
9. Avoid Privileged Containers
  o Don’t run containers with --privileged unless absolutely needed.
10. Secure Docker Daemon Access
  o Restrict Docker socket (/var/run/docker.sock) access to trusted users.

Docker Security Commands & Tips

1. Run container as non-root user:

Add to Dockerfile:

```dockerfile
RUN useradd -m appuser
USER appuser
```

Or at runtime:

docker run --user 1000:1000 <image>

2. Use read-only filesystem:

docker run --read-only <image>

3. Drop Linux capabilities:

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE <image>

4. Enable Docker Content Trust:

export DOCKER_CONTENT_TRUST=1
docker pull <image>

5. Scan images for vulnerabilities (using Trivy):


(Install Trivy first)

trivy image <image>

6. Restrict Docker socket access:

ls -l /var/run/docker.sock
sudo chmod 660 /var/run/docker.sock
sudo chown root:docker /var/run/docker.sock
# Add only trusted users to docker group
sudo usermod -aG docker <username>
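
To check that running containers actually follow the practices listed above, the flags can be read back from `docker inspect`. The following is an added example, not part of the original document: the function names and finding labels are hypothetical, and the two container records are constructed sample data in the shape `docker inspect` returns.

```python
from __future__ import annotations

import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {
    "Name": "/web-hardened",
    "Config": {"User": "1000:1000"},
    "HostConfig": {
      "Privileged": false,
      "ReadonlyRootfs": true,
      "CapDrop": ["ALL"],
      "CapAdd": ["NET_BIND_SERVICE"],
      "NetworkMode": "mynet"
    },
    "Mounts": [
      {"Type": "volume", "Name": "web-data",
       "Source": "/var/lib/docker/volumes/web-data/_data",
       "Destination": "/app/data", "RW": true}
    ]
  },
  {
    "Name": "/ci-agent",
    "Config": {"User": ""},
    "HostConfig": {
      "Privileged": true,
      "ReadonlyRootfs": false,
      "CapDrop": null,
      "CapAdd": null,
      "NetworkMode": "host"
    },
    "Mounts": [
      {"Type": "bind", "Source": "/var/run/docker.sock",
       "Destination": "/var/run/docker.sock", "RW": true}
    ]
  }
]
""")


def runs_as_root(user: str) -> bool:
    """An empty Config.User means no USER/--user was set, so the process is root."""
    uid = user.split(":", 1)[0].strip()
    return uid in ("", "0", "root")


def audit_container(c: dict) -> list[str]:
    """Return the hardening gaps for one `docker inspect` record."""
    findings = []
    host = c.get("HostConfig") or {}
    if runs_as_root((c.get("Config") or {}).get("User") or ""):
        findings.append("runs-as-root")            # practice 2: USER / --user
    if host.get("Privileged"):
        findings.append("privileged")              # practice 9: --privileged
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")         # practice 6: --read-only
    dropped = {cap.upper() for cap in host.get("CapDrop") or []}
    if "ALL" not in dropped:
        findings.append("caps-not-dropped")        # practice 5: --cap-drop=ALL
    if host.get("NetworkMode") == "host":
        findings.append("host-network")            # practice 7: isolate networks
    for m in c.get("Mounts") or []:
        if m.get("Source", "").endswith("docker.sock"):
            findings.append("docker-socket-mounted")  # practice 10: daemon access
    return findings


def audit_all(containers: list[dict]) -> dict[str, list[str]]:
    """Map container name (without the leading slash) to its findings."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

On a live host the same functions can be fed the decoded output of `docker inspect $(docker ps -q)` instead of the sample.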

Sample Secure Dockerfile

```dockerfile
# Use official minimal base image
FROM python:3.11-slim

# Create non-root user
RUN useradd -m appuser

# Set workdir and copy files
WORKDIR /app
COPY requirements.txt .

# Install dependencies without cache
RUN pip install --no-cache-dir -r requirements.txt

# Copy app source code
COPY . .

# Change ownership to non-root user
RUN chown -R appuser:appuser /app

# Switch to non-root user
USER appuser

# Make the container filesystem read-only (optional runtime)
# Note: add writable volumes for logs/temp if needed

# Expose port
EXPOSE 5000

# Run the app
CMD ["python", "app.py"]
```
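
The non-root and base-image practices can also be checked before an image is built. The following is an added example, not part of the original document: a small static check of a Dockerfile's final stage, run over condensed copies of the two Dockerfiles on this page. The function names are hypothetical, and the `latest`/untagged check is an extra check that goes beyond the page's list.

```python
from __future__ import annotations

# Condensed copy of the multistage Dockerfile from section 5 (sample input).
MULTISTAGE = """\
# Stage 1: Build stage
FROM golang:1.20 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

# Stage 2: Final stage
FROM alpine:latest
COPY --from=builder /app/myapp /usr/local/bin/myapp
ENTRYPOINT ["myapp"]
"""

# Condensed copy of the "Sample Secure Dockerfile" (sample input).
HARDENED = """\
FROM python:3.11-slim
RUN useradd -m appuser
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
RUN chown -R appuser:appuser /app
USER appuser
EXPOSE 5000
CMD ["python", "app.py"]
"""


def logical_lines(text: str):
    """Yield instructions with comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""


def parse_stages(text: str) -> list[dict]:
    """Split a Dockerfile into build stages, tracking the last USER of each."""
    stages: list[dict] = []
    for line in logical_lines(text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if instr == "FROM":
            tokens = [t for t in arg.split() if not t.startswith("--")]  # skip --platform=...
            name = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else None
            # A stage built FROM an earlier stage inherits that stage's USER.
            base = next((s for s in stages if s["name"] == tokens[0]), None)
            stages.append({"image": tokens[0], "name": name,
                           "user": base["user"] if base else None})
        elif instr == "USER" and stages:
            stages[-1]["user"] = arg.strip()
    return stages


def is_floating(image: str, earlier_stages: set) -> bool:
    """True when the base is untagged or :latest (not a stage, scratch or digest)."""
    if image in earlier_stages or image == "scratch" or "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]          # ignore a registry host:port prefix
    tag = last.split(":", 1)[1] if ":" in last else None
    return tag is None or tag == "latest"


def lint(text: str) -> list[str]:
    """Check the final (runtime) stage only; earlier stages are discarded at build."""
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction found"]
    final = stages[-1]
    earlier = {s["name"] for s in stages[:-1] if s["name"]}
    findings = []
    if is_floating(final["image"], earlier):
        findings.append(f"final stage base '{final['image']}' is untagged or :latest")
    # Limitation: a USER set inside the registry base image is not visible here.
    if (final["user"] or "").split(":", 1)[0] in ("", "0", "root"):
        findings.append("final stage runs as root (no non-root USER)")
    return findings


if __name__ == "__main__":
    for label, text in (("multistage", MULTISTAGE), ("hardened", HARDENED)):
        print(label, lint(text) or "OK")
```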

Sample Secure Docker Compose (docker-compose.yml)

```yaml
version: "3.8"

services:
  web:
    build: .
    ports:
      - "5000:5000"
    environment:
      - ENV=production
    volumes:
      - web-data:/app/data   # Persist writable data
    user: "1000:1000"        # Run as non-root user
    read_only: true          # Read-only root filesystem
    cap_drop:
      - ALL                  # Drop all Linux capabilities

volumes:
  web-data:
```

Quick Docker Debugging Checklist

| Issue | Command / Tip |
|---|---|
| Image build error | Check docker build . logs |
| Missing files in build context | Verify files exist in build directory |
| Container won’t start | docker logs <container> |
| Check container status | docker ps -a |
| Port conflict on host | sudo lsof -i :<port> or change host port in run |
| Environment variables missing | Pass with -e VAR=value or use .env in Compose |
| Volume permission issues | sudo chown or check host directory permissions |
| Network issues | docker network ls and docker network inspect |
| Resource constraints | Check host memory and CPU usage |

13. HOW TO MAKE DOCKER HIGHLY AVAILABLE

1. Use Docker Swarm or Kubernetes for Orchestration
  o Both provide clustering, service discovery, and failover.
  o Swarm is native to Docker and easier to start with. Kubernetes is more powerful and industry-standard.
2. Run Multiple Replicas of Containers (Services)
  o Deploy several instances of your service across different nodes.
  o If one container/node fails, others keep serving requests.
3. Distribute Containers Across Multiple Hosts
  o Avoid a single point of failure by running containers on multiple physical or virtual machines.
4. Use Load Balancing
  o Use built-in Docker Swarm load balancing or external tools (NGINX, HAProxy) to distribute traffic evenly.
5. Persist Data Using Distributed Storage
  o Use shared storage solutions (like NFS, GlusterFS, or cloud storage) to keep data consistent and available across nodes.
6. Automate Health Checks and Restart Policies
  o Configure health checks so orchestrators can detect unhealthy containers and restart or replace them automatically.
7. Backup and Restore Strategies
  o Regularly backup volumes and configs to avoid data loss during failures.
8. Monitor and Alert
  o Use monitoring tools (Prometheus, Grafana, ELK stack) to detect issues proactively.

14. DOCKER TROUBLESHOOTING SCENARIOS RELATED TO VOLUMES, NETWORKS, IMAGES, AND CONTAINERS, INCLUDING THE ERROR, REASON, AND RESOLUTION

1. Volume Issues

Error:
Permission denied when container tries to write to a mounted volume.

Reason:
Host directory permissions don’t allow container user to write.

Resolution:
Adjust permissions on the host folder:

sudo chown -R 1000:1000 /path/to/volume

Error:
Data not persisting after container removal.

Reason:
Using anonymous volumes or no volume specified, so data is lost with container.

Resolution:
Use named volumes or bind mounts in docker run or docker-compose.yml:

docker volume create myvolume


docker run -v myvolume:/data ...

2. Network Issues

Error:
Container cannot reach another container by service name.

Reason:
Containers not on the same user-defined network.

Resolution:
Create and attach containers to the same network:

docker network create mynet


docker run --network mynet ...

Error:
Port already in use on host.

Reason:
Host port is busy with another process.

Resolution:
Check process using port and change port mapping:

sudo lsof -i :80


docker run -p 8080:80 ...

3. Image Issues

Error:
manifest for image:tag not found

Reason:
Image or tag does not exist in Docker Hub or registry.

Resolution:
Verify image name and tag; pull correct image or build locally.

Error:
Build fails with COPY failed: file not found

Reason:
File/directory missing in build context.

Resolution:
Ensure file exists relative to Dockerfile and build context root.

4. Container Issues

Error:
Container exits immediately after start.

Reason:
Main process (CMD/ENTRYPOINT) finishes or crashes immediately.

Resolution:
Check container logs for errors:

docker logs <container>

Fix CMD or entrypoint script.

Error:
no such file or directory on ENTRYPOINT or CMD.

Reason:
Script or executable missing or wrong path.

Resolution:
Verify executable exists inside image and paths are correct.
Error:
docker: Error response from daemon: Conflict. The container name "/name"
is already in use.

Reason:
Container with same name exists.

Resolution:
Remove or rename existing container:

docker rm <container>

Detailed commands and debugging steps for each troubleshooting scenario

1. Volume Issues

Permission denied writing to volume

• Check volume mount and permissions:

docker inspect <container> --format '{{ json .Mounts }}' | jq
ls -ld /path/on/host

• Fix permissions on host folder:

sudo chown -R $(id -u):$(id -g) /path/on/host

Data not persisting

• List volumes:

docker volume ls

• Inspect volume:

docker volume inspect myvolume

• Run container with named volume:

docker run -v myvolume:/app/data myimage
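
The `.Mounts` output shown above is enough to tell which of an application's data directories will survive container removal. The following is an added example, not part of the original document: the function names and sample mounts are constructed, and treating a 64-hex-character volume name as anonymous is a heuristic assumption.

```python
from __future__ import annotations

import re

# Constructed sample of what
#   docker inspect <container> --format '{{ json .Mounts }}'
# returns after JSON decoding (names and paths are made up).
SAMPLE_MOUNTS = [
    {"Type": "volume", "Name": "myvolume",
     "Source": "/var/lib/docker/volumes/myvolume/_data",
     "Destination": "/app/data", "RW": True},
    {"Type": "volume", "Name": "ab12" * 16,
     "Source": "/var/lib/docker/volumes/" + "ab12" * 16 + "/_data",
     "Destination": "/var/lib/mysql", "RW": True},
    {"Type": "bind", "Source": "/host/path",
     "Destination": "/container/path", "RW": False},
]

# Heuristic (assumption): anonymous volumes get a 64-hex-character generated name.
ANON_NAME = re.compile(r"[0-9a-f]{64}")


def mount_kind(mount: dict) -> str:
    """Classify a mount as 'named', 'anonymous', 'bind' or its raw Type."""
    if mount.get("Type") == "volume":
        return "anonymous" if ANON_NAME.fullmatch(mount.get("Name", "")) else "named"
    return mount.get("Type", "unknown")


def covering_mount(path: str, mounts: list[dict]) -> dict | None:
    """Return the most specific mount whose Destination contains `path`."""
    best = None
    for m in mounts:
        dest = m["Destination"].rstrip("/")
        if path == dest or path.startswith(dest + "/"):
            if best is None or len(dest) > len(best["Destination"].rstrip("/")):
                best = m
    return best


def persistence_report(mounts: list[dict], data_dirs: list[str]) -> dict:
    """Map each data directory to (storage kind, writable).

    'container-layer' means no mount covers the path: the data lives in the
    container's writable layer and is lost when the container is removed.
    """
    report = {}
    for path in data_dirs:
        m = covering_mount(path.rstrip("/"), mounts)
        if m is None:
            report[path] = ("container-layer", True)
        else:
            report[path] = (mount_kind(m), bool(m.get("RW")))
    return report


if __name__ == "__main__":
    dirs = ["/app/data/uploads", "/var/lib/mysql", "/container/path/cfg", "/tmp/cache"]
    for path, (kind, writable) in persistence_report(SAMPLE_MOUNTS, dirs).items():
        print(f"{path:22} {kind:16} {'rw' if writable else 'ro'}")
```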

Error: Volume data is not updating inside container after host file changes
Reason: Volume mount uses a cached or read-only mode, or container app caches data internally.
Resolution:

• Ensure volume is mounted in read-write mode (default).
• Restart container if app caches data on startup.
• Use bind mounts for live updates during development:

docker run -v /host/path:/container/path:rw myimage

Error: Named volume deleted but container still runs without errors
Reason: Container using anonymous or different volume than expected.
Resolution:

• Inspect container volumes:

docker inspect <container> --format '{{ json .Mounts }}' | jq

• Verify volume names and remove unused volumes:

docker volume ls -f dangling=true
docker volume rm $(docker volume ls -qf dangling=true)

Volume data not updating after host changes

• Problem: Changes on host files don’t reflect inside container.
• Cause: Mounted as read-only or app caches data internally.
• Fix & Debug:

# Check mount options
docker inspect <container> --format '{{ json .Mounts }}' | jq

# Run container with read-write bind mount (for development)
docker run -v /host/path:/container/path:rw myimage

# Restart container/app to clear internal cache
docker restart <container>

Named volume deleted but container still works

• Problem: Data persists or container runs despite deleting a named volume.
• Cause: Container uses anonymous or other volumes.
• Fix & Debug:

# Inspect container mounts
docker inspect <container> --format '{{ json .Mounts }}' | jq

# List dangling volumes (not used by any container)
docker volume ls -f dangling=true

# Remove dangling volumes to free space
docker volume rm $(docker volume ls -qf dangling=true)

Error: Docker volume is mounted but files inside container are empty or missing
Reason: Wrong volume path or volume not mounted correctly.
Resolution:

• Verify mount paths inside container:

docker inspect <container> --format '{{ json .Mounts }}' | jq

• Confirm files exist on host path.
• Use bind mount if you want live sync:

docker run -v /host/path:/container/path:rw myimage

2. Network Issues

Container can’t reach other container by name

• Check networks:

docker network ls
docker network inspect <network_name>

• Create and use user-defined network:

docker network create mynet
docker run -d --network mynet --name container1 alpine sleep 1d
docker run -it --network mynet alpine ping container1

Port conflict on host

• Find process using port:

sudo lsof -i :80

• Run container on different port:

docker run -p 8080:80 myimage

Error: Containers can’t communicate after Docker daemon restart
Reason: Default bridge network recreated; user-defined networks persist but containers may disconnect.
Resolution:

• Restart containers attached to user networks.
• Recreate containers if necessary.
• Use user-defined networks over default bridge for persistent networking.

Error: DNS resolution fails inside container (e.g., ping google.com fails)
Reason: Docker DNS settings misconfigured or host DNS issues.
Resolution:

• Check /etc/resolv.conf inside container:

docker exec -it <container> cat /etc/resolv.conf

• Override DNS in Docker run:

docker run --dns 8.8.8.8 myimage

Containers lose connectivity after Docker restart

• Problem: Containers on default bridge lose network after daemon restart.
• Cause: Default bridge network resets.
• Fix & Debug:

# Restart affected containers
docker restart <container>

# Use user-defined networks (persistent)
docker network create mynet
docker network connect mynet <container>

DNS resolution fails inside container

• Problem: Cannot resolve domain names inside container.
• Cause: Docker’s DNS config incorrect or host DNS problems.
• Fix & Debug:

# Check container DNS config
docker exec -it <container> cat /etc/resolv.conf

# Override DNS server in container
docker run --dns 8.8.8.8 myimage ping google.com

Error: Container cannot connect to external internet or registry
Reason: Firewall or proxy settings blocking Docker daemon.
Resolution:

• Check host firewall rules and allow Docker traffic.
• Configure Docker daemon proxy settings in /etc/systemd/system/docker.service.d/http-proxy.conf or Docker Desktop proxy settings.

Error: port is already allocated when starting container
Reason: Port conflict with another container or process.
Resolution:

• List all containers and ports:

docker ps

• Find host process using port:

sudo lsof -i :<port>

• Change exposed port in docker run or stop conflicting container.

3. Image Issues

Image not found

• Check available images/tags on Docker Hub:

Visit Docker Hub or run:

docker search imagename

• Pull specific image:

docker pull ubuntu:20.04

• Build local image:

docker build -t myimage:latest .

COPY failed: file not found

• Check build context (folder from which you run build):

ls -l ./relative_path_to_file

• Run build with verbose output:

docker build --progress=plain .

Error: Build cache causes outdated layers to be used, changes not reflected
Reason: Docker reuses cached image layers to speed up build.
Resolution:

• Force no cache build:

docker build --no-cache -t myimage .

• Optimize Dockerfile layer order to improve caching.

Error: Large image size causing slow push/pull
Reason: Image contains unnecessary files or layers.
Resolution:

• Use .dockerignore file to exclude files.
• Use multistage builds to reduce image size (build dependencies separate from runtime).
• Use minimal base images (e.g., alpine).

Docker build cache causes outdated layers

• Problem: Changes not reflected because Docker uses cached layers.
• Cause: Docker build cache reuses unchanged steps.
• Fix & Debug:

# Build without cache
docker build --no-cache -t myimage .

# Check Dockerfile layer order to optimize cache hits

Large image size slows push/pull

• Problem: Image size too big, slowing operations.
• Cause: Unnecessary files or layers included.
• Fix & Debug:

# Use .dockerignore to exclude files
# Use multistage build to reduce final size (example below)
# Use minimal base images like alpine

Error: Build fails with failed to fetch anonymous token or authentication error pulling image
Reason: Docker Hub rate limits or authentication failure.
Resolution:

• Login to Docker Hub:

docker login

• Use a personal access token or different registry mirror.
• Wait and retry after rate limit window resets.

Error: Cannot push large image to remote registry
Reason: Network timeout or registry size limits.
Resolution:

• Check network connection stability.
• Compress image using multistage builds.
• Split large app into microservices.

4. Container Issues

Container exits immediately

• Check logs:

docker logs <container_id_or_name>

• Run container interactively to debug:

docker run -it –entry

Error: Container network interface down or no IP assigned
Reason: Network driver issue or IP conflicts.
Resolution:

• Restart Docker daemon.
• Remove and recreate network:

docker network rm mynet
docker network create mynet

• Inspect container network:

docker inspect -f '{{json .NetworkSettings}}' <container>

Error: Container process consumes 100% CPU or memory
Reason: Application bug or resource limit missing.
Resolution:

• Limit container resources:

docker run --memory=512m --cpus=1 myimage

• Inspect resource usage:

docker stats

Error: no space left on device error on container start
Reason: Disk full on host or Docker storage driver issue.
Resolution:

• Clean unused images, containers, volumes:

docker system prune -a --volumes

• Check disk space on host:

df -h

Container network interface down / no IP

• Problem: Container cannot access network, no IP assigned.
• Cause: Network driver issues or IP conflicts.
• Fix & Debug:

# Restart Docker daemon
sudo systemctl restart docker

# Remove and recreate network
docker network rm mynet
docker network create mynet

# Inspect container network
docker inspect -f '{{json .NetworkSettings}}' <container>

Container process consumes 100% CPU or memory

• Problem: Container hogs resources.
• Cause: Application bug or no resource limits set.
• Fix & Debug:

# Monitor container stats
docker stats

# Limit resources when running container
docker run --memory=512m --cpus=1 myimage

“No space left on device” error

• Problem: Docker cannot start container or build image.
• Cause: Disk full or Docker storage full.
• Fix & Debug:

# Check disk space
df -h

# Cleanup unused containers, images, volumes
docker system prune -a --volumes

Error: Container logs show cannot connect to database or service dependency failure
Reason: Container startup order or network issue between containers.
Resolution:

• Use Docker Compose depends_on to control startup order.
• Verify network connectivity:

```bash
docker network inspect <network>
docker exec -it <container> ping <other_container>
```

Error: Container stuck in Created or Restarting state
Reason: Failed health checks, entrypoint issues, or resource constraints.
Resolution:

• Inspect container state and logs:

docker ps -a
docker logs <container>

• Check Docker daemon logs for errors.
• Fix entrypoint or resource limits.

5. Docker Daemon Issues

Error: Docker daemon won’t start or crashes on boot
Reason: Corrupted Docker files, incompatible versions, or lack of system resources.
Resolution:

• Restart Docker service:

```bash
sudo systemctl restart docker
```

• Check daemon logs:

```bash
sudo journalctl -u docker
```

• Reinstall or upgrade Docker.

6. Security Issues

Error: Unauthorized access to Docker socket (/var/run/docker.sock)
Reason: Docker socket exposed to untrusted users.
Resolution:

• Limit access to socket only to trusted users/groups.
• Use Docker API authentication or tools like docker-bench-security to audit.

Bonus: Common Commands for Troubleshooting

# Inspect container details
docker inspect <container>

# Check container logs
docker logs <container>

# List all containers including stopped ones
docker ps -a

# Monitor container resource usage
docker stats

# Remove unused resources (images, containers, volumes)
docker system prune -a --volumes

# Show Docker daemon logs (Linux)
sudo journalctl -fu docker

# List networks and inspect
docker network ls
docker network inspect <network>

# Manage volumes
docker volume ls
docker volume inspect <volume>
docker volume rm <volume>

15. COMPLETE, ORGANIZED DOCKER TROUBLESHOOTING GUIDE COVERING ALL COMMON ISSUES RELATED TO VOLUMES, NETWORKING, IMAGES, CONTAINERS, DAEMON, AND SECURITY — EACH WITH:

• Error/Issue
• Reason
• Step-by-step Debug/Resolution
• Commands you can run

1. Volume Issues

A. Volume data not syncing / missing inside container

Error: Files inside the container are missing or do not update after host file changes.
Reason: Volume path mismatch, read-only mount, or app caching.
Fix:

1. Check mounts of container:

docker inspect <container> --format '{{ json .Mounts }}' | jq

2. Confirm files exist on host path and are accessible:

ls -l /host/path

3. Run container with read-write bind mount for live sync:

docker run -v /host/path:/container/path:rw myimage

4. Restart container or app if caching data internally:

docker restart <container>

B. Volume deleted but container still works / data persists unexpectedly

Error: Removing a named volume doesn’t seem to affect container data.


Reason: Container may be using anonymous or different volumes.
Fix:

1. Inspect container mounts to verify used volumes:

docker inspect <container> --format '{{ json .Mounts }}' | jq

2. List dangling (unused) volumes:


docker volume ls -f dangling=true

3. Remove unused volumes:

docker volume rm $(docker volume ls -qf dangling=true)

C. Permission denied when writing to volume

Error: Container cannot write to volume mounted from host, shows permission denied.
Reason: Host directory permissions don’t allow container user to write.
Fix:

1. Check host folder permissions:

ls -ld /host/path

2. Change ownership to your user/group:

sudo chown -R $(id -u):$(id -g) /host/path

3. Rerun container.

2. Network Issues

A. Containers can’t reach each other by name

Error: Ping or connect by container name fails.


Reason: Containers are not on the same user-defined network.
Fix:

1. List Docker networks:

docker network ls

2. Create a user-defined network if needed:

docker network create mynet

3. Run containers attached to the same network:

docker run -d --network mynet --name container1 myimage


docker run -it --network mynet alpine ping container1

B. DNS resolution inside container fails

Error: Cannot resolve domain names like google.com.


Reason: Docker DNS misconfigured or host network issue.
Fix:
1. Check DNS config inside container:

docker exec -it <container> cat /etc/resolv.conf

2. Override DNS server for container:

docker run --dns 8.8.8.8 myimage

C. Port already allocated error when starting container

Error: port is already allocated on docker run -p.


Reason: Port conflict with another container or host process.
Fix:

1. List containers and ports:

docker ps

2. Check which process uses port:

sudo lsof -i :<port>

3. Stop conflicting container or use a different port:

docker run -p 8080:80 myimage

D. Containers lose connectivity after Docker daemon restart

Error: Containers cannot reach network or each other after Docker restart.
Reason: The default bridge network resets; user-defined networks persist, but containers are disconnected.
Fix:

1. Restart affected containers:

docker restart <container>

2. Use user-defined networks (persistent) rather than default bridge.

3. Image Issues

A. Docker build cache causes outdated layers

Error: Changes in code don’t show up after build due to caching.


Reason: Docker build reuses cached layers for speed.
Fix:

1. Build without cache:

docker build --no-cache -t myimage .


2. Optimize Dockerfile layers (copy files after installing dependencies).

B. COPY command fails: file not found

Error: COPY failed: file not found in build context.


Reason: File is missing or build context is incorrect.
Fix:

1. Verify file location relative to Dockerfile:

ls -l ./path/to/file

2. Run build from correct folder:

docker build -t myimage .

C. Image too large, slow push/pull

Error: Image size large causing slow operations.


Reason: Unnecessary files or tools included in image.
Fix:

1. Use .dockerignore to exclude files.


2. Use multistage builds (example below).
3. Use minimal base images (alpine).

Multistage example:

FROM golang:1.20 AS builder
WORKDIR /app
COPY . .
RUN go build -o app

FROM alpine
WORKDIR /app
COPY --from=builder /app/app .
CMD ["./app"]

D. Pull fails due to rate limits or authentication

Error: toomanyrequests: You have reached your pull rate limit.


Reason: Docker Hub limits anonymous pulls.
Fix:

1. Login to Docker Hub:

docker login

2. Use authenticated pulls or private registry.


4. Container Issues

A. Container exits immediately after start

Error: Container stops right after starting.


Reason: Application crashes, wrong entrypoint, or missing CMD.
Fix:

1. Check logs:

docker logs <container>

2. Run container interactively to debug:

docker run -it --entrypoint /bin/sh myimage

3. Fix Dockerfile CMD or ENTRYPOINT.

B. Container stuck restarting (Restarting state)

Error: Container constantly restarts.


Reason: Crash loop, failing health checks, resource limits exceeded.
Fix:

1. Check logs and inspect container state:

docker ps -a
docker logs <container>

2. Fix app errors, increase resources or adjust restart policy.

C. Container uses 100% CPU or memory

Error: Container consumes excessive resources.


Reason: Buggy app or no resource limits set.
Fix:

1. Monitor resource usage:

docker stats

2. Set limits:

docker run --memory=512m --cpus=1 myimage

D. No space left on device error


Error: Docker cannot start container/build image.
Reason: Disk or Docker storage full.
Fix:

1. Check disk space:

df -h

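2. Clean up unused data (this deletes all stopped containers, unused networks, unused images and unused volumes, so confirm nothing in them is still needed):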

docker system prune -a --volumes

5. Docker Daemon Issues

A. Docker daemon won’t start

Error: Docker service fails or crashes.


Reason: Corrupt files, incompatible Docker version, system resource issues.
Fix:

1. Restart Docker:

sudo systemctl restart docker

2. Check logs:

sudo journalctl -u docker

3. Reinstall or update Docker.

B. Docker commands hang or time out

Error: docker ps or docker build commands hang.


Reason: Docker daemon unresponsive or deadlock.
Fix:

1. Restart Docker daemon.


2. Reboot host if needed.

6. Security Issues

A. Unauthorized access to Docker socket

Error: Unintended users access /var/run/docker.sock.


Reason: Socket permissions are too open.
Fix:
1. Limit socket access:

sudo chown root:docker /var/run/docker.sock


sudo chmod 660 /var/run/docker.sock

2. Add only trusted users to the docker group; members can control the daemon and so have root-level access to the host.


3. Use tools like docker-bench-security to audit.

B. Containers run with too many privileges

Error: Containers run as root or with --privileged.


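Reason: --privileged gives the container all capabilities and access to host devices, and a process running as root in the container is also root on any bind-mounted host path (unless user namespaces are remapped).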
Fix:

1. Avoid --privileged flag unless necessary.


2. Run containers as non-root users inside container.

16. COMMON USEFUL DOCKER COMMANDS FOR TROUBLESHOOTING

# List all containers (running + stopped)
docker ps -a

# Inspect detailed container info
docker inspect <container>

# Show container logs
docker logs <container>

# Monitor container resource usage
docker stats

# List volumes and inspect volume info
docker volume ls
docker volume inspect <volume>

# List networks and inspect network details
docker network ls
docker network inspect <network>

# Remove unused resources
docker system prune -a --volumes

# Restart Docker daemon (Linux)
sudo systemctl restart docker

# Check Docker daemon logs (Linux)
sudo journalctl -u docker

17. DOCKER TROUBLESHOOTING GUIDE: ALL SCENARIOS, COMMANDS, AND SOLUTIONS

1. Volume Issues

Scenario A: Volume data missing or not syncing inside container

• Error: Files inside container missing or stale.
• Reason: Wrong mount path, read-only volume, or app cache.
• Fix:
o Check mounts:

docker inspect <container> --format '{{ json .Mounts }}' | jq

o Verify host files exist:

ls -l /host/path

o Use correct bind mount with read-write:

docker run -v /host/path:/container/path:rw myimage

o Restart container/app to refresh cache:

docker restart <container>

Scenario B: Data persists even after volume removal

• Error: Data still appears even after deleting volumes.
• Reason: Anonymous volumes or multiple volumes attached.
• Fix:
o Inspect mounts:

docker inspect <container> --format '{{ json .Mounts }}' | jq

o List dangling volumes:

docker volume ls -f dangling=true

o Remove unused volumes:

docker volume rm $(docker volume ls -qf dangling=true)

Scenario C: Permission denied writing to mounted volume

• Error: Permission denied errors inside container on volume path.
• Reason: Host directory permissions don’t allow container user access.
• Fix:
o Check host folder permissions:

ls -ld /host/path

o Change ownership/permissions:
sudo chown -R $(id -u):$(id -g) /host/path

o Rerun container.
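
Why the container user is denied while the host user is not, as an added shell example that is not part of the original document. It applies to the "Permission denied" volume scenario in both guides; can_write and explain_mount are hypothetical helper names, the demo directory is constructed, and GNU stat is assumed:

```shell
#!/usr/bin/env bash
# Added example; can_write and explain_mount are hypothetical helper names.
# Get a container's numeric IDs with: docker exec <container> id -u  (and id -g)

# Can a process with UID $2 and GID $3 create files in host directory $1?
# Follows the kernel's owner -> group -> other order; ignores ACLs,
# supplementary groups, user-namespace remapping and SELinux/AppArmor.
can_write() {
  path=$1 uid=$2 gid=$3
  set -- $(stat -c '%u %g %a' "$path" 2>/dev/null)   # GNU stat assumed
  [ $# -eq 3 ] || return 2                           # path missing or unreadable
  owner=$1 group=$2 perms=$(( 0$3 ))                 # mode parsed as octal
  # Root with default capabilities bypasses the mode bits.
  if [ "$uid" -eq 0 ]; then return 0; fi
  if [ "$uid" -eq "$owner" ]; then bits=$(( (perms >> 6) & 7 ))
  elif [ "$gid" -eq "$group" ]; then bits=$(( (perms >> 3) & 7 ))
  else bits=$(( perms & 7 )); fi
  # Creating a file needs write (2) and search (1) on the directory.
  [ $(( bits & 3 )) -eq 3 ]
}

# Print a one-line diagnosis for a bind-mount source and a UID/GID pair.
explain_mount() {
  if can_write "$1" "$2" "$3"; then
    echo "ok: uid=$2 gid=$3 can write to $1"
  else
    echo "denied: uid=$2 gid=$3 cannot write to $1 ($(stat -c '%U:%G mode %a' "$1"))"
  fi
}

# Constructed demo: a directory that only its owner may write to.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
explain_mount "$demo_dir" "$(id -u)" "$(id -g)"   # the host user who created it
explain_mount "$demo_dir" 101 101                 # e.g. a service account set by USER in an image
rm -rf "$demo_dir"
```

A "denied" result for the container's IDs means the fix is to align ownership or group membership with those IDs, rather than opening the directory to everyone.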

2. Network Issues

Scenario A: Container cannot ping another container by name

• Error: ping container_name fails.
• Reason: Containers not on same user-defined network.
• Fix:
o List networks:

docker network ls

o Create network if missing:

docker network create mynet

o Run containers attached to same network:

docker run -d --network mynet --name container1 myimage


docker run -it --network mynet alpine ping container1

Scenario B: DNS resolution fails inside container

• Error: Cannot resolve external domains.
• Reason: Docker DNS or host network misconfiguration.
• Fix:
o Check /etc/resolv.conf inside container:

docker exec -it <container> cat /etc/resolv.conf

o Run container with explicit DNS:

docker run --dns 8.8.8.8 myimage

Scenario C: Port is already allocated error

• Error: On docker run -p you see port conflict.
• Reason: Another container or host process uses port.
• Fix:
o List containers & ports:

docker ps

o Check host process:

sudo lsof -i :<port>

o Stop conflicting container or use different port.


Scenario D: Network lost after Docker restart

• Error: Containers lose network connectivity after Docker daemon restart.
• Reason: The default bridge network resets; user-defined networks persist, but containers are disconnected.
• Fix:
o Restart containers or use user-defined networks.

3. Image Issues

Scenario A: Build cache causes stale builds

• Error: Changes don’t appear in container after rebuild.
• Reason: Docker build cache reused.
• Fix:
o Build without cache:

docker build --no-cache -t myimage .

o Optimize Dockerfile to order instructions wisely.

Scenario B: COPY command fails during build

• Error: COPY failed: file not found in build context
• Reason: File missing or build context wrong.
• Fix:
o Verify files present:

ls -l ./file

o Run build in correct directory.

Scenario C: Image size too large

• Error: Large image slows push/pull.
• Reason: Unnecessary files or no multistage build.
• Fix:
o Use .dockerignore to exclude files.
o Use multistage build:

FROM golang:1.20 AS builder
WORKDIR /app
COPY . .
RUN go build -o app

FROM alpine
WORKDIR /app
COPY --from=builder /app/app .
CMD ["./app"]

Scenario D: Pull limit reached or auth error

• Error: toomanyrequests or authentication failures.
• Reason: Docker Hub rate limits or missing login.
• Fix:
o Login to Docker Hub:

docker login

o Use private registry or authenticated pulls.

4. Container Issues

Scenario A: Container exits immediately

• Error: Container stops as soon as started.
• Reason: App crash, wrong entrypoint, no foreground process.
• Fix:
o Check logs:

docker logs <container>

o Run interactively:

docker run -it --entrypoint /bin/sh myimage

o Fix Dockerfile CMD or entrypoint.

Scenario B: Container stuck restarting

• Error: Container keeps restarting (Restarting).
• Reason: Crash loops, health check failures, resource constraints.
• Fix:
o Inspect logs:

docker logs <container>

o Adjust restart policy or resource limits.

Scenario C: High CPU or memory usage

• Error: Container hogs resources.
• Reason: Buggy app, no limits set.
• Fix:
o Monitor:

docker stats

o Set limits:

docker run --memory=512m --cpus=1 myimage

Scenario D: No space left on device

• Error: Disk full error on build/run.
• Reason: Docker storage or disk full.
• Fix:
o Check disk space:

df -h

o Cleanup:

docker system prune -a --volumes

5. Docker Daemon Issues

Scenario A: Docker daemon won’t start

• Error: Docker service fails.
• Reason: Corrupt files, system errors.
• Fix:
o Restart Docker:

sudo systemctl restart docker

o Check logs:

sudo journalctl -u docker

o Reinstall/update Docker.

Scenario B: Docker commands hang

• Error: Commands stuck or timeout.
• Reason: Deadlocked daemon or resource issues.
• Fix:
o Restart daemon or host.

6. Security Issues

Scenario A: Unauthorized access to Docker socket


• Error: Anyone can control Docker daemon.
• Reason: Overly permissive /var/run/docker.sock.
• Fix:
o Secure socket:

sudo chown root:docker /var/run/docker.sock


sudo chmod 660 /var/run/docker.sock

o Add only trusted users to docker group.

Scenario B: Containers run as root or privileged

• Error: Security risk with privileged containers.
• Reason: Running with --privileged or default root user.
• Fix:
o Avoid --privileged.
o Run as non-root inside container (using USER in Dockerfile).
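
The two security checks described in both guides (socket permissions, and containers running privileged or as root), as an added shell example that is not part of the original document. Function names are hypothetical, the rows in audit_sample are constructed, the field names are those of docker inspect, and GNU stat and xargs are assumed:

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, field names are docker inspect's.

# Return 0 if the file at $1 grants no permissions to "other" (e.g. mode 660).
sock_perms_ok() {
  mode=$(stat -c '%a' "$1") || return 2   # GNU stat assumed
  [ $(( 0$mode & 7 )) -eq 0 ]             # mode parsed as octal
}

# Print findings for one container, or nothing if it passes.
# $1 name, $2 .HostConfig.Privileged, $3 .Config.User, $4 comma-joined mount sources
audit_fields() {
  findings=""
  if [ "$2" = "true" ]; then findings="$findings privileged"; fi
  # Empty user, "root", "0" or "0:<gid>" all mean the main process is UID 0.
  case "$3" in
    ""|root|root:*|0|0:*) findings="$findings runs-as-root" ;;
  esac
  # A mounted Docker socket lets the container drive the host's daemon.
  case ",$4," in
    *,/var/run/docker.sock,*|*,/run/docker.sock,*)
      findings="$findings docker-socket-mounted" ;;
  esac
  if [ -n "$findings" ]; then echo "$1:$findings"; fi
}

# Read name|privileged|user|mounts rows on stdin and audit each one.
audit_rows() {
  while IFS='|' read -r n p u m; do audit_fields "$n" "$p" "$u" "$m"; done
}

# Audit every running container (needs access to the Docker daemon).
audit_running() {
  fmt='{{.Name}}|{{.HostConfig.Privileged}}|{{.Config.User}}|{{range .Mounts}}{{.Source}},{{end}}'
  docker ps -q | xargs -r docker inspect --format "$fmt" | audit_rows
}

# Constructed sample rows, in the layout audit_running produces.
audit_sample() {
  printf '%s\n' \
    '/web|false|1000:1000|/srv/site,' \
    '/ci-agent|false||/var/run/docker.sock,' \
    '/legacy|true|root|' | audit_rows
}

audit_sample
```

On a Docker host, call audit_running to apply the same checks to live containers and sock_perms_ok /var/run/docker.sock to test the socket itself.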

Common Docker Troubleshooting Commands

docker ps -a
docker logs <container>
docker inspect <container>
docker stats
docker volume ls
docker volume inspect <volume>
docker volume rm <volume>
docker network ls
docker network inspect <network>
docker system prune -a --volumes
sudo systemctl restart docker
sudo journalctl -u docker
docker exec -it <container> /bin/sh
docker run -it --entrypoint /bin/sh myimage
docker build --no-cache -t myimage .
docker run --memory=512m --cpus=1 myimage

Bonus: Docker Troubleshooting Checklist

1. Identify the problem (logs, errors)


2. Check container status: docker ps -a
3. View container logs: docker logs <container>
4. Inspect container for mounts, network: docker inspect <container>
5. Check Docker daemon status: sudo systemctl status docker
6. Monitor resource usage: docker stats
7. Check volumes and networks: docker volume ls, docker network ls
8. Check disk space: df -h
9. Clean unused resources: docker system prune -a --volumes
10. Restart containers or daemon if needed.

Bonus: Sample Automated Troubleshooting Script (Linux Bash)

#!/bin/bash
# Prints a snapshot of daemon, container, volume, network and disk state.

echo "Docker Troubleshooting Report"

echo "1. Docker daemon status:"
sudo systemctl status docker --no-pager

echo "2. Docker containers:"
docker ps -a

echo "3. Docker logs of recently exited containers:"
for c in $(docker ps -a -f "status=exited" -q); do
    echo "Logs for container $c:"
    docker logs --tail 20 "$c"
done

echo "4. Inspect container mounts and network:"
for c in $(docker ps -q); do
    echo "Inspecting container $c:"
    docker inspect "$c" --format '{{ json .Mounts }}' | jq .
    docker inspect "$c" --format '{{ json .NetworkSettings.Networks }}' | jq .
done

echo "5. Docker volumes usage:"
docker volume ls
# Deletes unused volumes without asking for confirmation.
docker volume prune -f

echo "6. Disk usage on Docker storage:"
df -h

echo "7. Docker system disk usage:"
docker system df

echo "8. Active networks:"
docker network ls

echo "Report finished."
