Docker Gotchas

Docker Gotchas
Dan Sosedoff
Doejo
github/twitter: @sosedoff

View Slide

• Docker and UFW don't play nice
• Containers don't have persistent IP address
• Port publishing creates docker proxy processes
• Out-of-memory errors can knock down your OS
• Dangling and untagged images pollute FS
Gotchas

View Slide

Typical setup:
$ ufw default deny incoming
$ ufw allow 22 # SSH
$ ufw allow 80 # HTTP
$ ufw allow from 10.0.1.25 to any port 5432
In multi host environment you need to publish ports:
$ docker run -d -p 5432:5432 postgres:9.5
You still can access the host from unrestricted machines:
$ psql -h ip-address mydb
Docker and UFW

View Slide

Docker and UFW
• Start docker daemon with “—iptables=false”
• Audit your iptables setup
• Do not publish ports (-p/-P ﬂag) unless have to.

View Slide

Container IP is not persistent
$ docker run -d --name=myapp ruby ping google.com
a3bfaa3be952cb28b8a033d9121f86205d37966e9dd9e464b89c6c0a8d6e4810
$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp
172.17.0.2
$ docker stop myapp
$ docker run -d --name=myapp2 ruby ping facebook.com
6cc90fc176d9fb2868abd2e998b8830e29a9e6262f81895a48babfd65b77534c
$ docker start my app
$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp
172.17.0.3 # <—- THIS IP CHANGED
$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' myapp2
172.17.0.2

View Slide

Container IP is not persistent
• Never rely on container IP address
• Create custom Docker networks
• Reference containers by name
• Set container IP with “—ip” ﬂag

View Slide

Docker network proxy
Start container with published port:
$ docker run -d -p 5000:5000 myapp
Check out processes:
$ ps aux | grep docker-proxy
docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 5000 -container-ip
172.17.0.4 -container-port 5000

View Slide

Docker network proxy
• Not really an issue. Be aware.
• Runs TCP/UDP proxy process per container
• Adds an extra overhead
• Don’t publish ports on host unless needed

View Slide

Kernel OOM errors
Docker containers will use all available memory
$ docker run -d my-beefy-rails-app
Restrict memory usage with ﬂags:
$ docker run -d \
—restart=always \
—memory=512 \
—memory-swap=0 \
my-beefy-rails-app

View Slide

Kernel OOM errors
• Always specify memory restrictions
• Always deﬁne restart policy
• Use latest kernel, enable swap
• Actively monitor container resource usage

View Slide

$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
myapp latest 3cfbce003800 43 hours ago 1.016 GB
58e12b181489 2 days ago 1.016 GB
09c6230a686f 2 days ago 1.024 GB
559efd23e19c 2 days ago 1.024 GB
ec6f4f18c90c 2 days ago 1.035 GB
c50506c9fa32 2 days ago 1.034 GB
dd9429b92f28 3 days ago 1.033 GB
60534a5aa2b6 3 days ago 1.033 GB
46a302aa0da1 3 days ago 1.029 GB
3497cd79d8e0 3 days ago 1.029 GB
b154ef538cb2 3 days ago 1.029 GB
b6a176f9183c 3 days ago 1.027 GB
# Or list ALL images
$ docker images -a
Dangling Images

View Slide

Dangling Images
$ docker images -q | xargs docker rmi
Deleted: sha256:58e12b18148976dda668b1d001745853d4997
Deleted: sha256:fd0161ef5c76870cd7a2afe8cada44de5474594
Deleted: sha256:22b96627b93798445d9af6e53bfbc68fde4df14
Deleted: sha256:03879b4386b3362486fc2fe209433dd7177e16
Deleted: sha256:09c6230a686f907721bc4bbfe4009c10872253
Deleted: sha256:088e3f6d5febe3ef82543345aacb12dd7df1ea2
Error response from daemon: conﬂict: unable to delete 3cfbce003800
(cannot be forced) - image is being used by running container 9298939fdffd
Docker won’t delete images that are being used.
Tag your images.

View Slide

Bonus!
#!/bin/bash
if [ $# -eq 0 ] ; then
docker ps -aq | xargs docker rm -f
else
docker ps -a | grep $1 | awk {'print $1'} | xargs docker rm -f
ﬁ
Simple script to clean your dev environment

View Slide

Thanks!
Dan Sosedoff
Doejo
github/twitter: @sosedoff

View Slide

Docker Gotchas

Docker Gotchas

Dan Sosedoff

Other Decks in Technology

Featured

Transcript