Common Docker Problems and Solutions
0 likes234 views
The document discusses common problems and solutions related to Docker, including issues like memory leaks, missing dependencies, filesystem errors, and security vulnerabilities. It provides recommendations for maintaining stability and security, such as logging, testing, upgrading Docker versions, using secure practices for handling secrets, and selecting stable storage drivers. Additionally, it emphasizes the importance of keeping images and Docker up-to-date to mitigate potential risks.
Common Docker Problems and Solutions
- 1. Common Docker Problems and Solutions Joel Chen LinkedIn: http://lnkd.in/bwwnBWR GitHub: https://github.com/joelchen
- 2. Stability: Problems š Memory leak: $ free -h total used free shared buffers cached Mem: 995M 961M 33M 480K 57M 252M -/+ buffers/cache: 961M 0M Swap: 1.0G 1.0G 0M š Dependencies not included in official Docker images (e.g. OpenJDK missing libfontconfig1: https://github.com/docker-library/openjdk/issues/46) š Filesystem error: create/symlink failed, no inodes free
- 3. Stability: Solutions š Prevent problems by logging, monitoring, and testing š Prevent multiple containers from using the same port š Upgrade to latest version of Docker š File issue in the official Docker image repository in GitHub, and other issue trackers related to the problem š Use workaround until issue is resolved (e.g. older version of official Docker image with dependencies included) š Select a stable storage driver and filesystem
- 5. Security: Problems š Common security concerns (exploits, attacks, threats) š Sharing secrets using environment variables (exposed in many places) š In Docker 1.7 and below, Docker is vulnerable to image forgery and replay attacks š In Docker 1.9 and below, processes running as root (UID 0) in a container has root-level privileges on the underlying host when interacting with the kernel š Vulnerable Docker images
- 6. Security: Problems Official Images with Vulnerabilities General Images with Vulnerabilities http://www.banyanops.com/blog/analyzing-docker-hub/
- 7. Security: Solutions š Security practices (encryption, monitoring, access control, inbound/outbound filtering, logging, backup, patching, verifying authenticity, policy, training) š Pass secrets in volumes, or in key-value stores (etcd, Vault, Keywhiz) š Mount the container's root filesystem as read only whenever possible (mount tmpfs directories if required) docker run -d --read-only --tmpfs /run --tmpfs /tmp IMAGE š Upgrade to latest version of Docker (Docker 1.8 introduced Docker Content Trust, and Docker 1.10 introduced Seccomp Profiles, User Namespaces, Authorization Plugins) š Use and periodically update to the latest version of images š Use minimal base images (scratch, busybox, alpine) and USER instruction to build custom Docker images whenever possible š Security tools, especially Docker Bench for Security (https://dockerbench.com/), and others (https://www.alfresco.com/blogs/devops/2015/12/03/docker-security-tools-audit-and- vulnerability-assessment/)
- 8. Thank You Joel Chen LinkedIn: http://lnkd.in/bwwnBWR GitHub: https://github.com/joelchen