Thursday, February 6, 2025

Docker Security and Troubleshooting



Docker Security & Troubleshooting Guide 

1. Docker Security Best Practices 

A. General Security Measures

Use Official & Trusted Images
Pull images from Docker Official Images (the library/ namespace on Docker Hub) or from publishers you trust. An image under a personal namespace, such as the author's below, is only as trustworthy as that publisher, so check who maintains it and pin a specific tag or digest instead of relying on :latest, which can change underneath you.

docker pull devopspatemf2021/webapps:latest

Use Docker Content Trust (DCT) to verify image signatures. With the variable exported, docker pull, run and build refuse any tag that does not carry a valid Notary signature, so expect unsigned images to fail until you either sign them or clear the variable:

export DOCKER_CONTENT_TRUST=1

Run Containers as a Non-Root User
Avoid running containers as root: create an unprivileged user in the image and switch to it with USER, so a compromised process does not hold uid 0 inside the container. The --gecos "" option keeps adduser from prompting for account details during a non-interactive build.

# Inside the Dockerfile
RUN adduser --disabled-password --gecos "" twtech-user
USER twtech-user

Keep Docker & Dependencies Updated
Regularly update Docker Engine, the host OS, and the base images your containers are built from; a patched host does not fix a vulnerable library baked into an image, so rebuild and redeploy images as well. On Debian/Ubuntu hosts:

apt-get update && apt-get upgrade -y

Enable Docker Security Scanning
Scan images for known vulnerabilities before deploying them. The docker scan plugin (backed by Snyk) was deprecated and removed in 2023, so on a current install use Docker Scout, or a standalone scanner such as Trivy or Grype:

docker scout cves devopspatemf2021/webapps:latest

Use Read-Only Filesystems
Mount the container's root filesystem read-only so a compromised process cannot drop files or tamper with binaries. Applications that need scratch space still get it through an explicit writable mount, for example --tmpfs /tmp, or a volume:

docker run --read-only twtech-webapp

Use Resource Limits (CPU & Memory)
Prevent one container from exhausting the host with --memory and --cpus. A container that exceeds its memory limit is killed by the kernel OOM killer instead of taking the host, and every other container, down with it.

docker run --memory=512m --cpus=1 twtech-webapp

Enable Logging & Monitoring
Have applications log to stdout/stderr so the Docker logging driver captures them, and ship logs and metrics to a stack such as the ELK Stack, Datadog, CloudWatch, or Prometheus with Grafana.

Enable Seccomp, AppArmor, and SELinux
Use kernel security profiles to restrict what a container can do. Docker applies its default seccomp profile (which blocks around 44 system calls) to every container unless it is started with --privileged or seccomp=unconfined; pass a file path to apply a tighter custom profile. On hosts with AppArmor or SELinux, add the matching --security-opt apparmor=<profile> or --security-opt label=type:<type> option as well.

docker run --security-opt seccomp=default.json twtech-webapp

Restrict Privileged Mode
Never run containers with the --privileged flag unless absolutely necessary: it grants every capability, exposes all host devices, and turns off the default seccomp and AppArmor confinement, which amounts to root on the host. Start from no capabilities instead and add back only the ones the workload needs with --cap-add; combine this with --security-opt no-new-privileges so setuid binaries inside the container cannot regain privileges.

docker run --cap-drop=ALL twtech-webapp

Network Security (Avoid Default Bridge)
On the default bridge every container can reach every other container. A user-defined bridge isolates its members from containers on other networks and gives them name resolution by container name:

docker network create twtech-secure-net
docker run --network=twtech-secure-net twtech-webapp

Limit Container Capabilities
Drop the Linux capabilities the application does not need. NET_RAW, for example, allows raw sockets and therefore ARP or packet spoofing from inside the container; a web application that only opens TCP connections has no use for it:

docker run --cap-drop=NET_RAW twtech-webapp
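The flags above are easy to forget on one deployment out of ten, so it is worth checking what a container actually got. The following script is an added example and not code from the original post: it audits docker inspect output against the checklist in this section (non-root user, no --privileged, --cap-drop=ALL, --read-only, memory and CPU limits, a user-defined network, seccomp/AppArmor still on, no-new-privileges). The two JSON samples are constructed to look like docker inspect output for a container named twtech-webapp, trimmed to the fields the checks read; on a real host run docker inspect twtech-webapp > c.json and pass the file as the first argument.

```python
"""Audit `docker inspect` output against the hardening checklist above.

Added example, not code from the original post. SAMPLE_INSPECT and
HARDENED_INSPECT are constructed to resemble `docker inspect` output for a
container named twtech-webapp, trimmed to the fields the checks read.
Usage on a real host:  docker inspect twtech-webapp > c.json; python3 audit.py c.json
"""
import json
import sys

# Constructed: a container started with plain `docker run -d --name twtech-webapp twtech-webapp`.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/twtech-webapp",
    "Config": {"User": "", "Image": "twtech-webapp"},
    "HostConfig": {
        "Privileged": False, "CapAdd": None, "CapDrop": None,
        "ReadonlyRootfs": False, "Memory": 0, "NanoCpus": 0,
        "NetworkMode": "default", "SecurityOpt": None, "PidMode": "",
    },
}])

# Constructed: the same container started with the flags from the checklist
# (--user, --cap-drop=ALL, --read-only, --memory=512m, --cpus=1,
#  --network=twtech-secure-net, --security-opt no-new-privileges).
HARDENED_INSPECT = json.dumps([{
    "Id": "0123456789ab",
    "Name": "/twtech-webapp",
    "Config": {"User": "twtech-user", "Image": "twtech-webapp"},
    "HostConfig": {
        "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
        "ReadonlyRootfs": True, "Memory": 536870912, "NanoCpus": 1000000000,
        "NetworkMode": "twtech-secure-net",
        "SecurityOpt": ["no-new-privileges"], "PidMode": "",
    },
}])


def _caps(values):
    """Normalise capability names: docker accepts both NET_RAW and CAP_NET_RAW."""
    return {c.upper().removeprefix("CAP_") for c in (values or [])}


def audit_container(container: dict) -> list[str]:
    """Return findings for one inspect record; an empty list passes every check."""
    cfg = container.get("Config") or {}
    hc = container.get("HostConfig") or {}
    sec = hc.get("SecurityOpt") or []
    findings = []

    # USER in the Dockerfile or --user on the command line; "" means uid 0.
    if (cfg.get("User") or "").split(":")[0] in ("", "root", "0"):
        findings.append("runs as root (no USER / --user)")
    if hc.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices, seccomp/AppArmor off")
    if "ALL" not in _caps(hc.get("CapDrop")):
        findings.append("default capability set kept (expected --cap-drop=ALL)")
    added = _caps(hc.get("CapAdd"))
    if added:
        findings.append("capabilities added back: " + ", ".join(sorted(added)))
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem writable (expected --read-only)")
    if not hc.get("Memory"):
        findings.append("no memory limit (expected --memory)")
    if not hc.get("NanoCpus"):
        findings.append("no CPU limit (expected --cpus)")
    if hc.get("NetworkMode") in ("default", "bridge", "host"):
        findings.append("on the default bridge or host network (expected a user-defined network)")
    if any(o.startswith(("seccomp=unconfined", "apparmor=unconfined")) for o in sec):
        findings.append("seccomp or AppArmor disabled via --security-opt")
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in sec):
        findings.append("no-new-privileges not set (setuid binaries can regain privileges)")
    if hc.get("PidMode") == "host":
        findings.append("shares the host PID namespace (--pid=host)")
    return findings


def audit_inspect_output(text: str) -> dict[str, list[str]]:
    """Map each container name in `docker inspect` JSON (a list) to its findings."""
    return {c.get("Name", c.get("Id", "?")): audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(text).items():
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print("  -", f)
```

Run without arguments it reports the seven findings of the plain container; against the hardened sample it reports none. docker inspect accepts several names at once, so one run can cover every container on a host.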

2. Docker Troubleshooting Guide 

A. General Troubleshooting Commands

1. List Containers (including stopped ones, with their exit status)

docker ps -a

2. View Logs

docker logs twtech-webapp

3. Enter a Running Container (minimal images may ship only /bin/sh; use that if bash is missing)

docker exec -it twtech-webapp /bin/bash

4. Inspect Container Details (full configuration, mounts, network settings, and the last exit code)

docker inspect twtech-webapp

5. Check Resource Usage

docker stats

6. Check Network Configuration (substitute your user-defined network name to see which containers are attached to it)

docker network inspect bridge

B. Common Issues & Fixes

1. Container Won't Start

Check the logs of the exited container (docker ps -a shows its exit code):

docker logs twtech-webapp

Run the image interactively to debug. If the image sets an ENTRYPOINT, the trailing /bin/sh only replaces the CMD arguments, so in that case override the entrypoint instead: docker run -it --entrypoint /bin/sh twtech-webapp.

docker run -it twtech-webapp /bin/sh

Read the error message and look for missing dependencies, files, or environment variables the application expects.

2. Port Binding Issues

Issue: Container runs but is not reachable from the host.
Fix: Ensure the port is published correctly. The flag is -p <host-port>:<container-port>, and the application inside the container must listen on 0.0.0.0 (all interfaces), not 127.0.0.1, or traffic forwarded from the host never reaches it.

docker run -d -p 8080:8080 twtech-webapp

Check whether something on the host already holds the port (ss -tulnp | grep 8080 does the same where net-tools is not installed):

netstat -tulnp | grep 8080

3. High CPU/Memory Usage

Issue: Container consuming too many resources.
Fix: Check resource usage.

docker stats

Limit resources:

docker run --memory=512m --cpus=1 twtech-webapp

4. Docker Daemon Not Starting

Issue: Docker service won’t start.
Fix: Restart Docker.

systemctl restart docker

Check daemon logs:

journalctl -u docker --no-pager | tail -n 50

5. Image Pull Fails

Issue: Docker can't pull an image because of a network problem.
Fix: Test connectivity from the host (ICMP may be blocked on some networks, so a failed ping is not conclusive on its own).

ping google.com

To hand containers alternative DNS servers (e.g. Google DNS), add a dns entry to /etc/docker/daemon.json, keeping the file's other keys and making sure it stays a single valid JSON object, then restart the daemon. Note that this setting applies to containers; the daemon itself resolves registry hostnames through the host's resolver, so a pull that fails on name resolution is fixed on the host (/etc/resolv.conf), not here.

{ "dns": ["8.8.8.8", "8.8.4.4"] }

systemctl restart docker

Retry the pull by hand and read the error: it distinguishes a network or TLS failure from a missing tag or an authorization failure.

docker pull twtech-webapp
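Editing daemon.json by hand is where this fix usually goes wrong: overwriting the file with just the dns fragment discards settings that were already there, and a stray comma leaves the daemon unable to start. The script below is an added example, not code from the original post; it merges a dns entry into the existing configuration, validates the servers as IP literals, and refuses anything that is not a JSON object. The EXISTING text is constructed, and /etc/docker/daemon.json is Docker Engine's default configuration path on Linux.

```python
"""Set container DNS servers in /etc/docker/daemon.json without clobbering it.

Added example, not code from the original post. EXISTING is a constructed
daemon.json; DAEMON_JSON is Docker Engine's default config path on Linux.
The `dns` key is handed to containers; the daemon resolves registry names via
the host resolver, so this alone does not fix a pull failing on DNS.
"""
import ipaddress
import json
from pathlib import Path

DAEMON_JSON = Path("/etc/docker/daemon.json")

# Constructed: a daemon.json that already carries other settings worth keeping.
EXISTING = '{\n  "log-driver": "json-file",\n  "log-opts": {"max-size": "10m"}\n}\n'


def merge_daemon_dns(existing_text: str, dns_servers) -> dict:
    """Return the config with `dns` set, keeping every other key.

    An empty or missing file is treated as {}. Anything else that is not a
    JSON object is rejected instead of overwritten, because a malformed
    daemon.json prevents the daemon from starting at all.
    """
    config = json.loads(existing_text) if existing_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a single JSON object")
    servers = []
    for s in dns_servers:
        ipaddress.ip_address(s)  # raises ValueError for anything that is not an IP literal
        servers.append(str(s))
    if not servers:
        raise ValueError("at least one DNS server is required")
    config["dns"] = servers
    return config


def render_daemon_json(config: dict) -> str:
    """Serialise as indented JSON with a trailing newline."""
    return json.dumps(config, indent=2) + "\n"


def update_daemon_json(dns_servers, path: Path = DAEMON_JSON) -> str:
    """Read, merge and write back; returns the new text.

    Run as root, then `systemctl restart docker` for the change to apply.
    """
    existing = path.read_text() if path.exists() else ""
    text = render_daemon_json(merge_daemon_dns(existing, dns_servers))
    path.write_text(text)
    return text


if __name__ == "__main__":
    # Dry run on the constructed sample: prints the merged file, writes nothing.
    print(render_daemon_json(merge_daemon_dns(EXISTING, ["8.8.8.8", "8.8.4.4"])))
```

Call update_daemon_json(["8.8.8.8", "8.8.4.4"]) as root to write the real file; the daemon only reads daemon.json at startup, so the restart is still required.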
 
6. Image Does Not Exist in the Repository

Check on Docker Hub (or your own registry) that the image and tag still exist; tags get renamed or removed. A pull of a missing tag fails with "manifest unknown" rather than a network error.

7. Image Is in a Private Repository

A private repository requires docker login before the pull. An unauthenticated pull of a private image reports "pull access denied ... repository does not exist or may require 'docker login'", the same wording as for a missing image, so do not rule out a permissions problem from the message alone.

docker login -u <docker-hub-username>

Enter the password (or, preferably, a Docker Hub access token) at the prompt rather than passing it on the command line, where it would end up in shell history.

8. Storage Issues (No Space Left)

Issue: Docker is consuming too much disk space.

Fix: Check what is using the space first:

docker system df

Then remove unused resources. Note that -a removes every image not used by a running container (not only dangling layers), along with stopped containers, unused networks and the build cache, so restart or export any stopped container you still need before pruning:

docker system prune -a

twtech-Thoughts

Security First: Run containers with minimal privileges and update regularly.
Use Logs & Monitoring: Always check logs (docker logs), inspect containers (docker inspect), and monitor resources (docker stats).
Network & Storage Optimization: Use custom networks, optimize storage, and clean up old resources.
