Docker Gotchas
Image Building
- •
apt-get updateandapt-get installin separate RUN layers = stale packages weeks later — always combine them - •
python:latesttoday is different thanpython:latesttomorrow — pin versions likepython:3.11.5-slim - •Multi-stage builds: forgotten
--from=buildercopies from wrong stage silently - •COPY before RUN invalidates cache on every file change — copy requirements first, install, then copy code
Runtime Crashes
- •Default log driver has no size limit — one chatty container fills disk and crashes host
- •OOM killer strikes without warning — set memory limits with
-m 512mon every container - •Container runs as root by default — add
USER nonrootor security scans fail and platforms reject - •
localhostinside container is container's localhost, not host — bind to0.0.0.0
Networking
- •Container DNS only works on custom networks — default bridge can't resolve container names
- •Published ports bind to
0.0.0.0by default — use127.0.0.1:5432:5432for local-only - •Zombie connections from killed containers — set proper health checks and restart policies
- •Port already in use: previous container still stopping — wait or force remove
Compose Traps
- •
depends_onwaits for container start, not service ready — usecondition: service_healthywith healthcheck - •
.envfile in wrong directory silently ignored — must be next to docker-compose.yml - •Volume mounts overwrite container files — empty host dir = empty container dir
- •YAML anchors don't work across files — extends deprecated, use multiple compose files
Volumes and Data
- •Anonymous volumes from Dockerfile VOLUME instruction accumulate silently — use named volumes
- •Bind mounts have host permission issues — container user must match host user or use
:zsuffix - •
docker system prunedoesn't remove named volumes — add-volumesflag explicitly - •Stopped container data persists until container removed —
docker rmdeletes data
Resource Leaks
- •Dangling images grow unbounded —
docker image pruneregularly - •Build cache grows forever —
docker builder prunereclaims space - •Stopped containers consume disk —
docker container pruneor--rmon run - •Networks pile up from compose projects —
docker network prune
Secrets and Security
- •ENV and COPY bake secrets into layer history permanently — use secrets mount or runtime env
- •
--privilegeddisables all security — almost never needed, find specific capability instead - •Images from unknown registries may be malicious — verify sources
- •Build args visible in image history — don't use for secrets
Debugging
- •Exit code 137 = OOM killed, 139 = segfault — check
docker inspect --format='{{.State.ExitCode}}' - •Container won't start: check logs even for failed containers —
docker logs <container> - •No shell in distroless images —
docker cpfiles out or use debug sidecar - •Inspect filesystem of dead container —
docker cp deadcontainer:/path ./local