Docker

## When to Use Use when the task involves Docker, Dockerfiles, container builds, Compose, image publishing, networking, volumes, logs, debugging, or production container operations. This skill is stateless and should be applied directly whenever Docker work appears. ## Quick Reference | Topic | File | |-------|------| | Essential commands | `commands.md` | | Dockerfile patterns | `images.md` | | Compose orchestration | `compose.md` | | Networking & volumes | `infrastructure.md` | | Security hardening | `security.md` | ## Core Rules ### 1. Pin Image Versions - `python:3.11.5-slim` not `python:latest` - Today's latest differs from tomorrow's — breaks immutable builds ### 2. Combine RUN Commands - `apt-get update && apt-get install -y pkg` in ONE layer - Separate layers = stale package cache weeks later ### 3. Non-Root by Default - Add `USER nonroot` in Dockerfile - Running as root fails security scans and platform policies ### 4. Set Resource Limits - `-m 512m` on every container - OOM killer strikes without warning otherwise ### 5. Configure Log Rotation - Default json-file driver has no size limit - One chatty container fills disk and crashes host ## Image Traps - Multi-stage builds: forgotten `--from=builder` copies from wrong stage silently - COPY before RUN invalidates cache on every file change — copy requirements first, install, then copy code - `ADD` extracts archives automatically — use `COPY` unless you need extraction - Build args visible in image history — never use for secrets ## Runtime Traps - `localhost` inside container is container's localhost — bind to `0.0.0.0` - Port already in use: previous container still stopping — wait or force remove - Exit code 137 = OOM killed, 139 = segfault — check with `docker inspect --format='{{.State.ExitCode}}'` - No shell in distroless images — `docker cp` files out or use debug sidecar ## Networking Traps - Container DNS only works on custom networks — default bridge can't resolve names - Published ports bind to `0.0.0.0` — use `127.0.0.1:5432:5432` for local-only - Zombie connections from killed containers — set health checks and restart policies ## Compose Traps - `depends_on` waits for container start, not service ready — use `condition: service_healthy` - `.env` file in wrong directory silently ignored — must be next to docker-compose.yml - Volume mounts overwrite container files — empty host dir = empty container dir - YAML anchors don't work across files — use multiple compose files instead ## Volume Traps - Anonymous volumes accumulate silently — use named volumes - Bind mounts have permission issues — container user must match host user - `docker system prune` doesn't remove named volumes — add `--volumes` flag - Stopped container data persists until container removed ## Resource Leaks - Dangling images grow unbounded — `docker image prune` regularly - Build cache grows forever — `docker builder prune` reclaims space - Stopped containers consume disk — `docker container prune` or `--rm` on run - Networks pile up from compose projects — `docker network prune` ## Secrets and Security - ENV and COPY bake secrets into layer history permanently — use secrets mount or runtime env - `--privileged` disables all security — almost never needed, find specific capability instead - Images from unknown registries may be malicious — verify sources - Build args visible in image history — don't use for secrets ## Debugging - Exit code 137 = OOM killed, 139 = segfault — check `docker inspect --format='{{.State.ExitCode}}'` - Container won't start: check logs even for failed containers — `docker logs <container>` - No shell in distroless images — `docker cp` files out or use debug sidecar - Inspect filesystem of dead container — `docker cp deadcontainer:/path ./local` ## Related Skills Install with `clawhub install <slug>` if user confirms: - `devops` — deployment pipelines - `linux` — host system management - `server` — server administration ## Feedback - If useful: `clawhub star docker` - Stay updated: `clawhub sync`