Directory leaks

Earlier in the Data volume section, you learned that the Docker Engine automatically creates directories based on the VOLUME instruction in the Dockerfile as well as the -v option of the docker run subcommand. We also understood that the Docker Engine does not automatically delete these autogenerated directories in order to preserve the state of the application(s) run inside the container. We can force Docker to remove these directories using the -v option of the docker rm subcommand. This process of manual deletion poses two major challenges enumerated as follows:

  • Undeleted directories: There can be scenarios where you may intentionally or unintentionally choose not to remove the generated directory while removing the container.
  • Third-party images: Quite often, we leverage third-party Docker images that could have been built with the VOLUME instruction. Likewise, we might also have our own Docker images with VOLUME inscribed in them. When we launch containers using such Docker images, the Docker Engine will autogenerate the prescribed directories. Since we are not aware of the data volume creation, we may not call the docker rm subcommand with the -v option to delete the autogenerated directory.

In the previously mentioned scenarios, once the associated container is removed, there is no direct way to identify the directories whose containers were removed. Here are a few recommendations on how to avoid this pitfall:

  • Always inspect the Docker images using the docker inspect subcommand and check whether any data volume is inscribed in the image or not.
  • Always run the docker rm subcommand with the -v option to remove any data volume (directory) created for the container. Even if the data volume is shared by multiple containers, it is still safe to run the docker rm subcommand with the -v option because the directory associated with the data volume will be deleted only when the last container sharing that data volume is removed.
  • If, for any reason, you choose to preserve the autogenerated directory, you must keep a clear record so that you can remove it at a later point.
  • Implement an audit framework that will audit and find out the directories that do not have any container association.
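
One way to approach the first and last recommendations, as an added example that is not from the book: the script lists volumes that no container (running or stopped) mounts, and `image_volumes` shows what an image's VOLUME instruction declares. It assumes a Docker release that provides the `docker volume` subcommand; the function names and the sample volume names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Docker volumes that no container (running or stopped) mounts.
# Assumes a Docker release that has the `docker volume` subcommand.

# Print, one per line, the names in list $1 that do not appear in list $2.
orphans() {
    all=$(mktemp) && used=$(mktemp) || return 1
    printf '%s\n' "$1" | sed '/^$/d' | LC_ALL=C sort -u > "$all"
    printf '%s\n' "$2" | sed '/^$/d' | LC_ALL=C sort -u > "$used"
    LC_ALL=C comm -23 "$all" "$used"
    rm -f "$all" "$used"
}

# Names of every volume mounted by any container, including stopped ones.
referenced_volumes() {
    ids=$(docker ps -aq) || return 1
    [ -n "$ids" ] || return 0
    # $ids is intentionally unquoted: one argument per container ID.
    docker inspect --format \
        '{{range .Mounts}}{{if eq .Type "volume"}}{{println .Name}}{{end}}{{end}}' $ids
}

# Volumes declared by an image's VOLUME instruction (check before running it).
image_volumes() {
    docker inspect --format '{{json .Config.Volumes}}' "$1"
}

# Live audit: every volume the engine knows about minus the referenced ones.
audit_live() {
    orphans "$(docker volume ls -q)" "$(referenced_volumes)"
}

# Constructed sample data so the comparison can be exercised without a daemon.
SAMPLE_ALL='constructed_vol_a
constructed_vol_b
constructed_vol_c'
SAMPLE_USED='constructed_vol_b'

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    orphans "$SAMPLE_ALL" "$SAMPLE_USED"   # demo on the constructed lists
fi
```

Run it with `--live` on a Docker host to audit the real engine. Compare the output against your record of intentionally preserved volumes before deleting anything.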