Common Docker Pitfalls and How to Avoid Them
Docker is a fantastic tool that I use regularly, but over time, I’ve encountered a few pitfalls. Below is a collection of common issues you may face and how to address them.
Networking Issues When Running Multiple Stacks
If you’re using Docker Compose, you might run into odd errors when running many stacks at the same time.
The issue stems from how Docker allocates bridge networks. Each Compose project gets its own network, and by default Docker carves those networks out of the private 172.16.0.0/12 and 192.168.0.0/16 ranges in large blocks (/16 and /20), so its default pools only hold about 32 networks in total. Once they are used up, creating another network fails with an error along the lines of "could not find an available, non-overlapping IPv4 address pool among the defaults to assign to the network".
The large blocks also cause overlap problems if other devices on your network use the same private address space (192.168.x.x is common in home networks): routing becomes ambiguous, so you may not be able to reach your Docker services from other devices, or reach those devices from inside a container.
To resolve both problems, configure the default-address-pools setting so that Docker hands out smaller networks, drawn from a range that does not overlap with your home network.
In /etc/docker/daemon.json, add the following and then restart the daemon (systemctl restart docker). Only networks created after the restart use the new pool; existing networks keep their subnets until they are removed and recreated:
{
  "default-address-pools": [
    {
      "base": "172.27.0.0/16",
      "size": 24
    }
  ]
}
This restricts Docker networks to the 172.27.*.* address space and hands out /24 subnets (254 usable addresses each), so you get 256 networks instead of about 32. The base really must be a /16 here: 172.27.0.0/12 is not aligned to a /12 boundary and denotes the whole 172.16.0.0/12 block, not just 172.27.x.x.
For more information, check out this guide
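Before putting a pool into daemon.json it is worth checking what it actually yields. The script below is an added example, not code from the original post, that uses Python's standard ipaddress module to report the effective base network of a pool entry, how many subnets of the requested size fit into it, and whether it overlaps any LAN range you pass in. The DOCKER_DEFAULT_POOLS values are what I recall dockerd using when the setting is absent, and the masking of a misaligned base (172.27.0.0/12 becoming 172.16.0.0/12) is my reading of how the daemon treats it; treat both as assumptions and keep your base aligned regardless.

```python
import ipaddress

# Added example (not from the original post). Pools Docker uses when
# default-address-pools is unset, as I recall dockerd's built-in defaults
# (assumption; check your daemon's documentation for your version).
DOCKER_DEFAULT_POOLS = [
    {"base": "172.17.0.0/12", "size": 16},
    {"base": "192.168.0.0/16", "size": 20},
]


def check_pool(pool, lan_cidrs=()):
    """Report what one pool entry actually yields and any problems with it.

    Returns a dict with the effective base network, how many /<size>
    subnets Docker can carve from it, and a list of issue strings.
    """
    issues = []
    # strict=False drops host bits, so a base such as 172.27.0.0/12 becomes
    # 172.16.0.0/12. Assumption: the daemon masks it the same way, which would
    # hand out a far wider range than the author of the config intended.
    base = ipaddress.ip_network(pool["base"], strict=False)
    if str(base) != pool["base"]:
        issues.append(
            f"base {pool['base']} is not aligned to /{base.prefixlen}; "
            f"effective base is {base}"
        )
    size = pool["size"]
    if size < base.prefixlen or size > 32:
        issues.append(f"size /{size} must lie between /{base.prefixlen} and /32")
        subnet_count = 0
    else:
        subnet_count = 2 ** (size - base.prefixlen)
    for cidr in lan_cidrs:
        lan = ipaddress.ip_network(cidr, strict=False)
        if base.overlaps(lan):
            issues.append(f"pool {base} overlaps LAN range {lan}")
    return {"effective_base": str(base), "subnet_count": subnet_count, "issues": issues}


def total_subnets(pools, lan_cidrs=()):
    """Total number of networks a list of pool entries can provide."""
    return sum(check_pool(p, lan_cidrs)["subnet_count"] for p in pools)


if __name__ == "__main__":
    # Constructed input: a typical home LAN on 192.168.1.0/24.
    lan = ["192.168.1.0/24"]
    print("defaults:", total_subnets(DOCKER_DEFAULT_POOLS, lan), "networks")
    for p in ({"base": "172.27.0.0/12", "size": 24}, {"base": "172.27.0.0/16", "size": 24}):
        print(p, "->", check_pool(p, lan))
```

Run it with your own LAN ranges (ip route on the host lists them) before restarting the daemon; an overlap reported here is exactly the "can't reach my Docker services from the LAN" symptom described above.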
Excessive Disk Usage for Log Files
If your containers write a lot to stdout or stderr, the log files can eat a surprising amount of disk. It’s not uncommon for a chatty container to accumulate 40 GB or more of log data.
By default Docker uses the json-file logging driver, which wraps every line of output in a JSON object (adding the stream name and a timestamp) and writes it uncompressed with no size limit, so the files grow until the disk fills.
To mitigate this, set up log rotation in /etc/docker/daemon.json:
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
This keeps at most three files of 10 MB per container, so roughly 30 MB of the most recent output; anything older is discarded. Two caveats: the daemon-level default only applies to containers created after you restart the daemon, so existing containers must be recreated to pick it up, and a logging: section on a Compose service overrides it, so check your Compose files if one container keeps growing.
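The JSON wrapping is why these files grow faster than the application output alone suggests: every short line carries a timestamp and stream field. The script below is an added example (not from the original post) that parses json-file log lines in the format dockerd writes, measures payload bytes against bytes on disk, and converts a max-size/max-file budget into how many seconds of output it retains at the observed rate. The log lines and the container they came from are constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample of json-file driver output (one JSON object per line with
# "log", "stream" and "time" fields, as dockerd writes them). Not a real log.
SAMPLE_LOG = """\
{"log":"GET /health 200\\n","stream":"stdout","time":"2024-05-01T10:00:00.000000000Z"}
{"log":"GET /api/items 200\\n","stream":"stdout","time":"2024-05-01T10:00:00.500000000Z"}
{"log":"WARN cache miss for key=abc\\n","stream":"stderr","time":"2024-05-01T10:00:01.000000000Z"}
{"log":"GET /health 200\\n","stream":"stdout","time":"2024-05-01T10:00:02.000000000Z"}
"""

SIZE_UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Parse a max-size value such as "10m" or "512k" into bytes."""
    text = text.strip().lower()
    digits = text.rstrip("kmgb")
    unit = text[len(digits):]
    return int(digits) * SIZE_UNITS[unit]


def parse_time(stamp):
    """Parse the nanosecond RFC 3339 timestamps dockerd writes.

    datetime only keeps microseconds, so the fraction is truncated.
    """
    base, _, frac = stamp.rstrip("Z").partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micros, tzinfo=timezone.utc)


def log_stats(text):
    """Measure payload bytes vs bytes on disk and the time span covered."""
    lines = [ln for ln in text.splitlines() if ln]
    records = [json.loads(ln) for ln in lines]
    payload = sum(len(r["log"].encode()) for r in records)
    on_disk = sum(len(ln.encode()) + 1 for ln in lines)  # +1 for the newline
    times = [parse_time(r["time"]) for r in records]
    span = (max(times) - min(times)).total_seconds() if times else 0.0
    return {
        "lines": len(lines),
        "payload_bytes": payload,
        "disk_bytes": on_disk,
        "overhead": on_disk / payload if payload else 0.0,
        "seconds": span,
    }


def retention_seconds(text, max_size="10m", max_file=3):
    """Seconds of output the rotation budget holds at the observed write rate.

    Returns None when the sample spans no time, since no rate can be derived.
    """
    stats = log_stats(text)
    if stats["seconds"] <= 0:
        return None
    rate = stats["disk_bytes"] / stats["seconds"]  # bytes per second on disk
    return parse_size(max_size) * max_file / rate


if __name__ == "__main__":
    s = log_stats(SAMPLE_LOG)
    print(f"{s['lines']} lines, {s['payload_bytes']} payload bytes -> "
          f"{s['disk_bytes']} bytes on disk (x{s['overhead']:.1f})")
    hours = retention_seconds(SAMPLE_LOG) / 3600
    print(f"10m x 3 keeps roughly {hours:.1f} hours at this rate")
```

Point it at a real file under /var/lib/docker/containers/<id>/<id>-json.log to see how long 10m x 3 actually keeps for a given container; for anything you rely on during incident response, that number decides whether the evidence will still be there.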
Issues with iptables-Based Firewalls
Host firewalls that manage iptables rules, such as UFW (Uncomplicated Firewall), may not behave the way you expect alongside Docker. Docker writes its own iptables rules (the DOCKER and DOCKER-USER chains in the filter table, plus NAT rules for published ports), and traffic to a published port is DNAT'ed and forwarded to the container, so it never passes through the INPUT chain where UFW's rules live. As a result, you can see issues such as:
- Ports you thought were internal becoming exposed to the internet: docker run -p 8080:80 binds to 0.0.0.0 on every interface, and a UFW rule denying port 8080 does not stop it.
- Published ports not being reachable, when the firewall's rules interfere with the traffic Docker forwards to the container.
One solution is the ufw-docker workaround, which addresses these conflicts. Two simpler measures also help: bind published ports to localhost when only a reverse proxy on the host needs them (-p 127.0.0.1:8080:80, or set "ip": "127.0.0.1" in daemon.json to make that the default), and put your own filtering rules in the DOCKER-USER chain, which Docker creates for exactly that purpose and evaluates before its own rules.
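A quick way to find out which of your containers are already in the first situation is to look at the host address each published port is bound to. The script below is an added example, not from the original post or the ufw-docker project: it parses the Ports column of docker ps output (host:port->container/proto, comma separated, with IPv6 addresses shown as [::] or ::) and lists every port bound to a non-loopback address, which UFW cannot protect. The sample output is constructed; feed it the real thing with docker ps --format '{{.Names}}\t{{.Ports}}'.

```python
import ipaddress

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# The column format is the one docker ps prints; the containers are made up.
SAMPLE_PS = """\
web\t0.0.0.0:8080->80/tcp, [::]:8080->80/tcp
db\t127.0.0.1:5432->5432/tcp
cache\t6379/tcp
legacy\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp
"""


def parse_ports(ports_field):
    """Split a docker ps Ports column into one dict per mapping."""
    mappings = []
    for entry in (e.strip() for e in ports_field.split(",") if e.strip()):
        if "->" not in entry:
            # EXPOSE'd but not published: only reachable on the bridge network.
            cport, _, proto = entry.partition("/")
            mappings.append({"published": False, "host_ip": None, "host_port": None,
                             "container_port": cport, "proto": proto})
            continue
        host, _, target = entry.partition("->")
        # rpartition keeps IPv6 forms like "[::]:8080" and ":::9000" intact.
        addr, _, hport = host.rpartition(":")
        cport, _, proto = target.partition("/")
        mappings.append({"published": True, "host_ip": addr.strip("[]"),
                         "host_port": hport, "container_port": cport, "proto": proto})
    return mappings


def exposed_to_network(mapping):
    """True if the mapping listens on anything other than 127.x or ::1."""
    if not mapping["published"]:
        return False
    return not ipaddress.ip_address(mapping["host_ip"]).is_loopback


def audit(ps_output):
    """Return (container, host_ip, host_port) for every port that bypasses UFW."""
    findings = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for m in parse_ports(ports):
            if exposed_to_network(m):
                findings.append((name, m["host_ip"], m["host_port"]))
    return findings


if __name__ == "__main__":
    for name, ip, port in audit(SAMPLE_PS):
        print(f"{name}: {ip}:{port} is reachable regardless of UFW rules")
```

Anything the script lists is answered directly by Docker's NAT rules; either rebind it to 127.0.0.1 or add an explicit rule for it in DOCKER-USER.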