Docker debugging cheatsheet.
Getting inside
docker exec -it web bash # or sh
docker exec -it web sh -c "ls /app"
docker exec --user root web bash # as root
If no shell in image (distroless):
docker run --rm -it --pid=container:web --net=container:web nicolaka/netshoot
netshoot is a debug toolkit container that shares namespace with target.
Inspect
docker inspect web | jq
docker inspect --format='{{.State.Status}}' web
docker inspect --format='{{.NetworkSettings.IPAddress}}' web
docker inspect --format='{{json .Config.Env}}' web | jq
docker inspect --format='{{range .Mounts}}{{.Source}} -> {{.Destination}}{{println}}{{end}}' web
Logs
docker logs web
docker logs -f --tail 100 web
docker logs --since 10m web
docker logs web 2>&1 | grep ERROR
docker logs -t web # add timestamps
Container won’t start
docker run --rm myimage # see the error
docker inspect <id> --format='{{.State.Error}}'
docker logs <id>
docker events --filter container=<id>
For “exec format error”: built for wrong architecture.
Networking
# DNS
docker exec web nslookup db
docker exec web getent hosts db
# Connectivity
docker exec web ping -c 3 db
docker exec web nc -zv db 5432
docker exec web curl -v http://api/
# Port listen
docker exec web netstat -tlnp # if available
docker exec web ss -tlnp
If netstat/ss missing, attach netshoot.
Process inspection
docker top web
docker exec web ps auxf
docker exec web pstree
File contents / diff
docker exec web cat /etc/hosts
docker diff web # changes since image started
Useful to spot unexpected modifications.
Open file descriptors
docker exec web ls -la /proc/1/fd/
For “too many open files”:
docker exec web cat /proc/1/limits
strace
docker exec --cap-add SYS_PTRACE web strace -p 1
System call trace. Requires CAP_SYS_PTRACE.
tcpdump
docker run --rm --net container:web nicolaka/netshoot \
tcpdump -i any -w - | wireshark -k -i -
Capture traffic from web container.
CPU / memory pressure
docker stats web
docker stats --no-stream
# Inside container
docker exec web top
docker exec web free -h
Disk usage
docker system df
docker system df -v
du -sh /var/lib/docker/volumes/*/_data | sort -h
Exit codes
| Code | Meaning |
|---|---|
| 0 | success |
| 1 | general error |
| 125 | docker daemon error |
| 126 | command not executable |
| 127 | command not found |
| 137 | SIGKILL (OOM or docker stop) |
| 139 | segfault |
| 143 | SIGTERM |
docker inspect --format='{{.State.ExitCode}}' web
Core dumps
docker run --ulimit core=-1 --security-opt seccomp=unconfined app
# Inside container, core dump on crash
Restart loop
docker inspect --format='{{.State.RestartCount}}' web
docker logs --tail 100 web # what's the error?
Image debugging
docker history --no-trunc myimage
docker run --rm -it myimage sh # inspect contents
docker save myimage > image.tar
tar tvf image.tar # list layers
Profile inside container
# Python
docker exec web py-spy top --pid 1
# Node
docker exec web kill -SIGUSR1 1 # signals inspector start
# Then chrome://inspect
# Go
docker exec web go tool pprof http://localhost:6060/debug/pprof/profile
docker compose debugging
docker compose logs -f
docker compose ps
docker compose config # render final compose
docker compose top
Build debugging
docker build --progress=plain . # verbose output
docker build --no-cache . # bypass cache
docker buildx build --target builder . # stop at stage
# Inspect intermediate stage
docker build -t debug --target builder .
docker run --rm -it debug bash
docker debug (Docker Desktop)
docker debug web # attach debug shell with tools
Available in Docker Desktop. Adds tools to any container.
Common issues
“Container exits immediately”
CMD/ENTRYPOINT mismatch. Check docker logs and docker inspect ... .State.Error.
“Connection refused”
App listening on 127.0.0.1 instead of 0.0.0.0.
“Permission denied”
Volume bind-mount UID mismatch. Use --user or chown.
“No such file or directory”
Path inside container doesn’t exist; or COPY missed it (.dockerignore).
Healthcheck flaps
Endpoint slow during boot. Increase start_period.
Common mistakes
- Debugging without checking
docker logsfirst. - Editing in running container — lost on recreate.
- Using
docker attachinstead ofexec. - Forgetting
-i/-tflags for shell. - Confusing build cache for runtime cache.
Read this next
If you want my debug toolkit container, it’s at rajpoot.dev .
Building something AI-, backend-, or data-heavy and want a second pair of eyes? I do consulting and freelance work — see my projects and ways to reach me at rajpoot.dev .