You hard-coded the database password in the Dockerfile. It worked in development. Then someone pushed the image to a public registry. Now your database password is on the internet forever, baked into an immutable image layer that docker history will happily reveal to anyone. Environment variables done right prevent this entire class of mistakes.
30 posts tagged with "Docker"
Container fundamentals with Docker
Your container is "running." The process has PID 1, Docker says status is Up 47 minutes, and everything looks fine. Except the application inside crashed 20 minutes ago, the event loop is deadlocked, or the database connection pool is exhausted. Traffic keeps flowing in. Users keep getting 502 errors. Docker has no idea anything is wrong because "running" and "healthy" are not the same thing.
A container is not a security boundary. It shares the host kernel, and a misconfigured container running as root with all capabilities is one exploit away from full host compromise. The good news is that Docker gives you layers of defense — most people just never enable them.
Your production Go binary is 15 MB. Your Docker image is 1.1 GB. That is not a rounding error — it is a sign that you are shipping an entire operating system, a compiler toolchain, and hundreds of packages you will never use at runtime. Multi-stage builds fix this in a way that feels almost too easy.
Your container exits immediately with code 1. Or it starts but the application is unreachable. Or it runs for an hour and then OOMs. Docker gives you powerful debugging tools, but most people only know docker logs. Here is the full toolkit for diagnosing container problems.
You have built a Docker image. Now what? You need somewhere to store it so your CI/CD pipeline, your Kubernetes cluster, or your teammates can pull it. That somewhere is a container registry. But which one? The answer depends on your cloud provider, team size, budget, and how much you enjoy YAML.
