You’re staring at a failed container, logs are a mess, and you have no idea if the problem is in your Docker image, the runtime configuration, or somewhere in your orchestration setup. Docker debugging best practices 2025 are here to save you from spending hours guessing. Developers struggle with containerized application debugging more than ever—not because Docker is hard, but because there are so many layers to check. This guide cuts through the noise and shows you exactly where to look first.
The Real Problem: Why Docker Debugging Feels Impossible
Your containerized application works perfectly on your laptop but crashes in production. Your teammate says “it works for me,” but it doesn’t work for anyone else. You’re not losing your mind—you’re dealing with something most developers don’t account for: Docker debugging best practices 2025 requires understanding three separate domains simultaneously.
The image layer (what’s baked into your Docker image), the runtime layer (how Docker executes it), and the environment layer (what your container can actually access) are all different worlds. Most debugging attempts fail because developers try to fix the wrong layer. This multi-layer complexity is why many teams also turn to AI agent frameworks for DevOps automation—to reduce manual troubleshooting across different systems.
Quick Fixes — Start Here (30 Seconds Each)
Before you dig deeper, try these sanity checks:
- Restart the container:
docker restart <container-id>— Solves ~15% of “sudden” failures - Check Docker daemon status:
docker psshould return output instantly. If it hangs, your Docker daemon might be stuck - Verify disk space:
docker system df— Full disks cause mysterious failures - Clear dangling images:
docker system prune -a— Sometimes old, conflicting images cause issues - Check if it’s actually running:
docker inspect <container-id> | grep -i state— Confirms the container is actually running, not just existing
If none of these work, you’re dealing with an actual bug. Let’s find it.
Problem: Application Crashes Immediately After Starting
Symptoms
- Container exits with code 1, 127, or 137
- Logs are empty or just show “killed”
- Works fine when you run the command locally
Cause
Your Docker image doesn’t have the right dependencies installed, the entrypoint command is wrong, or the process is running out of memory. Exit code 137 usually means the container hit memory limits or the OOM killer terminated it. When your application needs to parse or validate environment-specific data, missing structured data extraction techniques in your startup scripts can cause silent failures too.
How to Fix It
Step 1: Check the logs with more context
docker logs --tail 50 <container-id>
If logs are truly empty, your entrypoint command isn’t even executing. Try:
docker run -it <image-id> /bin/bash
This gives you an interactive shell inside the image. Run your app manually to see the actual error.
Step 2: Verify the entrypoint
docker inspect <image-id> | grep -A 5 Entrypoint
Make sure it’s pointing to an executable file that actually exists in the image. Common mistake:
ENTRYPOINT ["python app.py"]
But Python isn’t installed in the image, or the path is wrong.
Step 3: Increase memory limits
If exit code is 137, Docker killed the container for using too much memory:
docker run -m 2g <image-id>
Step 4: Add debugging output
Modify your Dockerfile to add verbose output before your app starts:
RUN echo "Starting app..." && \
ls -la /app && \
env && \
/app/start.shProblem: Port Not Accessible From Host
Symptoms
- Container is running, but
localhost:8080refuses the connection - Works when you SSH into the host and test from there
- Port works fine in another container on the same network
Cause
You forgot the -p flag, mapped to the wrong port, or the application is listening on 127.0.0.1 instead of 0.0.0.0. On some systems, especially with SSL/TLS connections involved, port mapping can fail silently due to certificate validation issues. For API debugging with port issues, reference our SSL certificate errors troubleshooting guide.
How to Fix It
Step 1: Verify the port mapping
docker port <container-id>
This shows which ports are mapped. If it’s empty, you didn’t use -p when starting the container.
Step 2: Make sure your app is listening on 0.0.0.0, not 127.0.0.1
docker exec <container-id> netstat -tlnp
Look for your application’s port. If it shows 127.0.0.1:8080, only localhost inside the container can access it. Fix this in your app config or startup script:
BIND_ADDRESS=0.0.0.0
Step 3: Restart with correct port mapping
docker run -p 8080:8080 <image-id>
The format is -p HOST_PORT:CONTAINER_PORT. If your app listens on port 3000 inside the container but you want to access it on 8080 from your host, use -p 8080:3000.
Problem: Out of Memory Errors or Unexpected Restarts
Symptoms
- Container exits with code 137 (OOM killer)
- Restarts automatically without warning
- Application runs fine at first, then crashes after a few hours
Cause
Your application has a memory leak, Docker’s memory limit is too low, or your container is doing something memory-intensive (like loading large files or models into RAM). AI agent frameworks and automation tools can sometimes cause memory spikes during execution.
How to Fix It
Step 1: Check current memory usage
docker stats <container-id>
Watch for the MEM% column. If it climbs steadily, you have a leak.
Step 2: Increase memory limits
docker run -m 4g --memory-swap 8g <image-id>
This sets hard limit at 4GB and swap at 8GB. Only do this as a temporary fix while you hunt the leak.
Step 3: Profile your application
Use language-specific profilers:
- Python:
python -m memory_profiler your_app.py - Node.js: Use clinic.js or node’s built-in
--inspectflag - Java: JProfiler or YourKit
Step 4: Enable restart policy with limits
docker run --restart=on-failure:3 <image-id>
This restarts the container up to 3 times, then stops. Prevents infinite restart loops while you fix the root cause.
Problem: Network Connection Timeouts or DNS Failures
Symptoms
- Container can’t reach other services, but connection times out instead of failing immediately
- DNS lookups fail for service names
- Works in development, fails in production
Cause
The container is on the wrong network, DNS isn’t configured, or there’s a firewall rule blocking traffic. In Kubernetes or swarm mode, service discovery can fail silently.
How to Fix It
Step 1: Check DNS resolution
docker exec <container-id> cat /etc/resolv.conf
Should show nameserver entries. If it’s empty, DNS isn’t configured.
Step 2: Test connectivity manually
docker exec <container-id> ping google.com
docker exec <container-id> curl -v http://other-service:8080
This tells you if DNS works and if the remote service is actually reachable.
Step 3: Verify network setup
docker network ls
docker network inspect <network-name>
Make sure all services are on the same custom network (not the default bridge, which doesn’t have DNS).
Step 4: Add DNS explicitly if needed
docker run --dns 8.8.8.8 <image-id>
Problem: File Permission Errors or Missing Volume Data
Symptoms
Permission deniedwhen writing to a mounted volume- Files exist on the host but Docker can’t see them
- Volume data disappears after container restarts
Cause
UID/GID mismatch between the Docker process and the host filesystem, volume mounted incorrectly, or the volume isn’t actually persistent (anonymous volumes).
How to Fix It
Step 1: Check who owns the volume on the host
ls -la /host/path/to/volume
Step 2: Check what UID the container process runs as
docker exec <container-id> id
If the container runs as UID 1000 but the volume is owned by UID 0, you’ll get permission errors.
Step 3: Fix with docker run flags
docker run -u 0:0 <image-id> — Run as root (not recommended for security)
Or better: adjust the volume permissions on the host
sudo chown 1000:1000 /host/path/to/volume
Step 4: Use named volumes for persistence
docker volume create my_data
docker run -v my_data:/app/data <image-id>
Named volumes persist across container restarts, unlike anonymous volumes.
Problem: Environment Variables Not Loaded or Accessible
Symptoms
- Variables work locally but not in Docker
- Application config is missing values
- Secrets aren’t being loaded
Cause
You forgot the -e flag, the variable wasn’t exported in your Dockerfile, or the shell isn’t reading your env file.
How to Fix It
Step 1: Verify variables are passed
docker exec <container-id> env | grep YOUR_VAR
Step 2: Pass variables with -e or –env-file
docker run -e DATABASE_URL=postgres://localhost <image-id>
Or from a file:
docker run --env-file .env.prod <image-id>
Step 3: Check your startup script
Make sure it sources the environment before starting your app:
#!/bin/bash
source /app/.env
exec node app.jsProblem: Dockerfile Build Failures or Layer Caching Issues
Symptoms
docker buildfails on a line that worked yesterday- Old version of a dependency is being cached
- Build succeeds locally but fails in CI/CD
Cause
Layer caching caused Docker to reuse an old layer, a dependency was removed from a repository, or the build context includes files you didn’t expect.
How to Fix It
Step 1: Skip cache and rebuild
docker build --no-cache -t my-app:latest .
Step 2: Check build context
Make sure you’re not copying huge directories unintentionally. Use .dockerignore:
.git
node_modules
.env
*.logStep 3: Verify the Dockerfile itself
Run each line manually to see where it actually breaks:
docker run <base-image> apt-get update && apt-get install some-package
Step 4: Pin dependency versions
Don’t rely on latest tags:
RUN apt-get install python3.11 postgresql-client-14Advanced Debugging: Tools and Techniques
If basic debugging isn’t cutting it, you need deeper insight.
1. Docker Debug Container
docker debug <container-id>
Drops you into a special debugging container that shares the target container’s filesystem and process namespace. Extremely useful for live inspection.
2. Inspect Running Processes
docker top <container-id> — See all processes inside the container
3. Copy Files Out for Analysis
docker cp <container-id>:/var/log/app.log ./debug.log
Pull logs or config files out of a running or stopped container.
4. Attach to Running Container
docker attach <container-id>
Live stream logs and see output in real-time. Press Ctrl+C to detach without stopping the container.
5. Rebuild with Debug Layers
Create a debug image that includes curl, netcat, strace, and other tools:
FROM myapp:latest
RUN apt-get update && apt-get install -y curl netcat strace htop vimBuild this as myapp:debug and use it instead of the production image when you need to dig deeper.
The Nuclear Option: When Nothing Works
Sometimes you’ve checked everything and still can’t figure it out. Here’s your last resort:
Option 1: Run with Full Logging
dockerd --debug (on the host, requires Docker restart)
This floods you with Docker daemon logs. Overkill, but you’ll see everything.
Option 2: Rebuild the Image From Scratch
Sometimes corruption or bad caching is the culprit:
docker build --no-cache --rm -t myapp:fresh .
Option 3: Use Docker Inspect to Export the Full Config
docker inspect <container-id> > debug-output.json
Review every single setting: mounts, env vars, exposed ports, labels, everything. Often the problem is hiding in something you didn’t expect to check.
Option 4: Test in Docker Desktop vs. Docker Engine
If you’re on Mac or Windows, Docker Desktop behaves differently than native Docker Engine on Linux. Try your setup on both and compare.
Key Takeaways
- Start simple: Restart, check disk space, and verify basic config before assuming complexity
- Debug layer by layer: Check image → runtime → environment, in that order
- Read the actual logs:
docker logsis your best friend - Use interactive shells:
docker run -itanddocker exec -it /bin/bashlet you test theory in real-time - Check port mapping, DNS, and permissions first: These three cause 80% of mysterious failures
- When stuck, export the full config:
docker inspectoutput often reveals what you missed
Docker debugging gets easier