搵技能.../

Docker | Skills Pool

技能檔案

Docker

Run containers in production avoiding common crashes, security holes, and resource traps.

vibekit-apps0 星標2026年2月10日

職業: 網絡同電腦系統管理員
分類: CI/CD

技能內容

Docker Gotchas

Image Building

apt-get update and apt-get install in separate RUN layers = stale packages weeks later — always combine them
python:latest today is different than python:latest tomorrow — pin versions like python:3.11.5-slim
Multi-stage builds: forgotten --from=builder copies from wrong stage silently
COPY before RUN invalidates cache on every file change — copy requirements first, install, then copy code

Runtime Crashes

Default log driver has no size limit — one chatty container fills disk and crashes host
OOM killer strikes without warning — set memory limits with -m 512m on every container
Container runs as root by default — add USER nonroot or security scans fail and platforms reject
localhost inside container is container's localhost, not host — bind to

相關技能

快速安裝

Docker

npx skills add vibekit-apps/skills-registry

下載 Skill 打開源碼倉庫

作者: vibekit-apps
星標: 0
更新時間: 2026年2月10日
職業

本頁內容

01Docker Gotchas 02

0.0.0.0

Networking

Container DNS only works on custom networks — default bridge can't resolve container names
Published ports bind to 0.0.0.0 by default — use 127.0.0.1:5432:5432 for local-only
Zombie connections from killed containers — set proper health checks and restart policies
Port already in use: previous container still stopping — wait or force remove

Compose Traps

depends_on waits for container start, not service ready — use condition: service_healthy with healthcheck
.env file in wrong directory silently ignored — must be next to docker-compose.yml
Volume mounts overwrite container files — empty host dir = empty container dir
YAML anchors don't work across files — extends deprecated, use multiple compose files

Volumes and Data

Anonymous volumes from Dockerfile VOLUME instruction accumulate silently — use named volumes
Bind mounts have host permission issues — container user must match host user or use :z suffix
docker system prune doesn't remove named volumes — add -volumes flag explicitly
Stopped container data persists until container removed — docker rm deletes data

Resource Leaks

Dangling images grow unbounded — docker image prune regularly
Build cache grows forever — docker builder prune reclaims space
Stopped containers consume disk — docker container prune or --rm on run
Networks pile up from compose projects — docker network prune

Secrets and Security

ENV and COPY bake secrets into layer history permanently — use secrets mount or runtime env
--privileged disables all security — almost never needed, find specific capability instead
Images from unknown registries may be malicious — verify sources
Build args visible in image history — don't use for secrets

Debugging

Exit code 137 = OOM killed, 139 = segfault — check docker inspect --format='{{.State.ExitCode}}'
Container won't start: check logs even for failed containers — docker logs <container>
No shell in distroless images — docker cp files out or use debug sidecar
Inspect filesystem of dead container — docker cp deadcontainer:/path ./local

Image Building

03Runtime Crashes

05Compose Traps

06Volumes and Data

07Resource Leaks

08Secrets and Security

Openclaw Parallels Smoke

End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.

Github

GitHub operations via `gh` CLI: issues, PRs, CI runs, code review, API queries. Use when: (1) checking PR status or CI, (2) creating/commenting on issues, (3) listing/filtering PRs or issues, (4) viewing run logs. NOT for: complex web UI interactions requiring manual browser flows (use browser tooling when available), bulk operations across many repos (script with gh api), or when gh auth is not configured.

Azure Pipelines

Use when validating Azure DevOps pipeline changes for the VS Code build. Covers queueing builds, checking build status, viewing logs, and iterating on pipeline YAML changes without waiting for full CI runs.

microsoft184.0k

Update Screenshots

Download screenshot baselines from the latest CI run and commit them. Use when asked to update, accept, or refresh component screenshot baselines from CI, or after the screenshot-test GitHub Action reports differences. This skill should be run as a subagent.

microsoft184.0k

Deployment Patterns

Deployment workflows, CI/CD pipeline patterns, Docker containerization, health checks, rollback strategies, and production readiness checklists for web applications. Use when setting up deployment infrastructure or planning releases.

Django Verification

Verification loop for Django projects: migrations, linting, tests with coverage, security scans, and deployment readiness checks before release or PR.

網絡同電腦系統管理員