Part 3: Security, Registries, Resource Management, Logging, Monitoring, Troubleshooting, CI/CD, ECS, and Kubernetes

At this point you understand:

• Docker Architecture
• Images and Containers
• Dockerfiles
• Layers
• Caching
• Volumes
• Networking
• Docker Compose

Now we move into the topics that a DevOps Engineer with 6 years of experience deals with in production every day.

This is where most interview questions come from.

---

Docker Security

Most Docker breaches are not caused by Docker itself.

They are caused by poor configuration.

A senior DevOps engineer must always think:

How can this container be compromised?

---

Why Security Matters

Imagine you run:

docker run ubuntu

as root.

Inside the container:

Application
|
Root User

If an attacker compromises the application:

Attacker
   |
Application
   |
Root User

the attacker gains full control inside the container.

---

Root User Problem

Many developers create Dockerfiles like this:

FROM node:20

COPY . .

CMD ["npm","start"]

The application runs as:

root

This is dangerous.

---

Running Containers as Non-Root

Better:

FROM node:20

RUN useradd appuser

USER appuser

COPY . .

CMD ["npm","start"]

Now application runs as:

appuser

instead of root.

---

Why Companies Require This

Security teams often scan images.

If image runs as root:

Security Violation

Pipeline may fail.

Many banks require:

No Root Containers

before deployment.

---

Image Vulnerabilities

Imagine your image contains:

OpenSSL
Java
Python
Linux Packages

One package contains a vulnerability.

Your application becomes vulnerable.

---

Image Scanning

DevOps engineers scan images before deployment.

Common tools:

• Trivy
• Docker Scout
• Snyk

Example:

trivy image myapp:v1

Output:

Critical: 2
High: 5
Medium: 14

You must fix vulnerabilities before production.

---

Secrets Management

Never do this:

ENV DB_PASSWORD=password123

or:

password="password123"

inside source code.

---

Why?

Image is stored in:

• Docker Hub
• ECR
• Artifact Registry

Anyone with access can see it.

---

Proper Secret Management

Use:

• AWS Secrets Manager
• AWS Parameter Store
• Kubernetes Secrets
• HashiCorp Vault

A senior DevOps engineer never stores secrets inside images.

---

Docker Registries

What happens after image creation?

Example:

docker build -t app:v1 .

Image exists only locally.

Need centralized storage.

---

Registry Concept

Think:

GitHub → Source Code

Registry → Docker Images

---

Common Registries

Docker Hub

Most popular public registry.

docker pull nginx

actually pulls from Docker Hub.

---

Amazon ECR

Used heavily in AWS.

Amazon Web Services

Example:

docker push account.dkr.ecr.us-east-1.amazonaws.com/app:v1

---

Enterprise Workflow

Developer pushes code:

GitHub

Pipeline builds image:

Docker Build

Pipeline pushes image:

ECR

Deployment platform:

ECS
EKS
Kubernetes

pulls image from ECR.

---

Docker Resource Limits

One container can consume all server resources.

Example:

Container A

starts using:

100% CPU
64 GB RAM

Other applications fail.

---

Limiting CPU

Example:

docker run --cpus="2" nginx

Container can use:

2 CPUs

maximum.

---

Limiting Memory

Example:

docker run -m 2g nginx

Container can use:

2 GB RAM

maximum.

---

Why This Matters

Production server:

64 GB RAM

10 containers.

Without limits:

One container
|
Consumes everything

Server becomes unstable.

---

OOM Killer

Very important interview topic.

OOM:

Out Of Memory

Linux kills processes when memory runs out.

Symptoms:

Container Restarting
Container Crashing
Exit Code 137

Senior engineers immediately recognize:

Memory issue

---

Docker Logging

Applications generate logs.

Examples:

User Login
Database Error
API Request

Need visibility.

---

Viewing Logs

docker logs container_id

Live monitoring:

docker logs -f container_id

---

Production Logging Architecture

Applications write logs:

Container
   |
Docker Logs
   |
Log Aggregation

Common tools:

• Grafana Loki
• Elasticsearch
• Splunk

---

Monitoring Containers

DevOps engineers monitor:

CPU
Memory
Disk
Network
Errors

---

Docker Stats

Quick monitoring:

docker stats

Output:

CPU
Memory
Network
Block IO

for every container.

---

Enterprise Monitoring Stack

Example:

Node Exporter
     |
Prometheus
     |
Grafana

Exactly what you teach in your DevOps bootcamp.

---

Container Troubleshooting

This is where senior engineers spend significant time.

---

Scenario 1

Application not working.

Check:

docker ps

Question:

Is container running?

---

Scenario 2

Container stopped.

Check:

docker ps -a

Output:

Exited (1)

Container crashed.

---

Scenario 3

Find error.

docker logs container_id

Example:

Database connection failed

Root cause found.

---

Scenario 4

Enter container.

docker exec -it container_id bash

Now inspect:

ls
cat
curl
ping
env

---

Scenario 5

Inspect configuration.

docker inspect container_id

Shows:

Networks
Volumes
Mounts
Environment Variables
IP Address

---

CI/CD with Docker

Modern deployment flow:

Developer
   |
GitHub
   |
Jenkins
   |
Docker Build
   |
Image Scan
   |
Push To ECR
   |
Deploy

---

Example Jenkins Pipeline

Stage 1:

npm test

Stage 2:

docker build

Stage 3:

trivy scan

Stage 4:

docker push

Stage 5:

deploy

---

Docker and ECS

A question you often ask students.

Many people misunderstand ECS.

---

What ECS Does

Docker creates container.

Example:

Docker Image

ECS manages container.

Think:

Docker = Container Technology

ECS = Container Management Platform

---

Deployment Flow

Developer:

Build Image

Push:

ECR

ECS:

Pull Image

Launch:

Task

---

ECS Components

Cluster

Logical group of resources.

Example:

Production Cluster

---

Task Definition

Blueprint.

Contains:

Image
CPU
Memory
Ports
Environment Variables

---

Task

Running container instance.

---

Service

Keeps tasks alive.

Example:

Desired:

3 Tasks

One task crashes.

Service automatically starts another.

---

Fargate and Docker

Without Fargate:

EC2
Docker
Containers

You manage servers.

---

With Fargate:

Container
|
Fargate
|
AWS Manages Servers

Huge operational savings.

---

Docker and Kubernetes

Most senior-level interviews include this topic.

---

Relationship

Docker creates container.

Kubernetes manages containers.

Think:

Docker = Engine

Kubernetes = Orchestrator

---

Why Kubernetes Exists

One server:

5 Containers

Easy.

Hundreds of servers:

5000 Containers

Impossible manually.

Kubernetes automates:

Scheduling
Scaling
Recovery
Networking
Updates

---

Real Production Architecture

Users
   |
Load Balancer
   |
Kubernetes / ECS
   |
Frontend Containers
   |
Backend Containers
   |
Database

---

What a 6-Year DevOps Engineer Must Know About Docker

A senior DevOps engineer should be able to explain:

Architecture

• Docker Engine
• Images
• Containers
• Registries

Dockerfile

• Layers
• Caching
• Multi-stage builds

Storage

• Volumes
• Bind mounts
• Persistence

Networking

• Bridge
• Host
• Overlay
• DNS
• Port Mapping

Security

• Non-root containers
• Vulnerability scanning
• Secrets management

Operations

• Logs
• Monitoring
• Troubleshooting
• Resource limits

Cloud Integration

• ECR
• ECS
• Fargate
• EKS
• Kubernetes

CI/CD

• Jenkins
• GitHub Actions
• GitLab CI/CD
• Automated image scanning
• Automated deployments

If a company hires a DevOps engineer with 6 years of experience, they expect that person not only to run Docker containers, but to design, secure, monitor, troubleshoot, and operate containerized applications in production at scale.