50 Essential Docker Maintenance Commands for Daily Ops and Security
This guide compiles 50 practical Docker commands covering daily status checks, weekly resource cleanup, monthly security hardening, logging and monitoring, image management, high‑availability, and disaster‑recovery, helping operators maintain healthy containers across Rocky, CentOS, and Kylin environments.
1. Status Checks (Daily – 10 commands)

View all container statuses:
    docker ps -a

List only exited containers (focus area):
    docker ps -a --filter "status=exited"

Show recently restarted containers (potentially unstable):
    docker ps --format "table {{.Names}} {{.Status}} {{.RunningFor}}" | grep "Restarting"

Check if Docker service is active:
    systemctl is-active docker

Verify image registry mirrors are effective:
    docker info | grep -A 3 "Registry Mirrors"

Inspect container CPU/memory usage:
    docker stats --no-stream

Detect containers killed by OOM:
    docker inspect $(docker ps -aq) | jq -r '.[] | select(.State.OOMKilled==true) | .Name'

Show Docker storage driver (performance impact):
    docker info | grep "Storage Driver"

Confirm Compose plugin availability:
    docker compose version

Check kernel support for overlay2 (recommended driver):
    grep overlay /proc/filesystems

2. Resource Cleanup (Weekly – 10 commands)

Remove dangling images:
    docker image prune -f

Remove all unused images:
    docker image prune -af

Remove stopped containers:
    docker container prune -f

Remove unused networks:
    docker network prune -f

Remove unused volumes (use with caution):
    docker volume prune -f

One-click cleanup of all unused resources (including volumes):
    docker system prune -f --volumes

Delete all resources of a specific Compose project:
    cd /opt/myapp && docker compose down --volumes --remove-orphans

Clean build cache to save space:
    docker builder prune -f

Show detailed disk usage:
    docker system df -v

Automatically delete log files older than 7 days (with log rotation):
    find /var/lib/docker/containers -name "*.log" -mtime +7 -delete

3. Security Hardening (Monthly – 10 commands)

Check if containers run as root (high risk):
    # An unset user is reported as an empty string, which means root
    docker inspect $(docker ps -q) | jq -r '.[] | .Name + ": " + (if (.Config.User // "") == "" then "root" else .Config.User end)'

Prevent containers from accessing sensitive host directories:
    # Manual inspection of mount points
    docker inspect $(docker ps -q) | jq -r '.[].Mounts[]?.Source'

Ensure containers are not in privileged mode:
    # Lists the names of running containers started with --privileged
    docker inspect $(docker ps -q) | jq -r '.[] | select(.HostConfig.Privileged==true) | .Name'

Detect exposure of high-risk ports (e.g., 22, 3306, 5432):
    # Match the published host port exactly, so 2222 or 33060 do not count
    docker ps --format "table {{.Names}} {{.Ports}}" | grep -E ':(22|3306|5432)->'

Update Docker to the latest stable version:
    dnf update docker-ce docker-ce-cli -y

Verify TLS is enabled (recommended for production):
    ls /etc/docker/*.pem 2>/dev/null || echo "TLS not configured"

Limit container memory usage to mitigate DoS:
    # Example: start with a 512 MiB limit
    docker run -m 512m nginx

Disable default inter-container communication for stronger isolation:
    # Add to /etc/docker/daemon.json
    { "icc": false }

Scan images for vulnerabilities (requires tools like Trivy):
    trivy image nginx:latest

Check user group permissions to avoid direct Docker access:
    getent group docker

4. Logging & Monitoring (Daily/On-Demand – 8 commands)

View real-time logs of a container:
    docker logs -f nginx-web

Show the last 100 lines of logs:
    docker logs --tail 100 nginx-web

Validate that log rotation is effective:
    docker inspect nginx-web | jq '.[0].HostConfig.LogConfig'

Export container logs to a file for analysis:
    docker logs nginx-web > /tmp/nginx.log

Configure centralized log collection (Filebeat example):
    # filebeat.yml
    filebeat.inputs:
    - type: container
      paths: ["/var/lib/docker/containers/*/*.log"]

Monitor container restart counts (anomaly indicator):
    docker inspect $(docker ps -q) | jq -r '.[] | "\(.Name): \(.RestartCount)"'

Check that the logging driver is json-file (good compatibility):
    docker info | grep "Logging Driver"

Cap log retention (supplement log rotation). The json-file driver has no time-based option, so retention is bounded by max-size × max-file:
    # Add to /etc/docker/daemon.json
    { "log-opts": { "max-file": "5", "max-size": "100m" } }

5. Image & Deployment Governance (Weekly – 7 commands)

List all local images:
    docker images

Find images not used for over 90 days (approximated by creation date):
    # The cutoff is computed by the shell and passed into awk; $2 is the date part of CreatedAt
    docker image ls --format "{{.Repository}}:{{.Tag}} {{.CreatedAt}}" | awk -v cutoff="$(date -d '90 days ago' +%F)" '$2 < cutoff'

Pull the latest base image to keep security updates:
    docker pull alpine:latest

Verify image signatures (enterprise environments):
    docker trust inspect nginx:latest

Export an image as a tar archive for offline distribution:
    docker save nginx:latest -o nginx.tar

Import an image from a tar archive (common in restricted environments):
    docker load -i nginx.tar

6. High Availability & Disaster Recovery (Monthly – 5 commands)

Back up critical volume data:
    tar -czf /backup/vol_nginx_$(date +%F).tar.gz -C /var/lib/docker/volumes nginx_data

Test quick container recovery:
    docker stop nginx-web && sleep 5 && docker start nginx-web

Export Compose configuration for easy rebuild:
    cp -r /opt/myapp /backup/

Verify Docker systemd service is enabled at boot:
    systemctl is-enabled docker

Conclusion
The 50 commands are not meant to be run blindly every day; they form a habit of checking, cleaning, defending, and recovering, turning routine operations into a reliable stability moat.
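
The monthly checks from section 3 (root user, privileged mode, sensitive mounts, high-risk ports, memory limits) can be run in one pass over `docker inspect` output. The script below is an added example, not part of the original guide: the sample JSON is constructed, and `SENSITIVE_PATHS`, `is_sensitive` and `audit` are assumed names and values chosen for illustration.

```python
import json
# Constructed sample of `docker inspect` output, trimmed to the fields used.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/nginx-web",
   "Config": {"User": ""}, "HostConfig": {"Privileged": false, "Memory": 536870912},
   "Mounts": [{"Source": "/opt/myapp/html"}],
   "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]}}},
  {"Name": "/db",
   "Config": {"User": "999"}, "HostConfig": {"Privileged": true, "Memory": 0},
   "Mounts": [{"Source": "/var/run/docker.sock"}, {"Source": "/etc/ssl"}],
   "NetworkSettings": {"Ports": {"3306/tcp": [{"HostIp": "0.0.0.0", "HostPort": "3306"}],
                                 "33060/tcp": null}}}
]
""")

HIGH_RISK_PORTS = {"22", "3306", "5432"}   # the ports named in section 3
SENSITIVE_PATHS = ("/etc", "/proc", "/sys", "/var/run/docker.sock")  # assumed list

def is_sensitive(source):
    # True for the host root or anything at or below a sensitive path.
    return source == "/" or any(
        source == p or source.startswith(p + "/") for p in SENSITIVE_PATHS)

def audit(containers):
    """Return {container name: [findings]} for the section 3 checks."""
    report = {}
    for c in containers:
        findings = []
        # An empty Config.User means the image default, which is root.
        if c["Config"].get("User", "").split(":")[0] in ("", "0", "root"):
            findings.append("runs as root")
        if c["HostConfig"].get("Privileged"):
            findings.append("privileged mode")
        if not c["HostConfig"].get("Memory"):      # 0 means unlimited
            findings.append("no memory limit")
        for m in c.get("Mounts") or []:
            if is_sensitive(m.get("Source", "")):
                findings.append("sensitive mount: " + m["Source"])
        ports = (c.get("NetworkSettings") or {}).get("Ports") or {}
        for bindings in ports.values():
            for b in bindings or []:               # null: exposed, not published
                if b.get("HostPort") in HIGH_RISK_PORTS:
                    findings.append("publishes high-risk port " + b["HostPort"])
        report[c["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "ok")
```

On a real host, feed it live data with `audit(json.loads(subprocess.check_output(["docker", "inspect", *ids])))`, where `ids` comes from `docker ps -q`.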
Xiao Liu Lab
An operations lab passionate about server tinkering 🔬 Sharing automation scripts, high-availability architecture, alert optimization, and incident reviews. Using technology to reduce overtime and experience to avoid major pitfalls. Follow me for easier, more reliable operations!
