How to Track Changes in Docker Containers

Find differences between a container's filesystem and the image it was created from

— Aman Jaiswal

If you are struggling to find file changes that happened inside your Docker containers, try out the docker container diff command.

The docker diff command helps us to find all the files that have been added, modified, or deleted within a specific container since it was created or last started.

Using this we can effortlessly monitor and track changes inside our Docker containers, ensuring smooth deployments.

How to use it?

Run docker container diff [CONTAINER ID/NAME] in your terminal, replacing [CONTAINER ID/NAME] with the actual ID or name of your container.

The command will output a list of all the changed files, categorized as follows:

  • A for an added file or directory
  • D for a deleted file or directory
  • C for a modified file or directory

Why use it?

  1. Tracking Changes: We can see if any files were added, modified, or deleted since the container was created or last committed.
  2. Understanding Impact: It helps us understand how recent changes might be affecting our container's behavior or configuration.
  3. Troubleshooting: If something isn't working as expected, we can use this to identify potential causes by seeing what has been altered.
  4. Security Auditing: By regularly running this command we can detect any unauthorized or unexpected file changes within our containers.

Example

Run the command below to check any container:

docker container diff <container-name>/<container-id>

Let's try for one nginx container:

 ➜  docker ps -a
 
CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS     NAMES
adc38d40fa8b   nginx     "/docker-entrypoint.…"   7 minutes ago   Up 7 minutes   80/tcp    hopeful_goldberg

➜  docker container diff adc38d40fa8b

C /tmp
A /tmp/log
A /tmp/log/log.txt
C /etc
C /etc/nginx
C /etc/nginx/conf.d
D /etc/nginx/conf.d/default.conf
D /etc/nginx/mime.types
C /var
C /var/cache
C /var/cache/nginx
A /var/cache/nginx/client_temp
A /var/cache/nginx/fastcgi_temp
A /var/cache/nginx/proxy_temp
A /var/cache/nginx/scgi_temp
A /var/cache/nginx/uwsgi_temp
C /run
A /run/nginx.pid
C /root
A /root/.bash_history

In this example, we can see that a new directory /tmp/log and a file log.txt inside that directory were created. The directories /etc, /tmp and /etc/nginx/conf.d were modified. The files /etc/nginx/conf.d/default.conf and /etc/nginx/mime.types were deleted. The others are default files created/modified by the container itself.
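
To turn the Security Auditing use into a repeatable check, the script below filters docker container diff output against an allowlist and prints only the changes it does not explain. It is an added example, not code from the original article; the audit_diff function name and the allowlist contents are assumptions, and the sample input is abridged from the output above.

```sh
#!/bin/sh
# ALLOW (an assumption for this nginx container): colon-separated paths whose
# changes are expected, here the nginx cache directory and pid file.
# /root/.bash_history is left off: an interactive shell writes it, not nginx.
ALLOW='/var/cache/nginx:/run/nginx.pid'

# Reads "<A|C|D> <path>" lines on stdin, prints the unexplained ones and
# returns 1 if there were any, 0 if every change is expected.
audit_diff() {
    awk -v allow="$ALLOW" '
    BEGIN { na = split(allow, ok, ":") }
    /^[ACD] \// { n++; kind[n] = substr($0, 1, 1); path[n] = substr($0, 3) }
    END {
        for (i = 1; i <= n; i++) {
            skip = 0
            # A "C <dir>" line only echoes a child change that is listed itself.
            if (kind[i] == "C")
                for (j = 1; j <= n && !skip; j++)
                    if (index(path[j], path[i] "/") == 1) skip = 1
            # Expected: the path is an allowlisted entry or lies beneath one.
            for (k = 1; k <= na && !skip; k++)
                if (path[i] == ok[k] || index(path[i], ok[k] "/") == 1) skip = 1
            if (!skip) { print kind[i], path[i]; bad++ }
        }
        exit (bad > 0)
    }'
}

# Sample input: abridged from the diff output shown for container adc38d40fa8b.
SAMPLE='C /tmp
A /tmp/log
A /tmp/log/log.txt
C /etc
C /etc/nginx
C /etc/nginx/conf.d
D /etc/nginx/conf.d/default.conf
D /etc/nginx/mime.types
C /var
C /var/cache
C /var/cache/nginx
A /var/cache/nginx/client_temp
C /run
A /run/nginx.pid
C /root
A /root/.bash_history'
# Live use: docker container diff adc38d40fa8b | audit_diff
if ! printf '%s\n' "$SAMPLE" | audit_diff; then
    echo "unexpected changes: review the lines above" >&2
fi
```

Because the function returns a non-zero status when anything is left over, it can gate a scheduled job or pipeline step and alert only when a container drifts from its image in an unexplained way.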

Note: docker container diff and docker diff are the same command.

Give it a try and take control of your containerized environments like a pro.

Real-world scenarios

Here are some real-world scenarios where the docker diff command can be useful.

  1. Troubleshooting and debugging: When a container is misbehaving or not functioning as expected, docker diff can help identify any modifications made to the container's filesystem that might be causing the issue.
  2. Auditing and compliance: In environments with strict security or compliance requirements, docker diff can be used to audit the changes made to a container's filesystem.

Alternatives

We can manually inspect the file system of a container by running the docker exec command to access the container's shell and then use traditional Unix commands like find, diff, rsync and ls to identify changes. This approach can be more time-consuming and requires manual effort but provides greater flexibility.

Tools like dive (https://github.com/wagoodman/dive) allow you to explore a container image's filesystem layers and contents.

Figure: dive utility demo (Dive Docker image layer analysis).