I need to know where it is logged when I removed my container.
In my issue I want to know when (date and time) and by which user my container was removed.
I don't think you can find which user removed it (if it was a user) unless you allow using the docker command with sudo only instead of adding users to the "docker" group.
If the user has to run sudo, you should find the logs (on ubuntu) in the auth log.
cat /var/log/auth.log | grep whoami
Mar 29 21:43:09 docker-vm sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/projects/volumes ; USER=root ; COMMAND=/usr/bin/whoami
It means the user called "ubuntu" used sudo to run the command after COMMAND=
You could also find it in the journal log in case the process manager is systemd. I wasn't able to filter to sudo logs using "-u", but you can just run journalctl and type /COMMAND= and press enter to jump to the first result and press "n" to jump to the next.
You can also find other events around it, but it is hard to identify what container was removed unless you know what the ID of that container was or what veth network interface it used.
Unfortunately, if someone has access to the docker command it is basically root access to the machine, so someone could run a container and break out from the container to the host as root even without using any sudo if the user is in the docker group, and that person can do anything for as long as the container they use to access the host OS as root keeps running. So unless you also log the SSH connection, it is possible that you will not find out who removed the container and why.
It could also have been done by a process without user interaction: if something tries to clean up the host periodically and makes a mistake, or, if the container is set to be removed automatically after stopping, it could have been killed by the OS if there were memory or CPU resource issues.
Since you are specifically searching for a docker container rm command, I guess you found that command in the bash history.
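As an added example (not part of the original answer), here is a small script that does what the answer describes by hand: it parses sudo entries from an auth.log-style file, keeps only the ones whose COMMAND is a `docker rm` / `docker container rm`, and reports the timestamp, the invoking user and the container names or IDs passed to the command. The log lines embedded below are constructed for the demo, not taken from a real host; the only real line shape is the `sudo: user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` format shown in the answer. Note that syslog timestamps carry no year, so the script takes the year as a parameter (an assumption you have to supply from the file's mtime or rotation date).

```python
import re
from datetime import datetime

# Constructed sample of /var/log/auth.log content (made up for this example).
# Line 1 is the shape shown in the answer; the others add docker commands and
# an unrelated sshd line to show what gets filtered out.
SAMPLE_AUTH_LOG = """\
Mar 29 21:43:09 docker-vm sudo: ubuntu : TTY=pts/0 ; PWD=/home/ubuntu/projects/volumes ; USER=root ; COMMAND=/usr/bin/whoami
Mar 29 21:45:12 docker-vm sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker rm -f web-1
Mar 29 21:46:30 docker-vm sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/docker container rm db-1 cache-1
Mar 29 21:47:01 docker-vm sshd[1234]: Accepted publickey for bob from 10.0.0.5 port 50022 ssh2
Mar 29 21:48:00 docker-vm sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/docker ps
"""

# One sudo command record: "<Mon DD HH:MM:SS> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
# sudo pads the user name with spaces, hence the \s+ before it.
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Matches "docker rm ..." and "docker container rm ..." (binary path may precede "docker").
RM_RE = re.compile(r"\bdocker\s+(?:container\s+)?rm\b")


def parse_sudo_line(line):
    """Return the fields of a sudo command record as a dict, or None if the line is not one."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def removed_containers(cmd):
    """Container names/IDs given to docker rm: every non-flag token after the 'rm' word."""
    tokens = cmd.split()
    idx = tokens.index("rm")
    return [t for t in tokens[idx + 1:] if not t.startswith("-")]


def find_container_removals(text, year):
    """Scan auth.log text and return [{when, user, tty, containers, cmd}] for docker rm calls.

    `year` must be supplied by the caller because syslog timestamps omit it.
    """
    events = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None or not RM_RE.search(rec["cmd"]):
            continue
        # "%b %d %H:%M:%S" parses to year 1900; swap in the real year.
        when = datetime.strptime(rec["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append({
            "when": when,
            "user": rec["user"],
            "tty": rec["tty"],
            "containers": removed_containers(rec["cmd"]),
            "cmd": rec["cmd"],
        })
    return events


if __name__ == "__main__":
    # Read a real file instead with: open("/var/log/auth.log").read()
    for ev in find_container_removals(SAMPLE_AUTH_LOG, year=2024):
        print(f"{ev['when']:%Y-%m-%d %H:%M:%S}  user={ev['user']:<8} tty={ev['tty']:<6} "
              f"removed={','.join(ev['containers'])}  ({ev['cmd']})")
```

This only works for the situation the answer describes: docker invoked through sudo by a user who is not in the docker group. A member of the docker group leaves no sudo record at all, and a `docker rm` issued by a cron job or by the daemon's own auto-remove logic never appears in auth.log either, so an empty result from this script is not proof that no user removed the container.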
Thank you for the clear answer