✦ For everyone, free.

Practical knowledge for real and everyday life

Home

19.2.6.4 Inspect Environment Output

A focused guide to Inspect Environment Output, connecting core concepts with practical Docker and container operations.

When you run docker inspect on a container and examine the Config.Env field, you get a JSON array of strings representing every environment variable set inside the container at the time it was created. This section of the inspect output documents the full environment context that processes running inside the container see when they start.

Accessing Environment Output

docker inspect <container_name_or_id>

To extract only the environment variables:

docker inspect --format "{{range .Config.Env}}{{println .}}{{end}}" my_container

To get them as a raw JSON array:

docker inspect --format "{{json .Config.Env}}" my_container

Structure of the Env Array

The Config.Env field is a flat JSON array where each element is a string formatted as KEY=VALUE:

"Config": {
  "Env": [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "NGINX_VERSION=1.25.3",
    "NJS_VERSION=0.8.2",
    "NJS_RELEASE=2~bookworm",
    "PKG_RELEASE=2~bookworm",
    "APP_ENV=production",
    "DATABASE_URL=postgres://user:password@db:5432/myapp",
    "SECRET_KEY=abc123xyz",
    "PORT=8080"
  ]
}

Each string follows the KEY=VALUE format. The = character separates the key from the value; values can contain spaces, special characters, and even additional = signs, since only the first = is used as the delimiter.

Sources of Environment Variables

Environment variables in the Env array come from multiple sources, combined in order:

From the base image: The Dockerfile of the image used to create the container may declare ENV instructions. These become part of the container configuration and appear in the array.

ENV NGINX_VERSION=1.25.3
ENV PATH=/usr/local/sbin:$PATH

From the run command with -e or --env:

docker run -e APP_ENV=production -e PORT=8080 nginx:latest

From an environment file with --env-file:

docker run --env-file ./app.env nginx:latest

Where app.env contains one KEY=VALUE per line.

From Docker Compose environment declarations:

services:
  web:
    image: nginx:latest
    environment:
      - APP_ENV=production
      - DATABASE_URL=postgres://user:password@db:5432/myapp

All of these sources are merged and flattened into the single Config.Env array shown in inspect output.

Order and Precedence

The array preserves the order in which variables were set, with image-defined variables appearing first and runtime-provided variables appearing afterward. If the same key is defined both in the image and at runtime, the runtime value overrides the image value and only the final effective value appears in the array.

PATH Variable

The PATH variable is always present in the Env array because it is set by the base operating system image layer. It controls which directories are searched when the container runs a command:

"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Custom entries can be prepended to PATH in the Dockerfile or at runtime to make additional binaries available.

Security Considerations

The Config.Env array in inspect output is fully visible to anyone who can run docker inspect on the host. This means that sensitive values like database passwords, API keys, and secret tokens passed as environment variables are exposed in plain text:

"DATABASE_URL=postgres://admin:mysecretpassword@db:5432/production"
"API_KEY=sk-live-abc123xyz456"

This is a well-known limitation of using environment variables for secrets in Docker. For production workloads, Docker Secrets (available in Swarm mode) or external secret managers are recommended instead.

Inspecting a Specific Variable

To check the value of a single environment variable, you can filter the output:

docker inspect --format "{{range .Config.Env}}{{println .}}{{end}}" my_container | grep "DATABASE_URL"

Or use shell processing:

docker inspect my_container | jq -r '.[0].Config.Env[] | select(startswith("APP_ENV"))'

Relationship to Running Environment

The Config.Env array represents the environment as configured at container creation. It does not reflect changes made inside the container after it started (for example, by shell scripts that export new variables or modify existing ones). The running process inside the container inherits this environment as its initial state and may modify it at runtime, but those runtime changes are not reflected back in the inspect output.

Difference from docker exec Environment

When you run a command via docker exec, it does not automatically inherit the same environment variables as the main container process unless explicitly set. The Config.Env values are available to the primary CMD or ENTRYPOINT process but not automatically to docker exec sessions.

Practical Examples

Dumping all environment variables to a file:

docker inspect --format "{{range .Config.Env}}{{println .}}{{end}}" my_container > container.env

Counting how many environment variables are set:

docker inspect my_container | jq '.[0].Config.Env | length'

Checking which image-level variables are present:

docker inspect nginx:latest | jq '.[0].Config.Env'

Comparing environment between two containers:

diff <(docker inspect --format "{{range .Config.Env}}{{println .}}{{end}}" container_a) \
     <(docker inspect --format "{{range .Config.Env}}{{println .}}{{end}}" container_b)

The environment output in docker inspect is the definitive record of the environment configuration a container was started with, making it an essential tool for understanding application configuration, debugging unexpected behavior, and auditing container deployments.

Related content