✦ For everyone, free.

Practical knowledge for real and everyday life

Home

16.3.1.2 Removed Container Data

A focused guide to Removed Container Data, connecting core concepts with practical Docker and container operations.

Removed container data addresses what is and is not actually recoverable after a docker rm has already completed, a question worth understanding precisely because the honest answer is considerably more limited than many people hope, and because the real, practical solution to this problem is almost entirely about what is done before removal, not after.

What docker rm actually does

docker rm deletes the container's writable layer from disk along with its metadata, and unlike many file deletion operations on a traditional filesystem, this is not typically a reversible operation through any Docker-provided mechanism, there is no container recycle bin or undo command:

docker rm my-api

docker start my-api

Error: No such container: my-api

Once removal completes, the container and everything in its writable layer, including anything that was never backed by a volume, is genuinely gone from Docker's own perspective; there is no command that brings it back.

Capturing state before removal, the only reliable safeguard

Because recovery after the fact is unreliable at best, the practical defense against this specific kind of loss is capturing whatever might be needed before ever running docker rm, treating removal as a one-way, final operation:

docker diff my-api

C /app/data
A /app/data/output.txt

docker diff lists exactly what has changed relative to the container's image, additions, modifications, and deletions, which is a useful first check for understanding what unique, non-image-derived content actually exists in a container's writable layer before deciding whether anything there is worth preserving prior to removal.

docker cp my-api:/app/data/output.txt ./output.txt

docker export my-api -o my-api-snapshot.tar

Copying out specific files of interest, or exporting the container's entire filesystem as a tarball, captures exactly the state that would otherwise disappear the moment removal completes; running one of these commands as a deliberate, routine step before removing any container whose state might conceivably matter is the actual, reliable safeguard.

Why forensic recovery after removal is unreliable

In principle, a container's writable layer corresponds to actual files on the host's disk (the UpperDir under overlay2, for instance), and a docker rm removes those files through the host's own filesystem deletion mechanism, which means in the narrow window before the underlying storage is overwritten, raw filesystem recovery tools might theoretically recover some content, in the same way deleted files can sometimes be recovered from any filesystem before being overwritten:

docker inspect my-api --format '{{.GraphDriver.Data.UpperDir}}'

This path is worth knowing for the rare, serious incident where recovering removed container data is genuinely critical, but it requires file-recovery tooling and expertise entirely outside of Docker itself, has no guarantee of success, and depends heavily on how much time and disk activity has occurred since the removal; this is not a practical, reliable recovery path for routine use, only a last resort worth being aware of for a genuinely severe situation with no usable backup or pre-removal export available.

Logs are removed along with the container

Container logs captured by drivers like json-file or local are stored in a location tied to the specific container and are removed along with it; once a container using one of these local drivers is removed, its log history goes with it, unless that output was also captured by a separate, centralized log aggregation pipeline operating independently of the container's own lifecycle:

docker logs my-api > my-api-final-logs.txt
docker rm my-api

Capturing a container's final log output explicitly before removal, the same way docker export captures filesystem state, is a similarly important and easily forgotten step for any container whose final moments might matter for a later investigation.

Image layers are not affected by container removal

It is worth being explicit that removing a container has no effect whatsoever on the image it was created from; the image's own layers remain entirely intact and reusable for creating new containers, which is a meaningfully different lifecycle than the container's own writable layer:

docker rm my-api
docker images

REPOSITORY   TAG      IMAGE ID
my-api       1.4.0    8a1f3c9b2e7d

This distinction matters when reasoning about what was actually lost: removing a container never loses anything about the application code or dependencies baked into the image itself, only whatever runtime state existed specifically in that container's own writable layer and was not otherwise captured.

Volumes survive container removal by design

A volume attached to a removed container is not removed along with it unless explicitly requested; this is the entire point of using a volume for anything that needs to outlive a specific container instance:

docker run -d --name my-api -v app-data:/app/data my-api:1.4.0
docker rm -f my-api
docker volume ls

DRIVER    VOLUME NAME
local     app-data

The volume remains, fully intact, ready to be attached to a new container; this is the practical, reliable answer to the entire category of removed container data concerns, anything genuinely worth preserving across a container's lifecycle should have been on a volume in the first place, making the question of post-removal recovery moot for that specific data.

Building a habit around safe removal

Given how limited reliable post-removal recovery actually is, the practical mitigation is procedural: establishing a habit, or an automated check, of confirming nothing irreplaceable sits unbacked-up in a container's writable layer before removing it, particularly for any container that was running for an extended period or performing work whose output was not obviously and immediately captured elsewhere.

docker diff my-api | grep -v "^C /tmp"

A quick review of docker diff output, filtering out routine, expected temporary file noise, surfaces anything genuinely unexpected or potentially valuable before the removal command is actually run.

Common mistakes

  • Assuming a removed container's data can be reliably recovered after the fact, when no built-in, reliable mechanism exists for this once removal has completed.
  • Not reviewing docker diff or exporting a container's filesystem before removal, missing the only realistic window to capture state that would otherwise be lost permanently.
  • Forgetting that logs captured by a local logging driver are removed along with the container, unless that output was also captured by a separate, centralized aggregation pipeline.
  • Conflating image removal with container removal, when the two have entirely different lifecycles and removing a container never affects the underlying image at all.
  • Attempting raw filesystem-level forensic recovery as a first resort rather than recognizing it as an unreliable, expertise-requiring last resort for only the most severe situations.

Removed container data is, for all practical purposes, gone the moment docker rm completes, which makes the deliberate habit of capturing anything potentially valuable, through docker diff, docker cp, docker export, or simply ensuring genuinely important data was on a volume from the start, the only reliable defense, since recovery after the fact is unreliable at best and entirely unavailable through any tooling Docker itself provides.

Related content