Frequently Asked Questions
To get logs in the Dashboard, including live tailing of logs, toggle observability to true
in your Worker's wrangler config:
{ "observability": { "enabled": true }}[observability]enabled = trueLogs are subject to the same limits as Worker logs, which means that they are retained for 3 days on Free plans and 7 days on Paid plans.
See Workers Logs Pricing for details on cost.
If you are an Enterprise user, you are able to export container logs via Logpush to your preferred destination.
When initially deploying a Container, Cloudflare will select various locations across our network to deploy instances to. These locations will span multiple regions.
When a Container instance is requested with this.ctx.container.start, the nearest free
container instance will be selected from the pre-initialized locations. This will
likely be in the same region as the external request, but may not be. Once the container
instance is running, any future requests will be routed to the initial location.
An Example:
- A user deploys a Container. Cloudflare automatically readies instances across its Network.
- A request is made from a client in Bariloche, Argentina. It reaches the Worker in Cloudflare's location in Neuquen, Argentina.
- This Worker request calls
MY_CONTAINER.get("session-1337")which brings up a Durable Object, which then callsthis.ctx.container.start. - This requests the nearest free Container instance.
- Cloudflare recognizes that an instance is free in Buenos Aires, Argentina, and starts it there.
- A different user needs to route to the same container. This user's request reaches the Worker running in Cloudflare's location in San Diego.
- The Worker again calls
MY_CONTAINER.get("session-1337"). - If the initial container instance is still running, the request is routed to the location in Buenos Aires. If the initial container has gone to sleep, Cloudflare will once again try to find the nearest "free" instance of the Container, likely one in North America, and start an instance there.
See rollout documentation for details.
Containers scale by creating or addressing specific instances. For stateless routing across a
fixed number of interchangeable instances, use the getRandom helper.
Refer to scaling and routing for details.
Not today, though Cloudflare plans to add built-in autoscaling in a future release.
Until then, use getRandom for simple stateless routing and specific instance IDs when you need
explicit control over container lifecycle.
A cold start is when a container instance is started from a completely stopped state.
If you call env.MY_CONTAINER.get(id) with a completely novel ID and launch
this instance for the first time, it will result in a cold start.
This will start the container image from its entrypoint for the first time. Depending on what this entrypoint does, it will take a variable amount of time to start.
Container cold starts can often be in the 1-3 second range, but this is dependent on image size and code execution time, among other factors.
See image management documentation for details.
All disk is ephemeral. When a Container instance goes to sleep, the next time it is started, it will have a fresh disk as defined by its container image.
Snapshots are coming soon, which allow the user to quickly persist and restore the disk from an entire container or a directory.
You can also use FUSE to persist disk to R2 or other object storage backends. Though you should not expect native SSD-like performance while using FUSE.
If you run out of memory, your instance will throw an Out of Memory (OOM) error and will be restarted.
Containers do not use swap memory.
Cloudflare will not actively shut off a container instance after a specific amount of
time. If you do not set sleepAfter on your Container class, or stop the instance
manually, it will continue to run unless its host server is restarted. This
happens on an irregular cadence, but frequently enough where Cloudflare does not
guarantee that any instance will run for any set period of time.
When a container instance is going to be shut down, it is sent a SIGTERM signal,
and then a SIGKILL signal after 15 minutes. You should perform any necessary
cleanup to ensure a graceful shutdown in this time. The container instance
will be rebooted elsewhere shortly after this.
You can use Worker Secrets or the Secrets Store to define secrets for your Workers.
For implementation details, refer to Environment variables and secrets.
Yes. Use the docker:dind-rootless base image since Containers run without root privileges.
You must disable iptables when starting the Docker daemon because Containers do not support iptables manipulation:
FROM docker:dind-rootless
# Start dockerd with iptables disabled, then run your appENTRYPOINT ["sh", "-c", "dockerd-entrypoint.sh dockerd --iptables=false --ip6tables=false & exec /path/to/your-app"]If your application needs to wait for dockerd to become ready before using Docker, use an entrypoint script instead of the inline command above:
#!/bin/shset -eu
# Wait for dockerd to be readyuntil docker version >/dev/null 2>&1; do sleep 0.2done
exec /path/to/your-appFor a complete working example, see the Docker-in-Docker Containers example ↗.
Refer to Handle outbound traffic for how to control outbound traffic and internet access.