39

I want to be able to inspect the contents of a Docker container (read-only). An elegant way of doing this would be to mount the container's contents in a directory. I'm talking about mounting the contents of a container on the host, not about mounting a folder on the host inside a container.

I can see that there are two storage drivers in Docker right now: aufs and btrfs. My own Docker install uses btrfs, and browsing to /var/lib/docker/btrfs/subvolumes shows me one directory per Docker container on the system. This is however an implementation detail of Docker and it feels wrong to mount --bind these directories somewhere else.

Is there a proper way of doing this, or do I need to patch Docker to support these kinds of mounts?

dflemstr
  • 603

7 Answers

21

Take a look at docker export.

To quickly list the files in your container:

docker export CONTAINER|tar -t

To export:

docker export CONTAINER>snapshot.tar
docker export CONTAINER|tar x PATH-IN-CONTAINER

Or to look at a file:

docker export CONTAINER|tar x --to-stdout PATH-IN-CONTAINER
# e.g. 
docker export consul|tar x --to-stdout etc/profile

Docker 1.8 supports cp:

https://docs.docker.com/engine/reference/commandline/cp/

Usage:  docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
        docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH

update: you should ssh to your docker machine when you run this.

kabadisha
  • 173
laktak
  • 736
3

You can use docker commit to persist the current state of your container in a new image, and start an interactive container from this image to inspect the contents.

From the documentation:

It can be useful to commit a container’s file changes or settings into a new image. This allows you debug a container by running an interactive shell, or to export a working dataset to another server.

Hope this helps.

2

Podman can run and work with Docker images. You could use it to mount a running or stopped container:

prompt:~ # mnt=`podman mount 26e8b85f7a5c`
prompt:~ # ls $mnt
bin  boot  dev  etc  home  lib  ...  tmp  usr  var

where 26e8b85f7a5c is the ID of the container to be mounted.

aventurin
  • 246
2

You can use nsenter to run your inspection program (which probably must already be included in the container) inside a container/namespace. But to mount the container filesystem as it is seen from inside, you must mount the original image and all the layers if it is aufs, or perform the equivalent action for device mapper, btrfs and the other (future) storage engines used, which is different in each case. It would probably be more efficient to let Docker do the work for you, exactly as it is supposed to, and use nsenter to do the inspection inside the container.

There are other approaches. docker diff will show which files changed in that container, if you want to see what changed instead of what was in the original image.

And for data that must be persistent and inspectable, a better pattern would probably be to have it in a volume in the container, and have it either mounted on the real filesystem, or in a pure data container, or in the same container, but so that you can launch another container with the inspection program mounting those volumes from it.

gmuslera
  • 181
2

EDIT: I tried the solution below and unfortunately it did not work well for me in practice. The mounted filesystem did not accurately reflect the container's filesystem (even with cache=no). I'm not sure if this is a fundamental problem or me doing something wrong.

You can install sshd in the docker image and use docker exec to run an ssh service (/usr/sbin/sshd -D) on the docker container (note that the SSH port 22 of the docker container needs to be exposed).

Then, use docker cp to copy your public ssh key to the /root/.ssh/authorized_keys directory of the docker container.

Finally, use docker inspect to find the container's IP address and mount the container's filesystem using

sudo sshfs -o allow_other,default_permissions,IdentityFile=/path/to/identityfile  root@xxx.xx.x.x:/ /mnt/my_container

You'd have to write a script to make this work comfortably in practice.

mnieber
  • 121
1

This is an ancient question, but if someone is still looking for a way to mount (and inspect) a docker filesystem from an arbitrary host, there are 2 projects allowing exactly that:

dguerri
  • 111
1

I was recently trying to accomplish the same thing, and ended up writing a small utility called docker-mounter to accomplish this: https://github.com/JosephRedfern/docker-mounter.

It works by inspecting image metadata and generating an overlay2 mount command so you can access the image as a filesystem without requiring creation of the container, e.g.:

mkdir /tmp/mountpoint-for-image    
sudo docker-mount --mount --pull --mount-point /tmp/mountpoint-for-image ubuntu:latest

to mount ubuntu:latest at /tmp/mountpoint-for-image.
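The approach described in the last answer (reading layer metadata and deriving an overlay mount) can be sketched as follows. This is an added example, not docker-mounter's code and not part of any answer; it assumes the overlay2 storage driver and the `GraphDriver.Data` fields that `docker inspect` reports for it, and the function names and sample paths are made up for illustration.

```python
import json
import shlex

# Constructed `docker inspect` output, trimmed to GraphDriver; paths are made up.
SAMPLE = json.dumps([{"GraphDriver": {"Name": "overlay2", "Data": {
    "LowerDir": "/var/lib/docker/overlay2/l1-init/diff:/var/lib/docker/overlay2/l0/diff",
    "UpperDir": "/var/lib/docker/overlay2/l1/diff",
    "WorkDir": "/var/lib/docker/overlay2/l1/work"}}}])


def layer_dirs(inspect_json):
    """Return the overlay2 layer directories, topmost first."""
    doc = json.loads(inspect_json)
    entry = doc[0] if isinstance(doc, list) else doc
    driver = entry.get("GraphDriver") or {}
    if driver.get("Name") != "overlay2":
        raise ValueError("unsupported storage driver: %r" % driver.get("Name"))
    data = driver.get("Data") or {}
    dirs = [data["UpperDir"]] if data.get("UpperDir") else []
    dirs += [d for d in (data.get("LowerDir") or "").split(":") if d]
    for d in dirs:
        # "," would be parsed as a mount option separator; refuse such paths.
        if "," in d or not d.startswith("/"):
            raise ValueError("unexpected layer path: %r" % d)
    return dirs


def readonly_mount_argv(inspect_json, mount_point):
    """Build a mount(8) argv exposing the layers read-only at mount_point."""
    dirs = layer_dirs(inspect_json)
    if not dirs:
        raise ValueError("no layer directories in inspect output")
    if len(dirs) == 1:
        # One layer only: a read-only bind mount needs no overlay at all.
        return ["mount", "-o", "bind,ro", dirs[0], mount_point]
    # No upperdir/workdir is given, so the kernel mounts the overlay read-only;
    # "ro" is passed as well to make the intent explicit.
    return ["mount", "-t", "overlay", "overlay",
            "-o", "ro,lowerdir=" + ":".join(dirs), mount_point]


if __name__ == "__main__":
    print(shlex.join(readonly_mount_argv(SAMPLE, "/mnt/my_container")))
```

The printed command has to be run as root on the Docker host. It is meant for a stopped container, since the kernel documents the behaviour of an overlay whose underlying layers change while mounted as undefined.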