Learn through the super-clean Baeldung Pro experience:
>> Membership and Baeldung Pro.
No ads, dark-mode and 6 months free of IntelliJ Idea Ultimate to start with.
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
1. Introduction
As more applications are deployed to cloud environments, working with Docker is becoming a necessary skill for developers. When debugging applications, it’s often useful to copy files into or out of Docker containers.
In this tutorial, we’ll learn different ways we can copy files to and from Docker containers.
2. Docker cp Command
Usually, the quickest way to copy files to and from a Docker container is to use the docker cp command. It’s similar to the Unix cp command, but with a few key differences.
2.1. Basic Syntax
Let’s take a look at the basic syntax:
$ docker cp <SRC> <DEST>In this format, <SRC> is the source path (either on the host or within a container), and <DEST> is where we want to copy the files. Thus, we can copy files from the local machine into a container or vice-versa.
2.2. Copying Files to a Container
Let’s say we have a container running, called myapp. To copy a file named config.ini from the local /tmp directory into the container’s /app/config/ directory, we can use the respective command:
$ docker cp /tmp/config.ini myapp:/app/config/Alternatively, we can reference the container by its ID if we prefer:
$ docker cp /tmp/config.ini c58513087fa6:/app/config/Both commands above should have the same result.
2.3. Copying Files From a Container to the Host
To copy the same file above from the container back to the local machine, we simply reverse the source and destination:
$ docker cp myapp:/app/config/defaults.ini /tmpWe can also use the container ID as we did above.
2.4. Copying Entire Directories
Further, docker cp is able to copy entire directories.
As an example, let’s copy the /app/config/ path from the container to the /tmp directory of the local machine:
$ docker cp myapp:/app/config/ /tmpSimilarly, we can reverse the <SRC> and <DEST> parameters above to copy an entire directory from the local machine to the container.
2.5. Limitations of docker cp
The docker cp command has a few limitations to keep in mind.
First, we can’t use docker cp to directly transfer files between two containers. To achieve this, we must first copy the files to the local machine and then to the second container.
Additionally, while docker cp uses the same syntax as the Unix cp command, it only supports two flags:
- -a: preserves all uid and gid information in archive mode
- -L: ensures symbolic links are followed
Next, let’s explore more methods for transferring files between the local machine and containers.
3. Volume Mounts
Another way to copy files to and from Docker containers is to use a volume mount. This means we make a directory from the host system available inside the container.
To use volume mounts, we run the container with the -v flag:
$ docker run -d --name=myapp -p 3000:3000 myapp -v /tmp:/transferThe command above runs a myapp container and mounts the /tmp directory from the host machine as a new directory inside the container named /transfer. If desired, we could provide multiple -v flags to create multiple volume mounts inside the container.
There are several advantages to this approach:
- we can use the Unix cp command, which has more flags and options than the docker cp command
- we can create a single shared directory for all Docker containers, so we can copy directly between containers, as long as they all have the same volume mount
Notably, this approach has the disadvantage that all files have to go through the volume mount. Thus, we can’t copy files in a single command. Instead, we first copy files into the mounted directory, and then into their final desired location.
Another drawback to this approach is that we may have issues with file ownership. Docker containers typically only have a root user, which means files created inside the container have root ownership by default. We can use the Unix chown command to restore file ownership at the final destination if needed.
4. Dockerfile Instructions
Dockerfiles serve as the blueprint for building Docker images, which we later use to create containers. They include a set of instructions that define how the image is built and configured, including how to copy files into the image.
Let’s explore two key instructions for achieving this.
4.1. COPY Instruction
The COPY instruction enables us to copy files or directories from the local machine directly into a Docker image during the build process. Once copied, these files become an integral part of any container created from the resulting image.
The syntax for the COPY instruction is similar to other copy commands we saw above:
COPY <SRC> <DEST>
Just like the other copy commands, <SRC> can either be a single file or a directory on the host machine. It can also include wildcard characters to match multiple files.
Let’s look at some examples.
To begin with, we copy a single file from the current Docker build context into the image:
COPY properties.ini /config/Next, we copy all XML files into the Docker image:
COPY *.xml /config/The main downside of this approach is that we can’t use COPY for running Docker containers. Docker images aren’t Docker containers, so this approach only makes sense to use when the set of files needed inside the image is known ahead of time.
4.2. ADD Instruction
The ADD instruction in Dockerfiles works similarly to COPY, but with some extra tricks up its sleeve. It can handle remote URLs and automatically extract compressed files. This makes it more versatile, especially when working with archives or external resources.
The syntax follows the same pattern as COPY:
ADD <SRC> <DEST>For example, to copy a remote file directly into an image, we replace the parameters respectively:
ADD https://example.com/config.tar.gz /config/The ADD instruction downloads and extracts the archive into the specified destination. However, due to this added functionality, it’s generally recommended to use COPY for simple file transfers and avoid unnecessary complexity.
5. Vulnerabilities
While docker cp is a convenient tool, we must be mindful of potential security risks. Let’s explore a few key vulnerabilities to keep in mind.
5.1. File Ownership and Permissions
As mentioned, by default, when we copy files into a container, they become owned by the root user. This can create security issues, especially if a containerized application is designed to run with non-root privileges.
Accidentally copying a malicious file or a file with vulnerabilities could open up a whole can of worms for the security of a container. Now, how do we tackle this?
First, we should always use Docker’s –user flag to specify a non-root user when copying files. This ensures that files aren’t automatically assigned to the root user.
Second, we should never skip file validation. Before copying any files into a container, we must ensure the files are safe and intact.
5.2. Container Isolation Breaches
Docker containers are meant to be isolated sandboxes, keeping them separate from any host system. However, docker cp can sometimes act like a bridge between the two. If we’re not careful, a malicious container could potentially use docker cp to access sensitive files on the local machine.
To prevent this, we should screen what we’re copying and where we’re copying it. In other words, we should only share the absolute minimum necessary between the local machine and the container.
Moreover, it’s a good practice to consider using Docker volumes as a safer way to manage file sharing while maintaining that crucial container isolation.
5.3. Data Exposure
When copying files from a container, it’s important to be cautious about inadvertently exposing sensitive data. Logs, configuration files, or user-generated content within the container might contain information that shouldn’t be readily accessible on the host system.
To prevent this risk, we always review the content of files we’re copying out of the container. We can also consider using tools like grep or other filtering mechanisms to redact or remove sensitive information before transferring the files to the local machine.
6. When to Use Docker cp
The docker cp command is a handy tool for quickly accessing files within running containers. It proves particularly useful during debugging. We can use it to extract logs or configurations for analysis without interrupting the container’s operation.
Additionally, we can leverage docker cp to update configuration files on the fly. This eliminates the need for container restarts. It also serves as a convenient way to create backups of application data or logs.
However, for scenarios that involve frequent file updates or require long-term file consistency between the host and the container, we should consider alternative approaches like volume mounts. This offers a more robust and synchronized solution.
7. Conclusion
In this article, we discussed how to copy files to and from a Docker container.
While docker cp is convenient, volume mounts might be the better method depending on the situation.
In conclusion, each option has some pros and cons, so we must pick the approach that best suits the current requirements.