New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docker cp to and from containers #13171
Conversation
658bce0
to
450e672
Compare
Oh my goodness. I wanted this some much last year, but we couldn't agree on the syntax of addresssing src and dest. |
3d410b7
to
677dfc4
Compare
Not sure if it impacts your help comment, but FYI: #11858 |
@duglin I would definitely have to rebase if that gets merged before this ;-) |
16edb82
to
693fbdd
Compare
e34da4b
to
505e798
Compare
Thanks for the work and for the wait @jlhawn, and thanks to all reviewers who participated in this journey. |
docker cp to and from containers
🎉 Thanks everyone! |
Great job @jlhawn 👍 |
😄 |
Wow, it's there!! looks like you need to update your story #13171 (comment) @jlhawn :-) |
Some follow-up... Symlink sources don't seem to rebase properly:
It's because client expects base directory If I run How can we protect this from running containers updating a filesystem/volumes when the request is taking place? I mean we check for breakouts in the beginning of GET/PUT but if a container is using the filesystem it could just flip a symlink in the right time and then we would have full read/write to host. |
// than the name of the directory. This would cause extraction of the | ||
// archive to *not* make another directory, but instead use the current | ||
// directory. | ||
resolvedPath = archive.PreserveTrailingDotOrSeparator(resolvedPath, absPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this correct? GetResourcePath()
should never return a symlink so I don't think this has much effect. Similar logic in ExtractToDir
and comment in ArchivePath
.
When I request stat for a symlink (with or without slash) I always get a directory as a response. AFAIK there isn't actually any harm of runnning Lstat
on a path that is only joined and symlinks aren't evaluated. Reading/writing is different of course.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're right, if FollowSymlinkInScope
resolves all symlinks then that part doesn't matter. But, (It doesn't mention it in the comment), a trailing separator is also important because it asserts that the resource is a directory. The Lstat
a couple of lines below this should capture that error condition (not a directory).
When I request stat for a symlink (with or without slash) I always get a directory as a response.
Is that when you stat a symlink on your local system or using this API?
Stat-ing a symlink with a trailing separator has different behavior depending on the system you're running on. Apparently on darwin
, if a symlink foo
points to a file bar
and you call stat foo/
it will return stat info for bar
even though bar is not a directory. On linux
though, it will say stat: cannot stat 'foo/': Not a directory
which is the error I expect it to pick up here.
Great job @jlhawn I have marked this serious and constructive discussion : ) |
I have tried something like this: $ docker cp 0converted sleepy_rosalind:/home/test/data/aero_spectrum
What is wrong? where 0converted is an directory and aero_spectrum is another directory inside my container. |
@calebebrim Please avoid commenting on closed issues. There are many other avenues to get support on using |
Copy files/folders between containers and the local filesystem.
In the first synopsis form, the
docker cp
utility copies the contents ofPATH
from the filesystem ofCONTAINER
to theLOCALPATH
(or stream asa Tar Archive to
STDOUT
if-
is specified).In the second synopsis form, the contents of
LOCALPATH
(or a Tar Archivestreamed from
STDIN
if-
is specified) are copied from the local machine toPATH
in the filesystem ofCONTAINER
.You can copy to or from either a running or stopped container. The
PATH
canbe a file or directory. The
docker cp
command assumes allCONTAINER:PATH
values are relative to the
/
(root) directory of the container. This meanssupplying the initial forward slash is optional; The command sees
compassionate_darwin:/tmp/foo/myfile.txt
andcompassionate_darwin:tmp/foo/myfile.txt
as identical. If aLOCALPATH
valueis not absolute, is it considered relative to the current working directory.
Behavior is similar to the common Unix utility
cp -a
in that directories arecopied recursively and file mode, permission, and ownership are preserved if
possible.
Assuming a path separator of
/
, a first argument ofSRC_PATH
and secondargument of
DST_PATH
, the behavior is as follows:SRC_PATH
specifies a fileDST_PATH
does not existDST_PATH
DST_PATH
does not exist and ends with/
DST_PATH
exists and is a fileDST_PATH
exists and is a directorySRC_PATH
SRC_PATH
specifies a directoryDST_PATH
does not existDST_PATH
is created as a directory and the contents of the sourcedirectory are copied into this directory
DST_PATH
exists and is a fileDST_PATH
exists and is a directorySRC_PATH
does not end with/.
SRC_PAPTH
does end with/.
directory
The command requires
SRC_PATH
andDST_PATH
to exist according to the aboverules. If
SRC_PATH
is a symbolic link, the symbolic link, not the target, iscopied. If a path separator immediately follows the symbolic link, it will be
resolved to its target and the target resource will be copied.
A colon (
:
) is used as a delimiter betweenCONTAINER
andPATH
, but:
could also be in a valid
LOCALPATH
, likefile:name.txt
. This ambiguity isresolved by requiring a
LOCALPATH
with a:
to be made explicit with arelative or absolute path, for example:
It is not possible to copy certain system files such as resources under
/proc
,/sys
,/dev
, and mounts created by the user in the container.Using
-
as the first argument in place of aLOCALPATH
will stream thecontents of
STDIN
as a Tar Archive which will be extracted to thePATH
inthe filesystem of the destination container. In this case,
PATH
must specifya directory.
Using
-
as the second argument in place of aLOCALPATH
will stream thecontents of the resource from the source container as a Tar Archive to
STDOUT
.docker cp
does not cause a conflict when the archived directory structure replaces a directory with a file or vice versa #10040