Extract file from docker image?

You can extract files from an image with the following commands:

container_id=$(docker create "$image")
docker cp "$container_id:$source_path" "$destination_path"
docker rm "$container_id"

According to the docker create documentation, this doesn't run the container:

The docker create command creates a writeable container layer over the specified image and prepares it for running the specified command. The container ID is then printed to STDOUT. This is similar to docker run -d except the container is never started. You can then use the docker start <container_id> command to start the container at any point.

For reference (my previous answer), a less efficient way of extracting a file from an image is the following:

docker run some_image cat "$file_path" > "$output_path"

• 5
  You might want to over-ride the entrypoint. docker run --entrypoint /bin/sh my_image -c /bin/cat some_file

  – Andrew

  Jun 6, 2018 at 23:52
• 3
  This runs the image, which is specifically what I didn't want to do as stated in my question.

  – BlakBat

  Mar 26, 2019 at 10:49
• 1
  Ah, that's a good point. I agree my current answer isn't satisfactory then.

  – bbc

  Mar 26, 2019 at 17:19
• 2
  @BlakBat Does this updated answer work for you? I guess I should have created a new answer but it's done now.

  – bbc

  Apr 16, 2019 at 12:33
• 2
  @bbc This updated answer does in fact not start a container (the crux of the question), and does not require to be root.

  – BlakBat

  Apr 20, 2019 at 8:17

None of the above worked for me. The complete working command is:

docker run --rm --entrypoint /bin/sh image_name -c "cat /path/filename" > output_filename

Without quotes cat is passed without filename, so it does not know what to show. Also it is a good idea to delete the container after command is finished.

• The command you're referring to will only work depending on the docker and how correctly ENTRYPOINT / CMD was set in the Dockerfile; this has nothing to do with quoting. You also say to delete the container, yet you specify --rm. Lastly, when I had posted my question I specified "without having to run the image" and no answers were a solution taking this into account.

  – BlakBat

  Oct 21, 2018 at 15:41
• 1
  Regardless which CMD and ENTRYPOINT were set in Dockerfile I override both, so it would work always (on Linux of course). What do you mean by "depending on the docker"? Settings, version, env, what? You question is not correct because images cannot be executed, only containers can. I think there is no correct answer, you have to deal with many files or create a temporary container. --rm removes the temporary container, other's answers leave some junk on your disk.

  – sekrett

  Oct 22, 2018 at 10:26
• Can simplify quoting by skipping the shell: docker run --rm --entrypoint /bin/cat image_name /path/filename > output_filename

  – Beni Cherniavsky-Paskin

  Jun 25, 2020 at 21:21
• This answer works, but unfortunately, I came here after figuring out another way, might help someone it's a bit shorter too... docker run --entrypoint /bin/cat image_name /path/filename > filename

  – lauksas

  Sep 9, 2021 at 17:03

I believe that Docker containers store cached files created in the following directory for Ubuntu:

/var/lib/docker/aufs/diff/<container_id>

From there you should be able to access the file system and retrieve your file(s).

• Nope. That directory only contains layersize and json, and is also not user readable (even if user is in docker group). /var/lib/docker/aufs/diff will contain the file that I look for (but is categorized not by container id) and is also not readable.

  – BlakBat

  Dec 20, 2016 at 16:24
• Give me a few and I will look it up. I know for a fact there is a way to retreive the files without entering the container or running it.

  – ryekayo

  Dec 20, 2016 at 18:18
• By not readable, how does it show? I have found an example where you can pull text files from the containers by going to the /var/lib/docker/aufs/diff/* directory

  – ryekayo

  Dec 20, 2016 at 18:49
• My mistake. User can access /var/lib/docker/aufs (but not all other directories in /var/lib/docker/)

  – BlakBat

  Dec 21, 2016 at 9:46
• Can you access as root?

  – ryekayo

  Dec 21, 2016 at 14:17

If storing the full output of docker save isn't an option, you could use pipelines to extract just the needed file from it.

Unfortunately, because the output is a "tar of tars", it can be a slightly iterative process.

What I did when I needed to extract a file just now was:

1. Determine which version of the image the file you are interested in changed most recently (how you do this probably depends on your image), and the date it was created / saved

2. Get the full table of contents from the output of the docker save command with:

   docker save IMAGE_NAME | tar -tvf -

3. Find the layer.tar file(s) in the output of that command that match the date of the image that you determined in step 1. (you can add | grep layer.tar to just show those files)

4. Extract that layer.tar file to standard out, and get the table of contents of it:

   docker save IMAGE_NAME | tar -xf - -O CHECKSUM_FROM_LIST/layer.tar | tar -tvf -

5. Verify the file you want is listed, and extract it once you find the name:

   docker save IMAGE_NAME | tar -xf - -O CHECKSUM_FROM_LIST/layer.tar | tar -xf - PATH/TO/YOUR/FILE

If there are more than one layer.tar files matching the date you are looking for in step 2/3, you may need to repeat step 4 for each one of them until you find the right one

Replace the text in capitals in the commands above with the correct image names, checksums and filenames for your case.