docker cp to and from containers #13171
|
Oh my goodness. I wanted this so much last year, but we couldn't agree on the syntax of addressing src and dest. |
|
Not sure if it impacts your help comment, but FYI: #11858 |
|
@duglin I would definitely have to rebase if that gets merged before this ;-) |
Adds http handlers for new API endpoints:

GET ContainersArchivePath
  Return a Tar Archive of the contents at the specified location in a container. Deprecates POST ContainersCopy. Use a HEAD request to stat the resource.

PUT ContainersExtractToDir
  Extract the Tar Archive from the request body to the directory at the specified location inside a container.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <[email protected]> (github: jlhawn)

Supports copying things INTO a container from a local file or from a tar archive read from stdin.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <[email protected]> (github: jlhawn)

Adds several integration tests for `docker cp` behavior with over a dozen tests for each of:

  container -> local
  local -> container

Docker-DCO-1.1-Signed-off-by: Josh Hawn <[email protected]> (github: jlhawn)

Documented changes to API to enable new `docker cp` behavior. Added documentation on `docker cp` usage and behavior.

Docker-DCO-1.1-Signed-off-by: Josh Hawn <[email protected]> (github: jlhawn)
|
We have "get out of jail" card from @moxiegirl on this one: "why don’t we merge it with the changes he has and I’ll take his initial docs and do a follow on PR with any changes I might have". |
|
Thanks for the work and for the wait @jlhawn, and thanks to all reviewers who participated in this journey. |
|
🎉 Thanks everyone! |
|
Great job @jlhawn 👍 |
|
😄 |
|
Wow, it's there!! looks like you need to update your story #13171 (comment) @jlhawn :-) |
|
Some follow-up...
Symlink sources don't seem to rebase properly:
It's because client expects base directory
If I run
How can we protect this from running containers updating a filesystem/volumes when the request is taking place? I mean we check for breakouts in the beginning of GET/PUT but if a container is using the filesystem it could just flip a symlink in the right time and then we would have full read/write to host. |
Is this correct? GetResourcePath() should never return a symlink so I don't think this has much effect. Similar logic in ExtractToDir and comment in ArchivePath.
When I request stat for a symlink (with or without slash) I always get a directory as a response. AFAIK there isn't actually any harm of running Lstat on a path that is only joined and symlinks aren't evaluated. Reading/writing is different of course.
|
You're right, if FollowSymlinkInScope resolves all symlinks then that part doesn't matter. But, (It doesn't mention it in the comment), a trailing separator is also important because it asserts that the resource is a directory. The Lstat a couple of lines below this should capture that error condition (not a directory).
> When I request stat for a symlink (with or without slash) I always get a directory as a response.
Is that when you stat a symlink on your local system or using this API?
Stat-ing a symlink with a trailing separator has different behavior depending on the system you're running on. Apparently on darwin, if a symlink foo points to a file bar and you call stat foo/ it will return stat info for bar even though bar is not a directory. On linux though, it will say stat: cannot stat 'foo/': Not a directory which is the error I expect it to pick up here.
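The review thread above relies on scoped symlink resolution (FollowSymlinkInScope is named but not shown). The following is an added example, not Docker's code and not part of any comment here: `resolveInScope` is a hypothetical helper, and Unix path separators are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInScope (hypothetical) resolves path as if root were "/": symlinks are
// expanded one component at a time and can never lead outside root.
func resolveInScope(root, path string) (string, error) {
	todo := strings.Split(filepath.ToSlash(path), "/")
	cur := "/" // position inside the scope, always a cleaned absolute path
	for links := 0; len(todo) > 0; {
		c := todo[0]
		todo = todo[1:]
		if c == "" || c == "." {
			continue
		}
		if c == ".." {
			cur = filepath.Dir(cur) // Dir("/") is "/", so ".." cannot climb out
			continue
		}
		next := filepath.Join(cur, c)
		fi, err := os.Lstat(filepath.Join(root, next))
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			cur = next // missing or ordinary entry: keep it, caller stats later
			continue
		}
		if links++; links > 40 {
			return "", errors.New("too many levels of symbolic links")
		}
		target, err := os.Readlink(filepath.Join(root, next))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at the scope root, not the host root
		}
		todo = append(strings.Split(filepath.ToSlash(target), "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

func main() {
	fmt.Println(resolveInScope(os.TempDir(), "a/../../etc/passwd"))
}
```

The returned path reflects the filesystem only at the moment of the `Lstat` and `Readlink` calls, so this check alone does not address the concern raised in the follow-up comment about a running container changing a symlink between the check and the read or write.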
|
Great job @jlhawn I have marked this serious and constructive discussion : ) |
|
I have tried something like this:
$ docker cp 0converted sleepy_rosalind:/home/test/data/aero_spectrum
What is wrong? where 0converted is a directory and aero_spectrum is another directory inside my container. |
|
@calebebrim Please avoid commenting on closed issues. There are many other avenues to get support on using |
Copy files/folders between containers and the local filesystem.

In the first synopsis form, the `docker cp` utility copies the contents of `PATH` from the filesystem of `CONTAINER` to the `LOCALPATH` (or stream as a Tar Archive to `STDOUT` if `-` is specified).

In the second synopsis form, the contents of `LOCALPATH` (or a Tar Archive streamed from `STDIN` if `-` is specified) are copied from the local machine to `PATH` in the filesystem of `CONTAINER`.

You can copy to or from either a running or stopped container. The `PATH` can be a file or directory. The `docker cp` command assumes all `CONTAINER:PATH` values are relative to the `/` (root) directory of the container. This means supplying the initial forward slash is optional; the command sees `compassionate_darwin:/tmp/foo/myfile.txt` and `compassionate_darwin:tmp/foo/myfile.txt` as identical. If a `LOCALPATH` value is not absolute, it is considered relative to the current working directory.

Behavior is similar to the common Unix utility `cp -a` in that directories are copied recursively and file mode, permission, and ownership are preserved if possible.

Assuming a path separator of `/`, a first argument of `SRC_PATH` and second argument of `DST_PATH`, the behavior is as follows:

- `SRC_PATH` specifies a file
    - `DST_PATH` does not exist
        - `DST_PATH`
    - `DST_PATH` does not exist and ends with `/`
    - `DST_PATH` exists and is a file
    - `DST_PATH` exists and is a directory
        - `SRC_PATH`
- `SRC_PATH` specifies a directory
    - `DST_PATH` does not exist
        - `DST_PATH` is created as a directory and the contents of the source directory are copied into this directory
    - `DST_PATH` exists and is a file
    - `DST_PATH` exists and is a directory
        - `SRC_PATH` does not end with `/`.
        - `SRC_PATH` does end with `/`.
            - directory

The command requires `SRC_PATH` and `DST_PATH` to exist according to the above rules. If `SRC_PATH` is a symbolic link, the symbolic link, not the target, is copied. If a path separator immediately follows the symbolic link, it will be resolved to its target and the target resource will be copied.

A colon (`:`) is used as a delimiter between `CONTAINER` and `PATH`, but `:` could also be in a valid `LOCALPATH`, like `file:name.txt`. This ambiguity is resolved by requiring a `LOCALPATH` with a `:` to be made explicit with a relative or absolute path, for example:

It is not possible to copy certain system files such as resources under `/proc`, `/sys`, `/dev`, and mounts created by the user in the container.

Using `-` as the first argument in place of a `LOCALPATH` will stream the contents of `STDIN` as a Tar Archive which will be extracted to the `PATH` in the filesystem of the destination container. In this case, `PATH` must specify a directory.

Using `-` as the second argument in place of a `LOCALPATH` will stream the contents of the resource from the source container as a Tar Archive to `STDOUT`.

docker cp does not cause a conflict when the archived directory structure replaces a directory with a file or vice versa #10040