Extracting a container file system with Podman

Learn how to extract and browse a container's file system using Podman (or Docker) without needing an interactive shell. This guide covers the export command and tar extraction methods for debugging container images and examining their contents.

Last week, we had a challenge in my team that required us to find out what files we actually put in a container image. Although everything you need to do this is built into the tools, it’s one of the more rarely used but very nifty commands, so I wanted to share our learnings with you.

Caveat: I use Podman in my examples, but because Podman is nearly 100% compatible with Docker, you can simply exchange the podman command with the docker one. Podman, unlike Docker, is a hundred percent free and open source. If you want to give it a spin, I recommend reading Cedric Clyburn’s excellent article on transitioning from Docker to Podman.

Using an interactive shell

There’s the obvious way of executing the container interactively with a shell of your choice:

podman exec --interactive --tty <container ID> /bin/bash

While this is the easiest one regarding command complexity, it can turn out to be a hassle. For security reasons, some containers may not even include a shell. Furthermore, you always need a running container to be able to execute a command in it interactively. If you need to debug the container because it fails to boot and keep running, this option is only possible if you are willing to modify the container’s entry point.

I think that this way is also really cumbersome if you want an initial overview of all the files and don’t know yet what you’re looking for. It sure feels better to be able to somehow browse a container’s file system. So, this is what we did:

Extracting a Docker container’s file system

For the specific application at Mister Spex, we run GitLab CI builds that result in container images stored in Amazon’s ECR (Elastic Container Registry). So, we first had to pull the version which we thought introduced the faulty files:

podman pull your.ecr.location.amazonaws.com/<image>:<image-version>

Once you have the image, start the container. In our case, it doesn’t matter if the startup fails. We only want our container engine to prepare a container from the image and with it its virtual file system.

podman run your.ecr.location.amazonaws.com/<image>:<image-version>

Once the container has run, we need to find the container’s ID.

podman ps --all

This lists all the containers that are, or have been, running on your system. It will look a bit like this:

cb993a820886 your-repository-uri/image-name:image-version node dist/bundle…. 6 minutes ago Exited (1) 6 minutes ago reverent_wright

The first value in the line is the container’s ID. So, for our example, we will use cb993a820886. Now we can export the file system tar file to further process or browse it.

podman export --output container-filesystem.tar cb993a820886

We now have a file called container-filesystem.tar in our file system, whose contents we can now print to stdout using

tar -tf container-filesystem.tar

You could also use whatever archive browser you have on your system to sift through the tar. And there you have it: We’ve extracted our container’s file system to a tar file for easy access.
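To pin down which image version introduced a file, two such exports can be compared without unpacking either archive. The following script is an added example, not part of the original article: it goes one step beyond listing and diffs paths, modes and content hashes. Its function names and the two sample archives it builds are constructed for illustration.

```python
import hashlib
import io
import tarfile
import tempfile


def index_export(tar_path):
    """Map each path in an exported tar to (type, mode, content digest)."""
    index = {}
    with tarfile.open(tar_path) as tar:
        for member in tar:
            digest = member.linkname or None  # link target for sym/hard links
            if member.isfile():
                # Hash straight from the archive; nothing is extracted to disk.
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            index[member.name.removeprefix("./")] = (member.type, member.mode, digest)
    return index


def diff_exports(old_tar, new_tar):
    """Paths added, removed, or changed (type, mode or content) between exports."""
    old, new = index_export(old_tar), index_export(new_tar)
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def write_sample(tar_path, files):
    """Constructed stand-in for `podman export`: files maps path -> (bytes, mode)."""
    with tarfile.open(tar_path, "w") as tar:
        for name, (data, mode) in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))


def diff_constructed_samples():
    """Diff two constructed exports standing in for consecutive image versions."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = f"{tmp}/old.tar", f"{tmp}/new.tar"
        write_sample(old, {"app/bundle.js": (b"v1", 0o644), "app/run.sh": (b"#!/bin/sh\n", 0o755)})
        write_sample(new, {"app/bundle.js": (b"v2", 0o644), "app/run.sh": (b"#!/bin/sh\n", 0o4755),
                           "app/.env": (b"TOKEN=constructed\n", 0o644)})
        return diff_exports(old, new)


if __name__ == "__main__":
    print(diff_constructed_samples())
```

On real data, pass diff_exports() the two files produced by podman export for the image versions being compared. If you would rather not start the image at all, podman create prepares a container that podman export can read just the same.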

See also: podman-exec, podman-pull, podman-ps, podman-export


Originally published on Medium