How to extract files from a Docker image or container
docker cp from a running container, dive for digging into image layers, and the few tricks for getting files out of an image you can't run.
Three different tasks share the phrase "extract a file from Docker." Each has its own tool, and picking the right one saves a lot of confused container starting and stopping.
From a running container: docker cp
If the container is up, this is one command:
docker cp my-container:/etc/nginx/nginx.conf ./nginx.conf
Works in both directions — docker cp ./local.conf my-container:/etc/nginx/local.conf pushes a file in. Containers don't need to be stopped. Good for one-off file grabs and for getting at runtime-generated files (logs, sockets).
From a stopped container
Same command: docker cp also works on stopped containers. The container only needs to still exist (docker ps -a will show it); it is gone only once docker rm has removed it.
From an image (without running it)
An image isn't a filesystem you can directly cp from. You have to instantiate it — but you don't have to run it:
docker create --name temp my-image:latest
docker cp temp:/path/to/file ./file
docker rm temp
create makes a container without starting it. Faster than run if you only need files.
Inspecting layers: dive
dive (wagoodman/dive) is the right tool when you don't know which layer added the file. dive my-image:latest opens an interactive viewer with each layer's filesystem changes. Useful for understanding image bloat, hunting down a misplaced secret, or finding the build step that added a binary you didn't expect.
Without Docker installed: skopeo + tar
If you can't run Docker locally (CI runner, restricted host) but need files from a registry image:
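skopeo copy docker://my-image:latest dir:./image-dir
cd image-dir && for layer in *; do tar -tf "$layer" 2>/dev/null; done
Each layer in the result is one tar archive. Current skopeo versions name it by its digest with no .tar extension, so the loop tries every file; manifest.json, version and the config blob are not archives and are skipped. Find the layer with your file, then tar -xf to extract.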
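When auditing your own image for a misplaced secret, remember that a file deleted in a later layer still sits in the earlier one. The following is an added example, not part of the original article: it walks a skopeo dir: output in layer order and reports where a path was added or whited out. The function names are hypothetical, and it assumes manifest.json lists the config digest first and then the layers from base to top.

```shell
#!/bin/sh
# Added example: trace one path through the layers of a `skopeo copy ... dir:` output.
# Assumptions: manifest.json lists the config digest, then the layer digests in
# base-to-top order; blobs are named by digest hex (older skopeo: <hex>.tar).
# Only a direct whiteout of the file is detected, not opaque or parent-directory ones.

# layer_history DIR PATH -> one line per layer touching PATH: "<n> <hex> added|deleted"
layer_history() {
    dir=$1
    want=${2#/}                          # tar members carry no leading slash
    base=${want##*/}
    whiteout="${want%"$base"}.wh.$base"  # overlay whiteout entry marks a deletion
    n=0
    for hex in $(grep -o 'sha256:[0-9a-f]*' "$dir/manifest.json" | cut -d: -f2); do
        blob="$dir/$hex"
        [ -f "$blob" ] || blob="$dir/$hex.tar"
        # The config blob is JSON, not a tar: listing fails and it is skipped.
        names=$(tar -tf "$blob" 2>/dev/null) || continue
        n=$((n + 1))
        names=$(printf '%s\n' "$names" | sed 's|^\./||')
        if printf '%s\n' "$names" | grep -xF -- "$want" >/dev/null; then
            echo "$n $hex added"
        elif printf '%s\n' "$names" | grep -xF -- "$whiteout" >/dev/null; then
            echo "$n $hex deleted"
        fi
    done
}

# read_from_layer DIR HEX PATH -> content of PATH as stored in that single layer
read_from_layer() {
    blob="$1/$2"
    [ -f "$blob" ] || blob="$1/$2.tar"
    # Member names may or may not carry a "./" prefix depending on the builder.
    member=$(tar -tf "$blob" | grep -x -F -e "${3#/}" -e "./${3#/}" | head -n 1)
    [ -n "$member" ] || return 1
    tar -xOf "$blob" "$member"
}

# Usage: layer_history ./image-dir /app/.env
#        read_from_layer ./image-dir <hex-from-output> /app/.env
```

An "added" line followed by a later "deleted" line means the file is absent from the final filesystem but still recoverable by anyone who can pull the image, so the fix is to rebuild without it and rotate the secret.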
Common case: the file is in /app or /usr/local
Most application images put your code in /app and dependencies in /usr/local. docker cp my-container:/app ./local-app gives you the entire build artifact — useful for debugging a build that works locally but breaks in the container.