Reputation: 24636
What would be a good way to take snapshots of a container from within the container itself?
I have a container Foo.
When certain events happen on container Foo, I want to take a snapshot of container Foo, label the image, and optionally push that snapshot to a repository.
I've seen this answer which would let me run arbitrary commands from the container to the host system, but I'd prefer to avoid that since that gives Foo too much freedom on the host system.
I'm hoping you all can provide a simpler option.
Regarding security: For my scenario, security issues are not too much of a concern (trust me on this), but I would like to not make it easy for my users to shoot themselves in the foot.
Upvotes: 0
Views: 1403
Reputation: 429
Mount the Docker socket into your container (-v /var/run/docker.sock:/var/run/docker.sock) and use the Docker API.
From inside the container, create an image from your container by calling the commit API:
curl -v --unix-socket /var/run/docker.sock -X POST "http:/v1.40/commit?container=[YOUR CONTAINER NAME OR ID]&repo=[IMAGE NAME]&tag=[IMAGE TAG]&pause=false"
For example:
curl -v --unix-socket /var/run/docker.sock -X POST "http:/v1.40/commit?container=dummy&repo=my-dummy-image-2&tag=1&pause=false"
You can then use the push API to push that image to a repository:
curl -v --unix-socket /var/run/docker.sock -X POST "http:/v1.40/images/[IMAGE NAME]/push"
Upvotes: 1
Reputation: 311918
You could just implement the solution suggested in the answer to which you linked, but instead of blindly executing everything, parse the commands and only respond to certain strings. E.g., when the container writes "snapshot" to the named pipe, perform whatever logic is necessary to create the snapshot. If the container writes "rm -rf /" to the pipe, just ignore it.
Upvotes: 0
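A host-side sketch of the allowlisting idea from the last answer, as an added example that is not part of the original posts: the container can only write words into a named pipe, and the host maps exact, known words to fixed Docker commands. The container name foo, the repository foo-snapshots, the request word snapshot-push, the script name and the pipe path are assumptions chosen for illustration.

```shell
#!/bin/sh
# Host-side listener for the named-pipe approach. The container gets write
# access to the pipe only, never the Docker socket.
# Assumed names: container "foo", repository "foo-snapshots".
CONTAINER="${CONTAINER:-foo}"
REPO="${REPO:-foo-snapshots}"
DOCKER="${DOCKER:-docker}"   # overridable so the logic can be dry-run

# Commit the fixed container under a host-chosen tag; print the image name.
snapshot() {
    image="$REPO:$(date -u +%Y%m%dT%H%M%SZ)"
    "$DOCKER" commit --pause=false "$CONTAINER" "$image" >/dev/null || return 1
    echo "$image"
}

# Map one request line to an action. Only exact, known words are honoured;
# pipe content is never passed to eval, sh -c, or used as an argument.
handle_request() {
    case "$1" in
        snapshot)
            snapshot
            ;;
        snapshot-push)
            image="$(snapshot)" || return 1
            "$DOCKER" push "$image" >/dev/null || return 1
            echo "$image"
            ;;
        *)
            # Includes "rm -rf /" and "snapshot; anything": ignored.
            return 2
            ;;
    esac
}

# Read requests forever; reopen the pipe each time a writer closes it.
serve() {
    pipe="$1"
    [ -p "$pipe" ] || mkfifo "$pipe" || return 1
    while :; do
        while IFS= read -r line; do
            handle_request "$line" || echo "ignored or failed request" >&2
        done < "$pipe"
    done
}

# Start only when asked, e.g.: ./listener.sh --serve /srv/foo/requests.pipe
# (hypothetical script name and pipe path)
if [ "${1:-}" = "--serve" ]; then
    serve "$2"
fi
```

Because the container name, repository and tag are all chosen on the host, a request can trigger a snapshot but cannot influence what is committed or where it is pushed.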