How to access container's data from the host?

This is not fully true. Surely, software running within a container should not modify the host configuration as long as the container is not in privileged mode, and this is good. But as a docker user you do have control over your host, e.g. you can create networks and port mappings which are directly visible on the host, or even run an image with uid=0 and bind-mount any host partition. From the security perspective there shouldn’t be a difference: if you are already entitled to use docker then you can do a lot with your host anyway, and mounting a read-only slice of a container would be one of the most harmless things.


I disagree… as an example, in one of my deployments, the docker container was deployed on a random cloud of hosts to run a short server process during some software testing… the ‘user’ was a Jenkins server, and had NO authority over the host machine…

Technically, adding a network doesn’t modify the host, as the connection still goes through the normal network stack.

But… net, there is no mechanism to do what you want… you submit an enhancement request.

I built a tool that does exactly what you’re attempting to do. I built it to get around the osxfs host bind mount performance issue; however, it’ll accomplish what you need.

What you do is run a quick-bind-sync container and have it use a bind mount for an empty dir on your host to /host and attach your existing container’s volume to /volume. It’ll establish a two-way sync between the volume and your host directory.

It’s quite hilarious to learn that people start using unison to overcome deficiencies of docker. Thanks for your suggestion, maybe I’ll resort to your tool later. For the time being a plain docker cp would suffice, because the files to be exported are not going to change during container run.


If you don’t need an ongoing sync I’d definitely go with docker cp as well.

You can start the container with a volume from the host mounted in the container by using the -v flag. It maps one directory from the host to the container.

docker run -v "/path/to/host/directory:/path/inside/container" <image_name>

If you need to make more mappings, use multiple -v flags.
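
The thread notes that a docker user can run an image with uid=0 and bind-mount any host path with -v. The following is an added example, not part of the thread, showing one way to review that exposure from the host by auditing `docker inspect` output; the sample JSON is constructed and the SENSITIVE path list is an assumption to tune per host.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output (not from the thread).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/ci-job",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": false},
   "Mounts": [
     {"Type": "bind", "Source": "/", "Destination": "/host", "RW": true},
     {"Type": "volume", "Name": "appdata",
      "Source": "/var/lib/docker/volumes/appdata/_data",
      "Destination": "/data", "RW": true}
   ]},
  {"Name": "/exporter",
   "Config": {"User": "1000:1000"},
   "HostConfig": {"Privileged": false},
   "Mounts": [
     {"Type": "bind", "Source": "/srv/export", "Destination": "/export", "RW": false}
   ]}
]
""")

# Host paths treated as sensitive when bind-mounted (assumption, adjust per host).
SENSITIVE = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock", "/var/lib/docker")

def runs_as_root(container):
    # An empty Config.User means no user was set, so the process starts as uid 0.
    user = container.get("Config", {}).get("User", "")
    return user.split(":")[0] in ("", "0", "root")

def is_sensitive(path):
    path = path.rstrip("/") or "/"
    return any(path == p or (p != "/" and path.startswith(p + "/")) for p in SENSITIVE)

def audit(containers):
    """Return (container, issue) pairs for privileged mode and sensitive bind mounts."""
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        who = "root" if runs_as_root(c) else "non-root"
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "privileged mode"))
        for m in c.get("Mounts", []):
            # Named volumes live under Docker's own data dir; only host binds are checked.
            if m.get("Type") == "bind" and is_sensitive(m["Source"]):
                mode = "read-write" if m.get("RW") else "read-only"
                findings.append((name, f"{mode} bind of {m['Source']} as {who}"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_INSPECT):
        print(f"{name}: {issue}")
```

To run it against a live host, replace the sample with the parsed output of `docker inspect` for the running containers.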