Find Out What Files A Command Changes With Docker

So, what did this command just do?

Have you always wondered what files change on disk when you update your OS package information? Would you like to know what files were added after you installed a particular package or ran a script?

Docker can help you to be nosy about what files changed due to a particular command you ran.

Two Approaches

You can go about it in two ways. One is less permanent, the other involves building an image layer for the command you’re curious about.

Let’s start with the simple method.

Container File System Changes

This one works only if the changes don't happen in a mounted volume: docker diff reports changes to the container's own file system, and volumes live outside it.

An example will make the approach clear. First, we run a container. I’ll go with a plain Ubuntu image, not even tagged to a particular version. The --rm is to make sure the container is cleaned up once we’re done.

$ docker run --rm -it ubuntu

Inside the container bash session, we'll execute the commands we're curious about. Today, I'd like to see what an apt-get update does.

# inside the container
$ apt-get update

Now, after the command has finished, we'll open another terminal outside the running container and ask Docker what changed in the container file system:

# to find the id of the running container
$ docker ps
# with the id from above
$ docker diff $THE_ID

The result looks as follows for me:

C /var
C /var/lib
C /var/lib/apt
C /var/lib/apt/lists
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-backports_InRelease
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-updates_multiverse_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic_restricted_binary-amd64_Packages.lz4
A /var/lib/apt/lists/auxfiles
A /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_multiverse_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-backports_universe_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-updates_InRelease
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-updates_restricted_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic_multiverse_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic_universe_binary-amd64_Packages.lz4
A /var/lib/apt/lists/lock
A /var/lib/apt/lists/partial
A /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_InRelease
A /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_main_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-backports_main_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-updates_main_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic-updates_universe_binary-amd64_Packages.lz4
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic_InRelease
A /var/lib/apt/lists/archive.ubuntu.com_ubuntu_dists_bionic_main_binary-amd64_Packages.lz4
A /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_restricted_binary-amd64_Packages.lz4
A /var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_bionic-security_universe_binary-amd64_Packages.lz4
C /var/cache
C /var/cache/apt
D /var/cache/apt/pkgcache.bin
D /var/cache/apt/srcpkgcache.bin

The letter at the beginning of each line indicates what happened to that file or directory. C is for changed, D for deleted, A is for added. You can read more about the command in the docs.
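
The same procedure without the second terminal, plus a filter for the output, as an added example that is not part of the original post. The function names diff_of_command and triage_diff and the WATCH path list are assumptions made for this sketch; the filter drops the "C" lines for parent directories and marks changes under paths worth a closer look.

```shell
#!/bin/sh
# Added example: capture and triage `docker diff` for one command.
# WATCH is an assumed, illustrative watchlist (POSIX ERE); extend it for your review.
WATCH='^/(etc/(passwd|shadow|group|sudoers|cron|ssh/)|root/[.]ssh|(usr/(local/)?)?s?bin/)'

# Run a command in a fresh container and print its `docker diff`.
# No --rm here: the stopped container must still exist when it is diffed.
diff_of_command() {
  image=$1; shift
  id=$(docker create "$image" "$@") || return 1
  docker start -a "$id" >/dev/null 2>&1   # blocks until the command exits
  docker diff "$id"
  docker rm "$id" >/dev/null
}

# Read `docker diff` output on stdin. Drop "C <dir>" lines that are
# ancestors of another reported path, then prefix watchlist hits with "!".
triage_diff() {
  awk -v watch="$WATCH" '
    /^[ACD] \// {
      n++; kind[n] = substr($0, 1, 1); path[n] = substr($0, 3)
      p = path[n]
      # record every ancestor directory of this path
      while (sub("/[^/]*$", "", p) && p != "") parent[p] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        if (kind[i] == "C" && (path[i] in parent)) continue
        mark = (path[i] ~ watch) ? "!" : " "
        print mark, kind[i], path[i]
      }
    }'
}

# Usage: sh difftriage.sh ubuntu apt-get update
if [ $# -gt 0 ]; then diff_of_command "$@" | triage_diff; fi
```

Lines starting with "!" are the ones to read first; everything else is the plain list of files the command added, changed or deleted.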

Inspecting Docker Image Layer Changes

Another way to find out what a particular command did is to make it part of a layer in a Docker image build.

Apart from writing a Dockerfile (or using an existing one), there's a neat tool you can use: dive. It can help you explore each layer of your Dockerfile (provided it's still present in the final image), and find out even more than the above approach.

I think this approach, and dive in particular, deserves its own little article. Stay tuned for it in the future!

In Conclusion

I hope you'll find this approach useful for quickly investigating file changes made by a command of your choice. It's simple, the results are useful and it's a neat way to use Docker for a slightly unusual purpose.