How to see docker image contents

前端未结

关注

 9  1144

I did a docker pull and can list the image that\'s downloaded. I want to see the contents of this image. Did a search on the net but no straight answer.

相关标签:

9条回答

無奈伤痛

2020-11-30 16:50
You should not start a container just to see the image contents. For instance, you might want to look for malicious content, not run it. Use "create" instead of "run";
```
docker create --name="tmp_$$" image:tag
docker export tmp_$$ | tar t
docker rm tmp_$$
```
0 讨论(0)
发布评论:

提交评论
- 加载中...
谎友^

2020-11-30 16:53
The accepted answer here is problematic, because there is no guarantee that an image will have any sort of interactive shell. For example, the drone/drone image contains on a single command /drone, and it has an ENTRYPOINT as well, so this will fail:
```
$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        
```
And this will fail:
```
$ docker run --rm -it --entrypoint sh drone/drone
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"sh\": executable file not found in $PATH".
```
This is not an uncommon configuration; many minimal images contain only the binaries necessary to support the target service. Fortunately, there are mechanisms for exploring an image filesystem that do not depend on the contents of the image. The easiest is probably the docker export command, which will export a container filesystem as a tar archive. So, start a container (it does not matter if it fails or not):
```
$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        
```
Then use docker export to export the filesystem to tar:
```
$ docker export $(docker ps -lq) | tar tf -
```
The docker ps -lq there means "give me the id of the most recent docker container". You could replace that with an explicit container name or id.
0 讨论(0)
发布评论:

提交评论
- 加载中...
耶瑟儿～

2020-11-30 16:53
EXPLORING DOCKER IMAGE!
1. Figure out what kind of shell is in there bash or sh...
Inspect the image first: docker inspect name-of-container-or-image

Look for entrypoint or cmd in the JSON return.
1. Then do: docker run --rm -it --entrypoint=/bin/bash name-of-image
once inside do: ls -lsa or any other shell command like: cd ..

The -it stands for interactive... and TTY. The --rm stands for remove container after run.

If there are no common tools like ls or bash present and you have access to the Dockerfile simple add the common tool as a layer.
example (alpine Linux):
```
RUN apk add --no-cache bash
```
And when you don't have access to the Dockerfile then just copy/extract the files from a newly created container and look through them:
```
docker create <image>  # returns container ID the container is never started.
docker cp <container ID>:<source_path> <destination_path>
docker rm <container ID>
cd <destination_path> && ls -lsah
```
0 讨论(0)
发布评论:

提交评论
- 加载中...

上一页 1 2