How to see docker image contents

I did a docker pull and can list the image that's downloaded. I want to see the contents of this image. Did a search on the net but no straight answer.

You can just run an interactive shell container using that image and explore whatever content that image has.

For instance:

docker run -it image_name sh

Or following for images with an entrypoint

docker run -it --entrypoint sh image_name

Or, if you want to see how the image was build, meaning the steps in its Dockerfile, you can:

docker image history --no-trunc image_name > image_history

The steps will be logged into the image_history file.

The accepted answer here is problematic, because there is no guarantee that an image will have any sort of interactive shell. For example, the drone/drone image contains on a single command /drone, and it has an ENTRYPOINT as well, so this will fail:

$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        

And this will fail:

$ docker run --rm -it --entrypoint sh drone/drone
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"sh\": executable file not found in $PATH".

This is not an uncommon configuration; many minimal images contain only the binaries necessary to support the target service. Fortunately, there are mechanisms for exploring an image filesystem that do not depend on the contents of the image. The easiest is probably the docker export command, which will export a container filesystem as a tar archive. So, start a container (it does not matter if it fails or not):

$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        

Then use docker export to export the filesystem to tar:

$ docker export $(docker ps -lq) | tar tf -

The docker ps -lq there means "give me the id of the most recent docker container". You could replace that with an explicit container name or id.

You should not start a container just to see the image contents. For instance, you might want to look for malicious content, not run it. Use "create" instead of "run";

docker create --name="tmp_$$" image:tag
docker export tmp_$$ | tar t
docker rm tmp_$$

docker save nginx > nginx.tar
tar -xvf nginx.tar

Following files are present:

• manifest.json – Describes filesystem layers and name of json file that has the Container properties.
• .json – Container properties
• – Each “layerid” directory contains json file describing layer property and filesystem associated with that layer. Docker stores Container images as layers to optimize storage space by reusing layers across images.

https://sreeninet.wordpress.com/2016/06/11/looking-inside-container-images/

OR

you can use dive to view the image content interactively with TUI

https://github.com/wagoodman/dive

EXPLORING DOCKER IMAGE!

1. Figure out what kind of shell is in there bash or sh...

Inspect the image first: docker inspect name-of-container-or-image

Look for entrypoint or cmd in the JSON return.

2. Then do: docker run --rm -it --entrypoint=/bin/bash name-of-image

once inside do: ls -lsa or any other shell command like: cd ..

The -it stands for interactive... and TTY. The --rm stands for remove container after run.

If there are no common tools like ls or bash present and you have access to the Dockerfile simple add the common tool as a layer.
example (alpine Linux):

RUN apk add --no-cache bash

And when you don't have access to the Dockerfile then just copy/extract the files from a newly created container and look through them:

docker create <image>  # returns container ID the container is never started.
docker cp <container ID>:<source_path> <destination_path>
docker rm <container ID>
cd <destination_path> && ls -lsah

To list the detailed content of an image you have to run docker run --rm image/name ls -alR where --rm means remove as soon as exits form a container.

We can try a simpler one as follows:

docker image inspect image_id

This worked in Docker version:

DockerVersion": "18.05.0-ce"

There is a free open source tool called Anchore that you can use to scan container images. This command will allow you to list all files in a container image

anchore-cli image content myrepo/app:latest files

https://anchore.com/opensource/

Perhaps this is nota very straight forward approach but this one worked for me. I had an ECR Repo (Amazon Container Service Repository) whose code i wanted to see.

1. First we need to save the repo you want to access as a tar file. In my case the command went like - docker save .dkr.ecr.us-east-1.amazonaws.com/:image-tag > saved-repo.tar
2. UNTAR the file using the command - tar -xvf saved-repo.tar. You could see many folders and files
3. Now try to find the file which contain the code you are looking for (if you know some part of the code) Command for searching the file - grep -iRl "string you want to search" ./

This will make you reach the file. It can happen that even that file is tarred, so untar it using the command mentioned in step 2.

If you dont know the code you are searching for, you will need to go through all the files that you got after step 2 and this can be bit tiring.

All the Best !

You can penetrate inside a running image, that is in its container, then - find a base Dockerfile there, and finally read it. Three steps:

docker exec -i -t <containerId> bash
ls
cat Dockerfile  

With Docker EE for Windows (17.06.2-ee-6 on Hyper-V Server 2016) all contents of Windows Containers can be examined at C:\ProgramData\docker\windowsfilter\ path of the host OS.

No special mounting needed.

Folder prefix can be found by container id from docker ps -a output.