How to see docker image contents
DockerDocker Problem Overview
I did a docker pull and can list the image that's downloaded. I want to see the contents of this image. Did a search on the net but no straight answer.
Docker Solutions
Solution 1 - Docker
You can just run an interactive shell container using that image and explore whatever content that image has.
For instance:
docker run -it image_name sh
Or following for images with an entrypoint
docker run -it --entrypoint sh image_name
Or, if you want to see how the image was build, meaning the steps in its Dockerfile
, you can:
docker image history --no-trunc image_name > image_history
The steps will be logged into the image_history
file.
Solution 2 - Docker
The accepted answer here is problematic, because there is no guarantee that an image will have any sort of interactive shell. For example, the drone/drone image contains on a single command /drone
, and it has an ENTRYPOINT
as well, so this will fail:
$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured
And this will fail:
$ docker run --rm -it --entrypoint sh drone/drone
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"sh\": executable file not found in $PATH".
This is not an uncommon configuration; many minimal images contain only the binaries necessary to support the target service. Fortunately, there are mechanisms for exploring an image filesystem that do not depend on the contents of the image. The easiest is probably the docker export
command, which will export a container filesystem as a tar archive. So, start a container (it does not matter if it fails or not):
$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured
Then use docker export
to export the filesystem to tar
:
$ docker export $(docker ps -lq) | tar tf -
The docker ps -lq
there means "give me the id of the most recent docker container". You could replace that with an explicit container name or id.
Solution 3 - Docker
You should not start a container just to see the image contents. For instance, you might want to look for malicious content, not run it. Use "create" instead of "run";
docker create --name="tmp_$$" image:tag
docker export tmp_$$ | tar t
docker rm tmp_$$
Solution 4 - Docker
docker save nginx > nginx.tar
tar -xvf nginx.tar
Following files are present:
- manifest.json – Describes filesystem layers and name of json file that has the Container properties.
.json – Container properties – Each “layerid” directory contains json file describing layer property and filesystem associated with that layer. Docker stores Container images as layers to optimize storage space by reusing layers across images.
https://sreeninet.wordpress.com/2016/06/11/looking-inside-container-images/
OR
you can use dive to view the image content interactively with TUI
Solution 5 - Docker
EXPLORING DOCKER IMAGE!
- Figure out what kind of shell is in there
bash
orsh
...
Inspect the image first: docker inspect name-of-container-or-image
Look for entrypoint
or cmd
in the JSON return.
- Then do:
docker run --rm -it --entrypoint=/bin/bash name-of-image
once inside do: ls -lsa
or any other shell command like: cd ..
The -it
stands for interactive... and TTY. The --rm
stands for remove container after run.
If there are no common tools like ls
or bash
present and you have access to the Dockerfile
simple add the common tool as a layer.
example (alpine Linux):
RUN apk add --no-cache bash
And when you don't have access to the Dockerfile
then just copy/extract the files from a newly created container and look through them:
docker create <image> # returns container ID the container is never started.
docker cp <container ID>:<source_path> <destination_path>
docker rm <container ID>
cd <destination_path> && ls -lsah
Solution 6 - Docker
To list the detailed content of an image you have to run docker run --rm image/name ls -alR
where --rm
means remove as soon as exits form a container.
Solution 7 - Docker
We can try a simpler one as follows:
docker image inspect image_id
This worked in Docker version:
DockerVersion": "18.05.0-ce"
Solution 8 - Docker
There is a free open source tool called Anchore that you can use to scan container images. This command will allow you to list all files in a container image
anchore-cli image content myrepo/app:latest files
Solution 9 - Docker
Perhaps this is nota very straight forward approach but this one worked for me. I had an ECR Repo (Amazon Container Service Repository) whose code i wanted to see.
- First we need to save the repo you want to access as a tar file. In my case the command went like - docker save
.dkr.ecr.us-east-1.amazonaws.com/ :image-tag > saved-repo.tar - UNTAR the file using the command - tar -xvf saved-repo.tar. You could see many folders and files
- Now try to find the file which contain the code you are looking for (if you know some part of the code) Command for searching the file - grep -iRl "string you want to search" ./
This will make you reach the file. It can happen that even that file is tarred, so untar it using the command mentioned in step 2.
If you dont know the code you are searching for, you will need to go through all the files that you got after step 2 and this can be bit tiring.
All the Best !
Solution 10 - Docker
You can penetrate inside a running image, that is in its container, then - find a base Dockerfile there, and finally read it. Three steps:
docker exec -i -t <containerId> bash
ls
cat Dockerfile
Solution 11 - Docker
With Docker EE for Windows (17.06.2-ee-6 on Hyper-V Server 2016) all contents of Windows Containers can be examined at C:\ProgramData\docker\windowsfilter\
path of the host OS.
No special mounting needed.
Folder prefix can be found by container id from docker ps -a
output.