I did a docker pull and can list the image that's downloaded. I want to see the contents of this image. Did a search on the net but no straight answer.
-
5Possible duplicate of Exploring Docker container's file system– VadzimCommented Nov 4, 2018 at 23:36
-
83Not a dupe. Viewing the container and the image are not the same thing. You may want to view the initial filesystem or even validate that there is nothing malicious inside the image before it gets a chance to run.– KeilaronCommented Feb 26, 2019 at 18:05
-
8if you could not run the image as container you can use a tool like drive (github.com/wagoodman/dive) or you can use docker save to export the image as tar file. Then you can explore the tar or with dive you can asap explore the image.– Huluvu424242Commented Mar 13, 2019 at 22:57
-
1Not a dupe but you can find the answer here: stackoverflow.com/a/40324326/5641227– Khalil GharbaouiCommented Oct 6, 2019 at 9:33
Add a comment
|
17 Answers
If the image contains a shell, you can run an interactive shell container using that image and explore whatever content that image has. If sh is not available, the busybox ash shell might be.
For instance:
docker run -it image_name sh
Or following for images with an entrypoint
docker run -it --entrypoint sh image_name
Or if you want to see how the image was built, meaning the steps in its Dockerfile, you can:
docker image history --no-trunc image_name > image_history
The steps will be logged into the image_history file.
Thorbjørn Ravn Andersen
74.7k34 gold badges197 silver badges349 bronze badges
answered Jun 26, 2017 at 22:16
-
116I'm trying to see the contents of an image that is created using "FROM scratch" and there is no shell available. Is there any other way to see the contents? The image I'm trying to see is portainer/portainer. Commented Nov 30, 2017 at 10:21
-
9Is it possible that someone see the contents of the image without spawning a container? Or can we assume that it is safe from all unless they have rights to spawn a container from it? Commented Dec 30, 2017 at 21:03
-
4combining what's told before "for a windows container with entrypoint":
docker run -it --entrypoint cmd <image_name>will work. Commented Nov 1, 2018 at 15:41 -
6@JuanHernandez, yes, you can dump the full contents of the image as indicated in stackoverflow.com/a/42677219/320594. Commented Nov 24, 2018 at 22:35
-
29This answer is not good because it depends on having a shell inside the image, which is not always the case. The
docker createanswer is the best one for the question if you're not interested in the examination of each image layer independently. Commented May 22, 2020 at 0:12
You should not start a container just to see the image contents. For instance, you might want to look for malicious content, not run it. Use "create" instead of "run";
docker create --name="tmp_$$" image:tag
docker export tmp_$$ | tar t
docker rm tmp_$$
-
78The 2nd line above just lists the file-system content. If you want to get all the files as a tar you can replace it with something like
docker export tmp_$$ > image-fs.tar.– PinoCommented Jul 5, 2019 at 10:29 -
7What will be the 2nd line for Windows OS? The
docker export tmp_$$ | tar twill not work.– user9608133Commented Aug 29, 2019 at 10:38 -
13This also works if there is no shell in the container Commented Oct 8, 2019 at 13:33
-
15@AlexeiMarinichenko you can use the
-oparameter to specify the file to write to. E.g.docker export -o c:\temp\tmp_$$.tar tmp_$$. Commented Oct 16, 2019 at 21:27 -
9The docker create command errors for me with a
No command specified. putting a dummy command likelsat the end (even if the command would fail if the container were started) seems to work.docker create --name="tmp_$$" image:tag ls– paboCommented Sep 2, 2020 at 17:10
The accepted answer here is problematic, because there is no guarantee that an image will have any sort of interactive shell. For example, the drone/drone image contains on a single command /drone, and it has an ENTRYPOINT as well, so this will fail:
$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured
And this will fail:
$ docker run --rm -it --entrypoint sh drone/drone
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"sh\": executable file not found in $PATH".
This is not an uncommon configuration; many minimal images contain only the binaries necessary to support the target service. Fortunately, there are mechanisms for exploring an image filesystem that do not depend on the contents of the image. The easiest is probably the docker export command, which will export a container filesystem as a tar archive. So, start a container (it does not matter if it fails or not):
$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured
Then use docker export to export the filesystem to tar:
$ docker export $(docker ps -lq) | tar tf -
The docker ps -lq there means "give me the id of the most recent docker container". You could replace that with an explicit container name or id.
-
31You can also use the out parameter as in
docker export $(docker ps -lq) -o foo.tar– LiamCommented Dec 7, 2020 at 12:56 -
7If you are like me, wondering what the
-means intar tf -: it's to tell tar that the "file" (f flag) to read isstdinCommented Jan 5, 2022 at 0:32 -
3This should be the accepted answer. Although it should lead with the proper command. Commented May 5, 2022 at 20:10
-
3This works on a container, not an image. Trivially fixed:
docker image save $IMAGE | tar -tf -. The logic is the same: Docker needs to combine layers, higher-level layers can overwrite files from lower layers.– MSaltersCommented Aug 9, 2022 at 12:00
docker save nginx > nginx.tar
tar -xvf nginx.tar
Following files are present:
- manifest.json – Describes filesystem layers and name of json file that has the Container properties.
- .json – Container properties
- – Each “layerid” directory contains json file describing layer property and filesystem associated with that layer. Docker stores Container images as layers to optimize storage space by reusing layers across images.
https://sreeninet.wordpress.com/2016/06/11/looking-inside-container-images/
OR
you can use dive to view the image content interactively with TUI
-
29This seems like the most useful answer to me, as you don't have to start a container to get the files. Commented Feb 27, 2019 at 0:14
-
5Absolutely agree @AlecThomas - and to take it a step further, why do I even need
dockerjust to see the contents of what is, essentially, just a different type of archive file. Commented Mar 17, 2019 at 10:54 -
11good answer, I would also specify the tag:
docker save --output nginx.tar nginx:latest, otherwise, according to the doc, it will contain "all parent layers, and all tags + versions"– TarekCommented Jul 16, 2019 at 17:33 -
3This should be upvoted as this is probably the only way to explore internals if you don't have any of Unix utils inside. Also this way doesn't require the creation of a container. Commented Jul 19, 2019 at 9:08
-
how did I survive without this tool in the last 5 years ? Commented Sep 3, 2021 at 9:51
EXPLORING DOCKER IMAGE!
- Figure out what kind of shell is in there
bashorsh...
Inspect the image first: docker inspect name-of-container-or-image
Look for entrypoint or cmd in the JSON return.
- Then do:
docker run --rm -it --entrypoint=/bin/bash name-of-image
once inside do: ls -lsa or any other shell command like: cd ..
The -it stands for interactive... and TTY. The --rm stands for remove container after run.
If there are no common tools like ls or bash present and you have access to the Dockerfile simple add the common tool as a layer.
example (alpine Linux):
RUN apk add --no-cache bash
And when you don't have access to the Dockerfile then just copy/extract the files from a newly created container and look through them:
docker create <image> # returns container ID the container is never started.
docker cp <container ID>:<source_path> <destination_path>
docker rm <container ID>
cd <destination_path> && ls -lsah
answered Oct 6, 2019 at 9:50
-
13The problem with this answer is that, as discussed in the accepted answer, there's no guarantee that your image has any shell in it. Or
ls. Or really any common tools at all.– larsksCommented Jan 7, 2020 at 17:31 -
1Yes, this assumes common tools are in there. You could of course always add a shell if you are allowed to ill add that layer to the answer and explain how to extract the files otherwise. Commented Nov 5, 2020 at 0:57
-
docker cp <container ID>:<source_path> <destination_path> what do you mean by source path? as the assumption here is that we haven't run the container and do not know its full contents.– JasonCommented Nov 9, 2022 at 10:32
If you want to list the files in an image without starting a container :
docker create --name listfiles <image name>
docker export listfiles | tar -t
docker rm listfiles
I tried this tool - https://github.com/wagoodman/dive I found it quite helpful to explore the content of the docker image.
To list the detailed content of an image you have to run docker run --rm image/name ls -alR where --rm means remove as soon as exits form a container.
-
19This assumes that the image has
lsavailable and in thePATHCommented Dec 10, 2018 at 8:46
Oneliner, no docker run (based on responses above)
IMAGE=your_image docker create --name filelist $IMAGE command && docker export filelist | tar tf - | tree --fromfile . && docker rm filelist
Same, but report tree structure to result.txt
IMAGE=your_image docker create --name filelist $IMAGE command && docker export filelist | tar tf - | tree --noreport --fromfile . | tee result.txt && docker rm filelist
I usually do the following dirty way to get the contents.
save the image
docker save imagename > imagename.tar
Open imagename.tar with any of the un archiving tools.
Viola!!
if you want to check the image contents without running it you can do this:
$ sudo bash
...
$ cd /var/lib/docker # default path in most installations
$ find . -iname a_file_inside_the_image.ext
... (will find the base path here)
This works fine with the current default BTRFS storage driver.
It is commonly said you need to make a container from an image before you can export it, however there are other ways.
One of such ways is exporting the image using the build command.
By default the build command makes another image, which is not useful for us, instead, we can use the --output to specify that we want a folder or a .tar of the contents of the image:
echo 'from node:18-alpine' | docker build --output type=tar,dest=test-docker.tar -
You now get a tar file in the directory the docker build command is run, containing the exact file structure of your image, including the file owner information and original timestamps:
$ tar -tvf test-docker.tar | grep node | head
drwxr-sr-x 1000/1000 0 2024-03-16 04:31 home/node/
drwxr-xr-x 0/0 0 2024-03-16 04:32 tmp/v8-compile-cache-0/10.2.154.26-node.28/
-rw-r--r-- 0/0 2200240 2024-03-16 04:32 tmp/v8-compile-cache-0/10.2.154.26-node.28/zSoptzSyarn-v1.22.19zSbinzSyarn.js.BLOB
-rw-r--r-- 0/0 88 2024-03-16 04:32 tmp/v8-compile-cache-0/10.2.154.26-node.28/zSoptzSyarn-v1.22.19zSbinzSyarn.js.MAP
lrwxrwxrwx 0/0 0 2024-03-16 04:31 usr/local/bin/corepack -> ../lib/node_modules/corepack/dist/corepack.js
-rwxr-xr-x 0/0 94888944 2024-02-15 13:51 usr/local/bin/node
lrwxrwxrwx 0/0 0 2024-03-16 04:31 usr/local/bin/nodejs -> /usr/local/bin/node
lrwxrwxrwx 0/0 0 2024-03-16 04:31 usr/local/bin/npm -> ../lib/node_modules/npm/bin/npm-cli.js
lrwxrwxrwx 0/0 0 2024-03-16 04:31 usr/local/bin/npx -> ../lib/node_modules/npm/bin/npx-cli.js
drwxr-sr-x 0/0 0 2024-03-16 04:31 usr/local/include/node/
...
Perhaps this is nota very straight forward approach but this one worked for me. I had an ECR Repo (Amazon Container Service Repository) whose code i wanted to see.
- First we need to save the repo you want to access as a tar file. In my case the command went like - docker save .dkr.ecr.us-east-1.amazonaws.com/<name_of_repo>:image-tag > saved-repo.tar
- UNTAR the file using the command - tar -xvf saved-repo.tar. You could see many folders and files
- Now try to find the file which contain the code you are looking for (if you know some part of the code) Command for searching the file - grep -iRl "string you want to search" ./
This will make you reach the file. It can happen that even that file is tarred, so untar it using the command mentioned in step 2.
If you dont know the code you are searching for, you will need to go through all the files that you got after step 2 and this can be bit tiring.
All the Best !
-
When I try to do this, I get the following error: Error response from daemon: mkdir /var/lib/docker/tmp/docker-export-385434031: read-only file system. Is that complaining about my local file system, or something about the image I've just pulled from ECR? Commented May 27, 2022 at 6:46
There is a free open source tool called Anchore-CLI that you can use to scan container images. This command will allow you to list all files in a container image
anchore-cli image content myrepo/app:latest files
https://anchore.com/opensource/
EDIT: not available from anchore.com anymore, It's a python program you can install from https://github.com/anchore/anchore-cli
We can try a simpler one as follows:
docker image inspect image_id
This worked in Docker version:
DockerVersion": "18.05.0-ce"
-
33This doesn't show the contents; it only shows the layers, etc., that went into building the image. Commented Jan 4, 2019 at 14:22
With Docker EE for Windows (17.06.2-ee-6 on Hyper-V Server 2016) all contents of Windows Containers can be examined at C:\ProgramData\docker\windowsfilter\ path of the host OS.
No special mounting needed.
Folder prefix can be found by container id from docker ps -a output.
You can just run the following code to see the content of docker image:
docker exec -it <image_id> sh
