如何提取指定镜像的 Dockerfile

文章目录

    • @[toc]
    • Docker history
      • docker
      • containerd
      • 总结
    • dfimage
      • 构建 whaler 镜像
      • 使用 dfimage 或 whaler
        • docker 的方式
        • containerd 的方式

  • 前期没有归档 Dockerfile
  • 亦或者 Dockerfile 维护不积极,有版本差异?
  • 亦或者别人给的镜像,我不知道是否安全?

so,如何才能从镜像中获取 Dockerfile

  • 当然,这个其实只是一个学习的文章;很多时候,我们从 dockerhub 上面获取镜像的时候,能看到不同 tag 的镜像的构建过程,可是当别人给了一个私有或者他自己构建的镜像,我们并不知道他是否安全,又不好意思直接找别人要 Dockerfile,那么,这篇文章或许可以给你灵光一闪
  • 翻阅了一些资料,目前也只找到了这两种方式

Docker history

docker history 命令会有一个局限性,镜像必须是本地存在的,所以镜像需要提前先 pull 下来,下面操作中出现的镜像本地没有的话,可以换成自己本地已有镜像,或者手动 pull 一下

docker

容器运行时 使用的是 docker 时,可以使用 docker history 命令来获取镜像被创建时的过程

如果镜像本地不存在会报错:Error response from daemon: No such image: xxx

docker history nginx:1.16

但是输出的内容并不完整, CREATED BY 有很多内容都被挡住了

IMAGE          CREATED       CREATED BY                                      SIZE      COMMENT
dfcfd8e9a5d3   2 years ago   /bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon…   0B
      2 years ago   /bin/sh -c #(nop)  STOPSIGNAL SIGTERM           0B
      2 years ago   /bin/sh -c #(nop)  EXPOSE 80                    0B
      2 years ago   /bin/sh -c ln -sf /dev/stdout /var/log/nginx…   22B
      2 years ago   /bin/sh -c set -x     && addgroup --system -…   57.5MB
      2 years ago   /bin/sh -c #(nop)  ENV PKG_RELEASE=1~buster     0B
      2 years ago   /bin/sh -c #(nop)  ENV NJS_VERSION=0.3.8        0B
      2 years ago   /bin/sh -c #(nop)  ENV NGINX_VERSION=1.16.1     0B
      2 years ago   /bin/sh -c #(nop)  LABEL maintainer=NGINX Do…   0B
      2 years ago   /bin/sh -c #(nop)  CMD ["bash"]                 0B
      2 years ago   /bin/sh -c #(nop) ADD file:9b8be2b52ee0fa31d…   69.2MB

使用 --format 参数来获取完整的内容

docker history nginx:1.16 --format '{{json .}}'

会以 json 的格式输出内容,这个时候 CreatedBy 后面的内容就完整了

{"Comment":"","CreatedAt":"2020-04-23T21:04:39+08:00","CreatedBy":"/bin/sh -c #(nop)  CMD [\"nginx\" \"-g\" \"daemon…","CreatedSince":"2 years ago","ID":"dfcfd8e9a5d3","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:38+08:00","CreatedBy":"/bin/sh -c #(nop)  STOPSIGNAL SIGTERM","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:38+08:00","CreatedBy":"/bin/sh -c #(nop)  EXPOSE 80","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:38+08:00","CreatedBy":"/bin/sh -c ln -sf /dev/stdout /var/log/nginx…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"22B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:37+08:00","CreatedBy":"/bin/sh -c set -x     \u0026\u0026 addgroup --system -…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"57.5MB"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:08+08:00","CreatedBy":"/bin/sh -c #(nop)  ENV PKG_RELEASE=1~buster","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:08+08:00","CreatedBy":"/bin/sh -c #(nop)  ENV NJS_VERSION=0.3.8","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:08+08:00","CreatedBy":"/bin/sh -c #(nop)  ENV NGINX_VERSION=1.16.1","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:02:24+08:00","CreatedBy":"/bin/sh -c #(nop)  LABEL maintainer=NGINX Do…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T08:20:32+08:00","CreatedBy":"/bin/sh -c #(nop)  CMD [\"bash\"]","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T08:20:32+08:00","CreatedBy":"/bin/sh -c #(nop) ADD file:9b8be2b52ee0fa31d…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"69.2MB"}

containerd

容器运行时 使用的是 containerd 时,自带的 ctr 命令没有 history 参数可以使用,这个时候,可以安装一个 nerdctl 命令来实现 docker 命令的习惯

关于 nerdctl 的安装,可以看我另一篇博客:containerd 镜像构建工具 – nerdctl 和 buildkit

docker history 命令一样,镜像是需要本地存在的,不然会报错:FATA[0000] 1 errors: [no such object: xxx]

nerdctl history alpine/dfimage:1.1
  • docker history 的区别在于
    • docker history 输出的第一列为 IMAGE
    • nerdctl history 输出的第一列为 SNAPSHOT
  • 而其他的输出都是一样的,包括 CREATED 也是不完整输出
SNAPSHOT                                                                   CREATED        CREATED BY                                       SIZE        COMMENT
<missing>                                                                  2 years ago    /bin/sh -c #(nop)  ENTRYPOINT ["./Whaler"]       0.0 B
sha256:83adc3c3d0f7a262d81eea224265d62381454ea94a2af480e77a57ceb2f3abf2    2 years ago    /bin/sh -c #(nop) COPY file:9cdb17dd7bf71ba8…    14.0 MiB
<missing>                                                                  2 years ago    /bin/sh -c #(nop) WORKDIR /root/                 0.0 B
<missing>                                                                  2 years ago    /bin/sh -c #(nop)  CMD ["/bin/sh"]               0.0 B
sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a    2 years ago    /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…    5.9 MiB

同样可以使用 --format 来格式化输出

nerdctl history alpine/dfimage:1.1 --format '{{json .}}'

同样也是以 json 的格式输出

{"Snapshot":"","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop)  ENTRYPOINT [\"./Whaler\"]","Size":"0.0 B","Comment":""}
{"Snapshot":"sha256:83adc3c3d0f7a262d81eea224265d62381454ea94a2af480e77a57ceb2f3abf2","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) COPY file:9cdb17dd7bf71ba8…","Size":"14.0 MiB","Comment":""}
{"Snapshot":"","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) WORKDIR /root/","Size":"0.0 B","Comment":""}
{"Snapshot":"","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop)  CMD [\"/bin/sh\"]","Size":"0.0 B","Comment":""}
{"Snapshot":"sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…","Size":"5.9 MiB","Comment":""}

总结

如果只是单纯的查看构建的过程,history 参数已经足够了,只是他没能生成一个 Dockerfile,如果想要修改再构建,就会多一道工时,下面看看 dfimage

dfimage

  • dfimage 只是一个镜像的名称,由 alpine 官方制作的,其实里面运行了一个工具,叫做 Whaler,这个工具的 github 地址

  • Whaler 是一个 Go 程序,旨在将 docker 镜像逆向工程到创建它的 Dockerfile

  • 它当前执行以下操作

    • 镜像生成 Dockerfile
    • 搜索添加的文件名以查找潜在的机密文件
    • 提取由 DockerADD/COPY 指令添加的文件
    • 它还显示其他信息,例如:打开的端口运行的用户环境变量
  • 如果想要自己构建 whaler 镜像,whalergithub 项目里面也提供了 Dockerfile,只需要下载好 whaler 的源码包,稍稍修改一下就可以构建了
  • 已经构建好的镜像,也可以直接拿来用
    • pegleg/whaler
    • alpine/dfimage
  • 想自己构建一波的,可以看下面的内容,想快速使用的,可以直接跳到下面的 使用 dfimage 或 whaler

构建 whaler 镜像

wget https://github.com/P3GLEG/Whaler/archive/refs/heads/master.zip
unzip master.zip
vim Dockerfile
FROM golang:1.14.4 AS builder
# 官方这里的 ADD 本地路径直接写了 ./ 所以会有问题,
## 只需要改成解压出来的目录名称就可以了,后面的都可以不做修改
ADD ./Whaler-master /root/whaler_build
WORKDIR /root/whaler_build
RUN export CGO_ENABLED=0 && go build .
RUN cp whaler /root/whaler

FROM alpine:3.12.0
WORKDIR /root/
COPY --from=builder /root/whaler .
ENTRYPOINT ["./whaler"]

构建镜像,这里我用的是 containerd ,如果大家用的是 docker,只需要将 nerdctl 换成 docker 就可以了

nerdctl build -t whaler:latest .

使用 dfimage 或 whaler

  • 无论是 dfimage 还是 whaler ,这个全凭各自的喜好了,使用的方法其实是一致的,都是通过 alias 生成别名来指定使用的镜像,然后带上需要导出 Dockerfile 的镜像名称和 tag 就可以了
  • 如果自己构建的了 whaler 工具的镜像,需要把下面的 alias 命令里面指定的镜像名称和 tag 改成自己构建的镜像名称和 tag

docker 的方式

alias dfimage="docker run -t --rm -v /var/run/docker.sock:/var/run/docker.sock:ro alpine/dfimage"
alias whaler="docker run -t --rm -v /var/run/docker.sock:/var/run/docker.sock:ro pegleg/whaler"

当我本地有一个 nginx:1.16 镜像,无论是 dfimage 还是 whaler ,结果是一致的,因为镜像内都是使用的 whaler 这个程序

dfimage nginx:1.16
whaler nginx:1.16
  • 输出的信息分别为:
    • 镜像名称和 tag
    • 编译镜像使用的 docker 版本
    • 使用的驱动类型
    • 镜像的 env 变量
    • 镜像放开的端口
    • 镜像内的用户
Analyzing nginx:1.16
Docker Version: 18.09.7
GraphDriver: overlay2
Environment Variables
|PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|NGINX_VERSION=1.16.1
|NJS_VERSION=0.3.8
|PKG_RELEASE=1~buster

Open Ports
|80

Image user
|User is root

Potential secrets:
Dockerfile:
CMD ["bash"]
LABEL maintainer=NGINX Docker Maintainers <[email protected]>
ENV NGINX_VERSION=1.16.1
ENV NJS_VERSION=0.3.8
ENV PKG_RELEASE=1~buster
RUN set -x  \
        && addgroup --system --gid 101 nginx  \
        && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx  \
        && apt-get update  \
        && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates  \
        && NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; found=''; for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY"  \
        && found=yes  \
        && break; done; test -z "$found"  \
        && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY"  \
        && exit 1; apt-get remove --purge --auto-remove -y gnupg1  \
        && rm -rf /var/lib/apt/lists/*  \
        && dpkgArch="$(dpkg --print-architecture)"  \
        && nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} "  \
        && case "$dpkgArch" in amd64|i386) echo "deb https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list  \
        && apt-get update ;; *) echo "deb-src https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list  \
        && tempDir="$(mktemp -d)"  \
        && chmod 777 "$tempDir"  \
        && savedAptMark="$(apt-mark showmanual)"  \
        && apt-get update  \
        && apt-get build-dep -y $nginxPackages  \
        && ( cd "$tempDir"  \
        && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" apt-get source --compile $nginxPackages )  \
        && apt-mark showmanual | xargs apt-mark auto > /dev/null  \
        && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; }  \
        && ls -lAFh "$tempDir"  \
        && ( cd "$tempDir"  \
        && dpkg-scanpackages . > Packages )  \
        && grep '^Package: ' "$tempDir/Packages"  \
        && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list  \
        && apt-get -o Acquire::GzipIndexes=false update ;; esac  \
        && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base  \
        && apt-get remove --purge --auto-remove -y ca-certificates  \
        && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list  \
        && if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove  \
        && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi
RUN ln -sf /dev/stdout /var/log/nginx/access.log  \
        && ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx" "-g" "daemon off;"]

Dockerfile:

CMD ["bash"]
LABEL maintainer=NGINX Docker Maintainers 
ENV NGINX_VERSION=1.16.1
ENV NJS_VERSION=0.3.8
ENV PKG_RELEASE=1~buster
RUN set -x  \
        && addgroup --system --gid 101 nginx  \
        && adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx  \
        && apt-get update  \
        && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates  \
        && NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; found=''; for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY"  \
        && found=yes  \
        && break; done; test -z "$found"  \
        && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY"  \
        && exit 1; apt-get remove --purge --auto-remove -y gnupg1  \
        && rm -rf /var/lib/apt/lists/*  \
        && dpkgArch="$(dpkg --print-architecture)"  \
        && nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} "  \
        && case "$dpkgArch" in amd64|i386) echo "deb https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list  \
        && apt-get update ;; *) echo "deb-src https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list  \
        && tempDir="$(mktemp -d)"  \
        && chmod 777 "$tempDir"  \
        && savedAptMark="$(apt-mark showmanual)"  \
        && apt-get update  \
        && apt-get build-dep -y $nginxPackages  \
        && ( cd "$tempDir"  \
        && DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" apt-get source --compile $nginxPackages )  \
        && apt-mark showmanual | xargs apt-mark auto > /dev/null  \
        && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; }  \
        && ls -lAFh "$tempDir"  \
        && ( cd "$tempDir"  \
        && dpkg-scanpackages . > Packages )  \
        && grep '^Package: ' "$tempDir/Packages"  \
        && echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list  \
        && apt-get -o Acquire::GzipIndexes=false update ;; esac  \
        && apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base  \
        && apt-get remove --purge --auto-remove -y ca-certificates  \
        && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list  \
        && if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove  \
        && rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi
RUN ln -sf /dev/stdout /var/log/nginx/access.log  \
        && ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx" "-g" "daemon off;"]

containerd 的方式

  • 目前这个工具还不支持 containerd ,目前只支持 docker
  • 直接编译后,使用 二进制 文件运行的时候,会有如下的报错:
    • Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

你可能感兴趣的:(Docker,docker,运维,容器)