- 前期没有归档
Dockerfile
?- 亦或者
Dockerfile
维护不积极,有版本差异?- 亦或者别人给的镜像,我不知道是否安全?
so,如何才能从镜像中获取
Dockerfile
?
- 当然,这个其实只是一个学习的文章;很多时候,我们从
dockerhub
上面获取镜像的时候,能看到不同 tag 的镜像的构建过程,可是当别人给了一个私有或者他自己构建的镜像,我们并不知道他是否安全,又不好意思直接找别人要Dockerfile
,那么,这篇文章或许可以给你灵光一闪- 翻阅了一些资料,目前也只找到了这两种方式
docker history
命令会有一个局限性,镜像必须是本地存在的,所以镜像需要提前先pull
下来,下面操作中出现的镜像本地没有的话,可以换成自己本地已有镜像,或者手动pull
一下
当
容器运行时
使用的是docker
时,可以使用docker history
命令来获取镜像被创建时的过程如果镜像本地不存在会报错:
Error response from daemon: No such image: xxx
docker history nginx:1.16
但是输出的内容并不完整,
CREATED BY
有很多内容都被挡住了
IMAGE CREATED CREATED BY SIZE COMMENT
dfcfd8e9a5d3 2 years ago /bin/sh -c #(nop) CMD ["nginx" "-g" "daemon… 0B
2 years ago /bin/sh -c #(nop) STOPSIGNAL SIGTERM 0B
2 years ago /bin/sh -c #(nop) EXPOSE 80 0B
2 years ago /bin/sh -c ln -sf /dev/stdout /var/log/nginx… 22B
2 years ago /bin/sh -c set -x && addgroup --system -… 57.5MB
2 years ago /bin/sh -c #(nop) ENV PKG_RELEASE=1~buster 0B
2 years ago /bin/sh -c #(nop) ENV NJS_VERSION=0.3.8 0B
2 years ago /bin/sh -c #(nop) ENV NGINX_VERSION=1.16.1 0B
2 years ago /bin/sh -c #(nop) LABEL maintainer=NGINX Do… 0B
2 years ago /bin/sh -c #(nop) CMD ["bash"] 0B
2 years ago /bin/sh -c #(nop) ADD file:9b8be2b52ee0fa31d… 69.2MB
使用
--format
参数来获取完整的内容
docker history nginx:1.16 --format '{{json .}}'
会以 json 的格式输出内容,这个时候
CreatedBy
后面的内容就完整了
{"Comment":"","CreatedAt":"2020-04-23T21:04:39+08:00","CreatedBy":"/bin/sh -c #(nop) CMD [\"nginx\" \"-g\" \"daemon…","CreatedSince":"2 years ago","ID":"dfcfd8e9a5d3","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:38+08:00","CreatedBy":"/bin/sh -c #(nop) STOPSIGNAL SIGTERM","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:38+08:00","CreatedBy":"/bin/sh -c #(nop) EXPOSE 80","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:38+08:00","CreatedBy":"/bin/sh -c ln -sf /dev/stdout /var/log/nginx…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"22B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:37+08:00","CreatedBy":"/bin/sh -c set -x \u0026\u0026 addgroup --system -…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"57.5MB"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:08+08:00","CreatedBy":"/bin/sh -c #(nop) ENV PKG_RELEASE=1~buster","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:08+08:00","CreatedBy":"/bin/sh -c #(nop) ENV NJS_VERSION=0.3.8","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:04:08+08:00","CreatedBy":"/bin/sh -c #(nop) ENV NGINX_VERSION=1.16.1","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T21:02:24+08:00","CreatedBy":"/bin/sh -c #(nop) LABEL maintainer=NGINX Do…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T08:20:32+08:00","CreatedBy":"/bin/sh -c #(nop) CMD [\"bash\"]","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2020-04-23T08:20:32+08:00","CreatedBy":"/bin/sh -c #(nop) ADD file:9b8be2b52ee0fa31d…","CreatedSince":"2 years ago","ID":"\u003cmissing\u003e","Size":"69.2MB"}
当
容器运行时
使用的是containerd
时,自带的ctr
命令没有history
参数可以使用,这个时候,可以安装一个nerdctl
命令来实现docker
命令的习惯关于
nerdctl
的安装,可以看我另一篇博客:containerd 镜像构建工具 – nerdctl 和 buildkit和
docker history
命令一样,镜像是需要本地存在的,不然会报错:FATA[0000] 1 errors: [no such object: xxx]
nerdctl history alpine/dfimage:1.1
- 和
docker history
的区别在于
docker history
输出的第一列为IMAGE
nerdctl history
输出的第一列为SNAPSHOT
- 而其他的输出都是一样的,包括
CREATED
也是不完整输出
SNAPSHOT CREATED CREATED BY SIZE COMMENT
<missing> 2 years ago /bin/sh -c #(nop) ENTRYPOINT ["./Whaler"] 0.0 B
sha256:83adc3c3d0f7a262d81eea224265d62381454ea94a2af480e77a57ceb2f3abf2 2 years ago /bin/sh -c #(nop) COPY file:9cdb17dd7bf71ba8… 14.0 MiB
<missing> 2 years ago /bin/sh -c #(nop) WORKDIR /root/ 0.0 B
<missing> 2 years ago /bin/sh -c #(nop) CMD ["/bin/sh"] 0.0 B
sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a 2 years ago /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b… 5.9 MiB
同样可以使用
--format
来格式化输出
nerdctl history alpine/dfimage:1.1 --format '{{json .}}'
同样也是以 json 的格式输出
{"Snapshot":"" ,"CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) ENTRYPOINT [\"./Whaler\"]","Size":"0.0 B","Comment":""}
{"Snapshot":"sha256:83adc3c3d0f7a262d81eea224265d62381454ea94a2af480e77a57ceb2f3abf2","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) COPY file:9cdb17dd7bf71ba8…","Size":"14.0 MiB","Comment":""}
{"Snapshot":"" ,"CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) WORKDIR /root/","Size":"0.0 B","Comment":""}
{"Snapshot":"" ,"CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) CMD [\"/bin/sh\"]","Size":"0.0 B","Comment":""}
{"Snapshot":"sha256:50644c29ef5a27c9a40c393a73ece2479de78325cae7d762ef3cdc19bf42dd0a","CreatedSince":"2 years ago","CreatedBy":"/bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…","Size":"5.9 MiB","Comment":""}
如果只是单纯的查看构建的过程,
history
参数已经足够了,只是他没能生成一个Dockerfile
,如果想要修改再构建,就会多一道工时,下面看看dfimage
dfimage
只是一个镜像的名称,由alpine
官方制作的,其实里面运行了一个工具,叫做Whaler
,这个工具的 github 地址
Whaler
是一个Go
程序,旨在将docker 镜像
逆向工程到创建它的Dockerfile
中它当前执行以下操作
- 从
镜像
生成Dockerfile
- 搜索添加的文件名以查找潜在的机密文件
- 提取由
Docker
的ADD/COPY
指令添加的文件- 它还显示其他信息,例如:
打开的端口
、运行的用户
和环境变量
whaler
镜像,whaler
的 github
项目里面也提供了 Dockerfile
,只需要下载好 whaler
的源码包,稍稍修改一下就可以构建了使用 dfimage 或 whaler
wget https://github.com/P3GLEG/Whaler/archive/refs/heads/master.zip
unzip master.zip
vim Dockerfile
FROM golang:1.14.4 AS builder
# 官方这里的 ADD 本地路径直接写了 ./ 所以会有问题,
## 只需要改成解压出来的目录名称就可以了,后面的都可以不做修改
ADD ./Whaler-master /root/whaler_build
WORKDIR /root/whaler_build
RUN export CGO_ENABLED=0 && go build .
RUN cp whaler /root/whaler
FROM alpine:3.12.0
WORKDIR /root/
COPY --from=builder /root/whaler .
ENTRYPOINT ["./whaler"]
构建镜像,这里我用的是
containerd
,如果大家用的是docker
,只需要将nerdctl
换成docker
就可以了
nerdctl build -t whaler:latest .
- 无论是
dfimage
还是whaler
,这个全凭各自的喜好了,使用的方法其实是一致的,都是通过alias
生成别名来指定使用的镜像,然后带上需要导出Dockerfile
的镜像名称和tag
就可以了- 如果自己构建的了
whaler
工具的镜像,需要把下面的alias
命令里面指定的镜像名称和 tag 改成自己构建的镜像名称和 tag
alias dfimage="docker run -t --rm -v /var/run/docker.sock:/var/run/docker.sock:ro alpine/dfimage"
alias whaler="docker run -t --rm -v /var/run/docker.sock:/var/run/docker.sock:ro pegleg/whaler"
当我本地有一个
nginx:1.16
镜像,无论是dfimage
还是whaler
,结果是一致的,因为镜像内都是使用的whaler
这个程序
dfimage nginx:1.16
whaler nginx:1.16
- 输出的信息分别为:
镜像名称和 tag
编译镜像使用的 docker 版本
使用的驱动类型
镜像的 env 变量
镜像放开的端口
镜像内的用户
Analyzing nginx:1.16
Docker Version: 18.09.7
GraphDriver: overlay2
Environment Variables
|PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|NGINX_VERSION=1.16.1
|NJS_VERSION=0.3.8
|PKG_RELEASE=1~buster
Open Ports
|80
Image user
|User is root
Potential secrets:
Dockerfile:
CMD ["bash"]
LABEL maintainer=NGINX Docker Maintainers <[email protected]>
ENV NGINX_VERSION=1.16.1
ENV NJS_VERSION=0.3.8
ENV PKG_RELEASE=1~buster
RUN set -x \
&& addgroup --system --gid 101 nginx \
&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; found=''; for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" \
&& found=yes \
&& break; done; test -z "$found" \
&& echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" \
&& exit 1; apt-get remove --purge --auto-remove -y gnupg1 \
&& rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} " \
&& case "$dpkgArch" in amd64|i386) echo "deb https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list \
&& apt-get update ;; *) echo "deb-src https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list \
&& tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
&& savedAptMark="$(apt-mark showmanual)" \
&& apt-get update \
&& apt-get build-dep -y $nginxPackages \
&& ( cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" apt-get source --compile $nginxPackages ) \
&& apt-mark showmanual | xargs apt-mark auto > /dev/null \
&& { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \
&& ls -lAFh "$tempDir" \
&& ( cd "$tempDir" \
&& dpkg-scanpackages . > Packages ) \
&& grep '^Package: ' "$tempDir/Packages" \
&& echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \
&& apt-get -o Acquire::GzipIndexes=false update ;; esac \
&& apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base \
&& apt-get remove --purge --auto-remove -y ca-certificates \
&& rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
&& if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove \
&& rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx" "-g" "daemon off;"]
Dockerfile:
CMD ["bash"]
LABEL maintainer=NGINX Docker Maintainers
ENV NGINX_VERSION=1.16.1
ENV NJS_VERSION=0.3.8
ENV PKG_RELEASE=1~buster
RUN set -x \
&& addgroup --system --gid 101 nginx \
&& adduser --system --disabled-login --ingroup nginx --no-create-home --home /nonexistent --gecos "nginx user" --shell /bin/false --uid 101 nginx \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; found=''; for server in ha.pool.sks-keyservers.net hkp://keyserver.ubuntu.com:80 hkp://p80.pool.sks-keyservers.net:80 pgp.mit.edu ; do echo "Fetching GPG key $NGINX_GPGKEY from $server"; apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" \
&& found=yes \
&& break; done; test -z "$found" \
&& echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" \
&& exit 1; apt-get remove --purge --auto-remove -y gnupg1 \
&& rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
&& nginxPackages=" nginx=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-xslt=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-geoip=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-image-filter=${NGINX_VERSION}-${PKG_RELEASE} nginx-module-njs=${NGINX_VERSION}.${NJS_VERSION}-${PKG_RELEASE} " \
&& case "$dpkgArch" in amd64|i386) echo "deb https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list \
&& apt-get update ;; *) echo "deb-src https://nginx.org/packages/debian/ buster nginx" >> /etc/apt/sources.list.d/nginx.list \
&& tempDir="$(mktemp -d)" \
&& chmod 777 "$tempDir" \
&& savedAptMark="$(apt-mark showmanual)" \
&& apt-get update \
&& apt-get build-dep -y $nginxPackages \
&& ( cd "$tempDir" \
&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" apt-get source --compile $nginxPackages ) \
&& apt-mark showmanual | xargs apt-mark auto > /dev/null \
&& { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \
&& ls -lAFh "$tempDir" \
&& ( cd "$tempDir" \
&& dpkg-scanpackages . > Packages ) \
&& grep '^Package: ' "$tempDir/Packages" \
&& echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \
&& apt-get -o Acquire::GzipIndexes=false update ;; esac \
&& apt-get install --no-install-recommends --no-install-suggests -y $nginxPackages gettext-base \
&& apt-get remove --purge --auto-remove -y ca-certificates \
&& rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
&& if [ -n "$tempDir" ]; then apt-get purge -y --auto-remove \
&& rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; fi
RUN ln -sf /dev/stdout /var/log/nginx/access.log \
&& ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80
STOPSIGNAL SIGTERM
CMD ["nginx" "-g" "daemon off;"]
- 目前这个工具还不支持
containerd
,目前只支持docker
- 直接编译后,使用
二进制
文件运行的时候,会有如下的报错:
Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?