How to see docker image contents

You should not start a container just to see the image contents. For instance, you might want to look for malicious content, not run it. Use "create" instead of "run";

docker create --name="tmp_$$" image:tag
docker export tmp_$$ | tar t
docker rm tmp_$$

The accepted answer here is problematic, because there is no guarantee that an image will have any sort of interactive shell. For example, the drone/drone image contains on a single command /drone, and it has an ENTRYPOINT as well, so this will fail:

$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        

And this will fail:

$ docker run --rm -it --entrypoint sh drone/drone
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"sh\": executable file not found in $PATH".

This is not an uncommon configuration; many minimal images contain only the binaries necessary to support the target service. Fortunately, there are mechanisms for exploring an image filesystem that do not depend on the contents of the image. The easiest is probably the docker export command, which will export a container filesystem as a tar archive. So, start a container (it does not matter if it fails or not):

$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        

Then use docker export to export the filesystem to tar:

$ docker export $(docker ps -lq) | tar tf -

The docker ps -lq there means "give me the id of the most recent docker container". You could replace that with an explicit container name or id.

docker save nginx > nginx.tar
tar -xvf nginx.tar

Following files are present:

• manifest.json – Describes filesystem layers and name of json file that has the Container properties.
• .json – Container properties
• – Each “layerid” directory contains json file describing layer property and filesystem associated with that layer. Docker stores Container images as layers to optimize storage space by reusing layers across images.

https://sreeninet.wordpress.com/2016/06/11/looking-inside-container-images/

OR

you can use dive to view the image content interactively with TUI

https://github.com/wagoodman/dive

EXPLORING DOCKER IMAGE!

1. Figure out what kind of shell is in there bash or sh...

Inspect the image first: docker inspect name-of-container-or-image

Look for entrypoint or cmd in the JSON return.

2. Then do: docker run --rm -it --entrypoint=/bin/bash name-of-image

once inside do: ls -lsa or any other shell command like: cd ..

The -it stands for interactive... and TTY. The --rm stands for remove container after run.

If there are no common tools like ls or bash present and you have access to the Dockerfile simple add the common tool as a layer.
example (alpine Linux):

RUN apk add --no-cache bash

And when you don't have access to the Dockerfile then just copy/extract the files from a newly created container and look through them:

docker create <image>  # returns container ID the container is never started.
docker cp <container ID>:<source_path> <destination_path>
docker rm <container ID>
cd <destination_path> && ls -lsah

If you want to list the files in an image without starting a container :

docker create --name listfiles <image name>
docker export listfiles | tar -t
docker rm listfiles

I tried this tool - https://github.com/wagoodman/dive I found it quite helpful to explore the content of the docker image.

To list the detailed content of an image you have to run docker run --rm image/name ls -alR where --rm means remove as soon as exits form a container.

It is commonly said you need to make a container from an image before you can export it, however there are other ways.

One of such ways is exporting the image using the build command.

By default the build command makes another image, which is not useful for us, instead, we can use the --output to specify that we want a folder or a .tar of the contents of the image:

echo 'from node:18-alpine' | docker build --output type=tar,dest=test-docker.tar -

You now get a tar file in the directory the docker build command is run, containing the exact file structure of your image, including the file owner information and original timestamps:

$ tar -tvf test-docker.tar | grep node | head
drwxr-sr-x 1000/1000         0 2024-03-16 04:31 home/node/
drwxr-xr-x 0/0               0 2024-03-16 04:32 tmp/v8-compile-cache-0/10.2.154.26-node.28/
-rw-r--r-- 0/0         2200240 2024-03-16 04:32 tmp/v8-compile-cache-0/10.2.154.26-node.28/zSoptzSyarn-v1.22.19zSbinzSyarn.js.BLOB
-rw-r--r-- 0/0              88 2024-03-16 04:32 tmp/v8-compile-cache-0/10.2.154.26-node.28/zSoptzSyarn-v1.22.19zSbinzSyarn.js.MAP
lrwxrwxrwx 0/0               0 2024-03-16 04:31 usr/local/bin/corepack -> ../lib/node_modules/corepack/dist/corepack.js
-rwxr-xr-x 0/0        94888944 2024-02-15 13:51 usr/local/bin/node
lrwxrwxrwx 0/0               0 2024-03-16 04:31 usr/local/bin/nodejs -> /usr/local/bin/node
lrwxrwxrwx 0/0               0 2024-03-16 04:31 usr/local/bin/npm -> ../lib/node_modules/npm/bin/npm-cli.js
lrwxrwxrwx 0/0               0 2024-03-16 04:31 usr/local/bin/npx -> ../lib/node_modules/npm/bin/npx-cli.js
drwxr-sr-x 0/0               0 2024-03-16 04:31 usr/local/include/node/
...

Oneliner, no docker run (based on responses above)

IMAGE=your_image docker create --name filelist $IMAGE command && docker export filelist | tar tf - | tree --fromfile . && docker rm filelist

Same, but report tree structure to result.txt

IMAGE=your_image docker create --name filelist $IMAGE command && docker export filelist | tar tf - | tree --noreport --fromfile . | tee result.txt && docker rm filelist

I usually do the following dirty way to get the contents.

1. save the image

   docker save imagename > imagename.tar

2. Open imagename.tar with any of the un archiving tools.

3. Viola!!

if you want to check the image contents without running it you can do this:

$ sudo bash
...
$ cd /var/lib/docker  # default path in most installations
$ find . -iname a_file_inside_the_image.ext
... (will find the base path here)

This works fine with the current default BTRFS storage driver.

Perhaps this is nota very straight forward approach but this one worked for me. I had an ECR Repo (Amazon Container Service Repository) whose code i wanted to see.

1. First we need to save the repo you want to access as a tar file. In my case the command went like - docker save .dkr.ecr.us-east-1.amazonaws.com/<name_of_repo>:image-tag > saved-repo.tar
2. UNTAR the file using the command - tar -xvf saved-repo.tar. You could see many folders and files
3. Now try to find the file which contain the code you are looking for (if you know some part of the code) Command for searching the file - grep -iRl "string you want to search" ./

This will make you reach the file. It can happen that even that file is tarred, so untar it using the command mentioned in step 2.

If you dont know the code you are searching for, you will need to go through all the files that you got after step 2 and this can be bit tiring.

All the Best !

There is a free open source tool called Anchore-CLI that you can use to scan container images. This command will allow you to list all files in a container image

anchore-cli image content myrepo/app:latest files

https://anchore.com/opensource/

EDIT: not available from anchore.com anymore, It's a python program you can install from https://github.com/anchore/anchore-cli

We can try a simpler one as follows:

docker image inspect image_id

This worked in Docker version:

DockerVersion": "18.05.0-ce"

With Docker EE for Windows (17.06.2-ee-6 on Hyper-V Server 2016) all contents of Windows Containers can be examined at C:\ProgramData\docker\windowsfilter\ path of the host OS.

No special mounting needed.

Folder prefix can be found by container id from docker ps -a output.

You can just run the following code to see the content of docker image:

docker exec -it <image_id> sh