


Docker images can bundle arbitrary binaries and libraries into a single blob of data. Inspecting what's actually inside an image helps you assess its suitability and identify any security hazards.

The easiest way to explore an image's content involves starting a container, getting a shell session, and then using regular terminal commands like ls and cd to view its directory structure from within. This isn't ideal in security-critical environments though – creating a container from an unknown image could expose you to a malicious entrypoint script. Here are techniques you can use to inspect an image's files without starting a container.

Creating a Container Without Starting It

docker create is a lesser-known counterpart to docker run. It creates a new container atop a given image without starting it.

Creating a new container isn't dangerous as it'll stay inert until it's run. You could launch it later on with the docker start command. You can roughly liken it to defining the config settings for a VM which you don't use. Even if it's set to boot from a tainted operating system ISO, you're not going to cause any damage to your environment.

docker create --name suspect-container suspect-image:latest

The command above creates a new container called suspect-container that will be based on the suspect-image:latest image. Now that you've got a valid but stopped container, you can export its filesystem using the docker export command.

docker export suspect-container > suspect-container.tar

As the container's never been started, you can be sure the export accurately represents the filesystem defined by your image's layers. You'll end up with a tar archive in your working directory that contains everything inside your image. Open or extract this archive using your favorite software to browse the image's directories and list and view files.

If you don't need to save or open the archive, instead preferring to get the file list in your terminal, modify the command to pipe the export through tar:

docker export suspect-container | tar t > suspect-container-files.txt

tar t lists the contents of the input archive. You'll end up with a list of everything in your image inside suspect-container-files.txt.

Using "docker image save"

A variation on this technique is using docker image save.

docker image save suspect-image:latest > suspect-image.tar

This command directly saves an image's data to a tar archive. This method produces an archive that's focused on the image, not containers created from it. The tar will include a manifest.json file, describing the image's layers, and a set of directories containing the content of all the individual layers.
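Once you have the archive, the next question is what to look for in it. The following Python script is an added example, not code from the original article or from Docker: it reads a docker image save archive offline, uses manifest.json to find each layer, lists the files in every layer (the same information tar t gives you for an export), and flags two things a reviewer usually wants to see before trusting an image: files carrying the setuid or setgid bit, and overlay whiteout entries (names prefixed .wh.), which mark files deleted by a later layer and so won't appear in a flattened export. It assumes the manifest.json layout that docker image save writes (a JSON list whose entries hold Config, RepoTags and Layers keys, with each Layers value naming a per-layer tar inside the archive); the two-layer sample image it inspects is constructed in a temporary directory so the script runs without Docker installed.

```python
"""Inspect a `docker image save` archive offline (added example, not the article's code).

Assumption: the archive holds a top-level manifest.json containing a JSON list
with "Config", "RepoTags" and "Layers" keys, where each Layers entry is the
path of a per-layer tar inside the archive. The sample image is constructed
below so the script runs without Docker.
"""
import io
import json
import os
import stat
import tarfile
import tempfile

WHITEOUT_PREFIX = ".wh."  # overlay convention: marks a file deleted in this layer


def _add_file(tar, name, data, mode):
    """Add an in-memory regular file to an open tar."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode
    tar.addfile(info, io.BytesIO(data))


def _layer_bytes(files):
    """Build one layer tar in memory from {path: (bytes, mode)}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, (data, mode) in files.items():
            _add_file(tar, name, data, mode)
    return buf.getvalue()


def build_sample_image(path):
    """Write a constructed two-layer image archive (sample data, not a real image)."""
    layers = [
        ("aaaa/layer.tar", {
            "bin/busybox": (b"\x7fELF...", 0o755),
            "usr/bin/suid-tool": (b"\x7fELF...", 0o4755),  # setuid bit set
            "etc/motd": (b"welcome\n", 0o644),
        }),
        ("bbbb/layer.tar", {
            "etc/.wh.motd": (b"", 0o644),  # whiteout: deletes etc/motd from layer 1
            "etc/passwd": (b"root:x:0:0::/:/bin/sh\n", 0o644),
        }),
    ]
    manifest = [{"Config": "cfg.json", "RepoTags": ["suspect-image:latest"],
                 "Layers": [name for name, _ in layers]}]
    with tarfile.open(path, "w") as tar:
        _add_file(tar, "manifest.json", json.dumps(manifest).encode(), 0o644)
        _add_file(tar, "cfg.json", b"{}", 0o644)
        for name, files in layers:
            _add_file(tar, name, _layer_bytes(files), 0o644)


def inspect_saved_image(path):
    """Return tags, per-layer file lists, and setuid/setgid and whiteout findings."""
    report = {"tags": [], "layers": []}
    with tarfile.open(path, "r") as tar:
        manifest = json.load(tar.extractfile("manifest.json"))
        for entry in manifest:
            report["tags"].extend(entry.get("RepoTags") or [])
            for layer_name in entry["Layers"]:
                # Read the nested layer tar into memory and walk its members.
                raw = tar.extractfile(layer_name).read()
                files, suid, whiteouts = [], [], []
                with tarfile.open(fileobj=io.BytesIO(raw), mode="r") as layer:
                    for m in layer.getmembers():
                        files.append(m.name)
                        if os.path.basename(m.name).startswith(WHITEOUT_PREFIX):
                            whiteouts.append(m.name)
                        elif m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID):
                            suid.append(m.name)
                report["layers"].append({"name": layer_name, "files": files,
                                         "setuid_or_setgid": suid,
                                         "whiteouts": whiteouts})
    return report


def demo():
    """Build the constructed archive, inspect it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "suspect-image.tar")
        build_sample_image(archive)
        return inspect_saved_image(archive)


if __name__ == "__main__":
    for layer in demo()["layers"]:
        print(layer["name"], "files:", len(layer["files"]),
              "setuid/setgid:", layer["setuid_or_setgid"],
              "whiteouts:", layer["whiteouts"])
```

To run it against a real archive, call inspect_saved_image("suspect-image.tar") on the file produced by docker image save. Walking the layers individually rather than a flattened export is what makes the whiteout check possible: a file that one layer adds and a later layer deletes is invisible in docker export output but is still shipped inside the image.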
