如何在 docker 集线器中检查 docker 图像?
How to inspect a docker image in docker hub?
有没有办法对存在于 docker 集线器上且未在本地提取的图像执行 docker inspect?
当谈到 docker 集线器时,我对 docker cli 的用法有点困惑。我可以 docker login,但不能使用该登录名执行除拉取或推送之外的任何远程操作。
根据 docker 集线器文档 -
Docker itself provides access to Docker Hub services via the docker
search, pull, login, and push commands.
看起来你无法在不拉取一张图像的情况下进行 docker 检查
有一个 API 可以做到这一点。 Docker 提供了他们的 registry 2 API, and more recently, the OCI distribution-spec was released. This covers how to query the registry for the manifest and blobs. And in the registry, what you are most likely looking for is in the config blob,它是 json 格式的并且几乎具有您在 docker inspect.
中看到的所有相同字段
较少涉及的是身份验证,这可能会变得有点复杂,具体取决于注册表。 Docker Hub 使用不记名令牌,因此拉取清单的示例脚本然后使用匿名不记名令牌的配置如下所示:
#!/bin/sh
ref="${1:-library/ubuntu:latest}"
repo="${ref%:*}"
tag="${ref##*:}"
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull"
\
| jq -r '.token')
digest=$(curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}" \
| jq -r .config.digest)
curl -H "Accept: application/vnd.docker.container.image.v1+json" \
-H "Authorization: Bearer $token" \
-s -L "https://registry-1.docker.io/v2/${repo}/blobs/${digest}" | jq .
有多种工具可以为您完成所有这些 API 调用。我的头顶是:
- RedHat 的 Skopeo
- go-containerregistry 的 crane CLI
- regclient 的 regctl CLI
作为 regclient 的作者,我有点偏见。结果命令看起来像:
$ regctl image inspect localhost:5000/library/alpine:latest
{
"created": "2021-08-27T17:19:45.758611523Z",
"architecture": "amd64",
"os": "linux",
"config": {
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
]
},
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:e2eb06d8af8218cfec8210147357a68b7e13f7c485b991c288c2d01dc228bb68"
]
},
"history": [
{
"created": "2021-08-27T17:19:45.553092363Z",
"created_by": "/bin/sh -c #(nop) ADD file:aad4290d27580cc1a094ffaf98c3ca2fc5d699fe695dfb8e6e9fac20f1129450 in / "
},
{
"created": "2021-08-27T17:19:45.758611523Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
]
}
有没有办法对存在于 docker 集线器上且未在本地提取的图像执行 docker inspect?
当谈到 docker 集线器时,我对 docker cli 的用法有点困惑。我可以 docker login,但不能使用该登录名执行除拉取或推送之外的任何远程操作。
根据 docker 集线器文档 -
Docker itself provides access to Docker Hub services via the docker search, pull, login, and push commands.
看起来你无法在不拉取一张图像的情况下进行 docker 检查
有一个 API 可以做到这一点。 Docker 提供了他们的 registry 2 API, and more recently, the OCI distribution-spec was released. This covers how to query the registry for the manifest and blobs. And in the registry, what you are most likely looking for is in the config blob,它是 json 格式的并且几乎具有您在 docker inspect.
较少涉及的是身份验证,这可能会变得有点复杂,具体取决于注册表。 Docker Hub 使用不记名令牌,因此拉取清单的示例脚本然后使用匿名不记名令牌的配置如下所示:
#!/bin/sh
ref="${1:-library/ubuntu:latest}"
repo="${ref%:*}"
tag="${ref##*:}"
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull"
\
| jq -r '.token')
digest=$(curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}" \
| jq -r .config.digest)
curl -H "Accept: application/vnd.docker.container.image.v1+json" \
-H "Authorization: Bearer $token" \
-s -L "https://registry-1.docker.io/v2/${repo}/blobs/${digest}" | jq .
有多种工具可以为您完成所有这些 API 调用。我的头顶是:
- RedHat 的 Skopeo
- go-containerregistry 的 crane CLI
- regclient 的 regctl CLI
作为 regclient 的作者,我有点偏见。结果命令看起来像:
$ regctl image inspect localhost:5000/library/alpine:latest
{
"created": "2021-08-27T17:19:45.758611523Z",
"architecture": "amd64",
"os": "linux",
"config": {
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
]
},
"rootfs": {
"type": "layers",
"diff_ids": [
"sha256:e2eb06d8af8218cfec8210147357a68b7e13f7c485b991c288c2d01dc228bb68"
]
},
"history": [
{
"created": "2021-08-27T17:19:45.553092363Z",
"created_by": "/bin/sh -c #(nop) ADD file:aad4290d27580cc1a094ffaf98c3ca2fc5d699fe695dfb8e6e9fac20f1129450 in / "
},
{
"created": "2021-08-27T17:19:45.758611523Z",
"created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
"empty_layer": true
}
]
}