获取远程 docker 图片的标签
Get labels of remote docker image
我试图在不拉取图像的情况下获取图像的标签。
例如:在 docker-hub 中,在我的用户名 (stavalfi) 中,在 repo 中:projecty: https://hub.docker.com/v2/repositories/stavalfi/projecty/tags
我想获取这张图片的所有标签。
遵循本指南:https://hackernoon.com/inspecting-docker-images-without-pulling-them-4de53d34a604
还有这个:https://docs.docker.com/registry/spec/api/#pulling-a-layer
我试图到达:http://$REGISTRY_ADDRESS/v2/$image/blobs/$digest:
但结果是 404。
有什么问题?
我无法使用 skopeo,因为它无法使用 HTTP 连接检查注册表(不安全)。
这对我有用,你可以试试这个
curl 'https://registry.hub.docker.com/v2/repositories/< username>/<repo>/tags/'|jq '."results"[]["name"]'
关于 blob,需要生成令牌然后将此令牌用于 blob
export TOKEN=\
"$(curl \
--silent \
--header 'GET' \
"https://auth.docker.io/token?
service=registry.docker.io&scope=repository:<username>/<repo>:pull,push" \
| jq -r '.token' \
)"
现在获取镜像清单
curl \
--silent \
--request 'GET' \
--header "Authorization: Bearer ${TOKEN}" \
'https://registry-1.docker.io/v2/<username>/<repo>/manifests/<latest>' \
| jq '.'
现在获取该图像的 blob
curl \
--silent \
--request 'GET' \
--header "Authorization: Bearer ${TOKEN}" \
"https://registry-1.docker.io/v2/<username>/<repo>/manifests/19" \
| jq -r '.fsLayers[].blobSum'
上面的命令给出了可用于获取图像的摘要列表
设置以下变量
DIGEST=<SHA:somevalue>
curl \
--silent \
--location \
--request GET \
--header "Authorization: Bearer ${TOKEN}" \
"https://registry-1.docker.io/v2/<username>/<repo>/blobs/${DIGEST}" >
"${DIGEST/*:/}.gz"
您可以在 docker 清单的第一层找到标签:
$ repo=stavalfi/k8test-monitoring
$ token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
$ curl -s -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/manifests/latest" \
| jq ".history[0].v1Compatibility" -r | jq .config.Labels
{
"latest-hash": "dc971f310bd0b172fd0379cc9a1810f209c9a9604a28da14cef36457",
"latest-tag": "1.3.4"
}
更新:v2 注册表 API 更干净一些,但还需要一个 curl:
$ repo=stavalfi/k8test-monitoring
$ token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
$ digest=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/manifests/latest" \
| jq .config.digest -r)
$ curl -s -L -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/blobs/$digest" \
| jq .config.Labels
{
"latest-hash": "dc971f310bd0b172fd0379cc9a1810f209c9a9604a28da14cef36457",
"latest-tag": "1.3.4"
}
对于更通用的用例,这里有一个脚本,用于在 docker 集线器上提取任何 public 图像的配置,而无需下载完整图像:
#!/bin/sh
repo=${1:-library/ubuntu}
tag=${2:-latest}
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
digest=$(curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}" | jq -r .config.digest)
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s -L "https://registry-1.docker.io/v2/${repo}/blobs/${digest}" | jq .
只需确保为官方图片添加“库”前缀即可:
$ ./get-config-v2.sh library/alpine 3.9
{
"architecture": "amd64",
"config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
],
"ArgsEscaped": true,
"Image": "sha256:186eda4636e895d982896312666e472a2d62aab1490608701e1b3438ac6649e7",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
....
自首次发布此答案以来,我还创建了 regclient,其中包含命令 regctl。这可以处理身份验证,允许您在没有 TLS 或自签名证书的情况下配置注册表,解析多平台图像,并包括对 Go 模板的支持以提取您想要的特定字段:
$ regctl image config regclient/regsync:latest --format '{{ jsonPretty .Config.Labels }}'
{
"maintainer": "",
"org.opencontainers.image.authors": "Regclient contributors",
"org.opencontainers.image.created": "2021-04-02T18:55:09Z",
"org.opencontainers.image.description": "",
"org.opencontainers.image.documentation": "https://github.com/regclient/regclient",
"org.opencontainers.image.licenses": "Apache 2.0",
"org.opencontainers.image.revision": "5a6a1d95524b9c1c2d38a5af7ab744742f8d55e9",
"org.opencontainers.image.source": "git://github.com/regclient/regclient.git",
"org.opencontainers.image.title": "regsync",
"org.opencontainers.image.url": "https://github.com/regclient/regclient",
"org.opencontainers.image.vendor": "",
"org.opencontainers.image.version": "v0.3.0"
}
我试图在不拉取图像的情况下获取图像的标签。
例如:在 docker-hub 中,在我的用户名 (stavalfi) 中,在 repo 中:projecty: https://hub.docker.com/v2/repositories/stavalfi/projecty/tags
我想获取这张图片的所有标签。
遵循本指南:https://hackernoon.com/inspecting-docker-images-without-pulling-them-4de53d34a604
还有这个:https://docs.docker.com/registry/spec/api/#pulling-a-layer
我试图到达:http://$REGISTRY_ADDRESS/v2/$image/blobs/$digest:
但结果是 404。
有什么问题?
我无法使用 skopeo,因为它无法使用 HTTP 连接检查注册表(不安全)。
这对我有用,你可以试试这个
curl 'https://registry.hub.docker.com/v2/repositories/< username>/<repo>/tags/'|jq '."results"[]["name"]'
关于 blob,需要生成令牌然后将此令牌用于 blob
export TOKEN=\
"$(curl \
--silent \
--header 'GET' \
"https://auth.docker.io/token?
service=registry.docker.io&scope=repository:<username>/<repo>:pull,push" \
| jq -r '.token' \
)"
现在获取镜像清单
curl \
--silent \
--request 'GET' \
--header "Authorization: Bearer ${TOKEN}" \
'https://registry-1.docker.io/v2/<username>/<repo>/manifests/<latest>' \
| jq '.'
现在获取该图像的 blob
curl \
--silent \
--request 'GET' \
--header "Authorization: Bearer ${TOKEN}" \
"https://registry-1.docker.io/v2/<username>/<repo>/manifests/19" \
| jq -r '.fsLayers[].blobSum'
上面的命令给出了可用于获取图像的摘要列表
设置以下变量
DIGEST=<SHA:somevalue>
curl \
--silent \
--location \
--request GET \
--header "Authorization: Bearer ${TOKEN}" \
"https://registry-1.docker.io/v2/<username>/<repo>/blobs/${DIGEST}" >
"${DIGEST/*:/}.gz"
您可以在 docker 清单的第一层找到标签:
$ repo=stavalfi/k8test-monitoring
$ token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
$ curl -s -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/manifests/latest" \
| jq ".history[0].v1Compatibility" -r | jq .config.Labels
{
"latest-hash": "dc971f310bd0b172fd0379cc9a1810f209c9a9604a28da14cef36457",
"latest-tag": "1.3.4"
}
更新:v2 注册表 API 更干净一些,但还需要一个 curl:
$ repo=stavalfi/k8test-monitoring
$ token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
$ digest=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/manifests/latest" \
| jq .config.digest -r)
$ curl -s -L -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/blobs/$digest" \
| jq .config.Labels
{
"latest-hash": "dc971f310bd0b172fd0379cc9a1810f209c9a9604a28da14cef36457",
"latest-tag": "1.3.4"
}
对于更通用的用例,这里有一个脚本,用于在 docker 集线器上提取任何 public 图像的配置,而无需下载完整图像:
#!/bin/sh
repo=${1:-library/ubuntu}
tag=${2:-latest}
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
digest=$(curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}" | jq -r .config.digest)
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s -L "https://registry-1.docker.io/v2/${repo}/blobs/${digest}" | jq .
只需确保为官方图片添加“库”前缀即可:
$ ./get-config-v2.sh library/alpine 3.9
{
"architecture": "amd64",
"config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
],
"ArgsEscaped": true,
"Image": "sha256:186eda4636e895d982896312666e472a2d62aab1490608701e1b3438ac6649e7",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
....
自首次发布此答案以来,我还创建了 regclient,其中包含命令 regctl。这可以处理身份验证,允许您在没有 TLS 或自签名证书的情况下配置注册表,解析多平台图像,并包括对 Go 模板的支持以提取您想要的特定字段:
$ regctl image config regclient/regsync:latest --format '{{ jsonPretty .Config.Labels }}'
{
"maintainer": "",
"org.opencontainers.image.authors": "Regclient contributors",
"org.opencontainers.image.created": "2021-04-02T18:55:09Z",
"org.opencontainers.image.description": "",
"org.opencontainers.image.documentation": "https://github.com/regclient/regclient",
"org.opencontainers.image.licenses": "Apache 2.0",
"org.opencontainers.image.revision": "5a6a1d95524b9c1c2d38a5af7ab744742f8d55e9",
"org.opencontainers.image.source": "git://github.com/regclient/regclient.git",
"org.opencontainers.image.title": "regsync",
"org.opencontainers.image.url": "https://github.com/regclient/regclient",
"org.opencontainers.image.vendor": "",
"org.opencontainers.image.version": "v0.3.0"
}