795

I did a docker pull and can list the image that's downloaded. I want to see the contents of this image. Did a search on the net but no straight answer.

Dharman
pylearn
  • 4
    Possible duplicate of [Exploring Docker container's file system](https://stackoverflow.com/questions/20813486/exploring-docker-containers-file-system) – Vadzim Nov 04 '18 at 23:36
  • 69
    Not a dupe. Viewing the container and the image are not the same thing. You may want to view the initial filesystem or even validate that there is nothing malicious inside the image before it gets a chance to run. – Keilaron Feb 26 '19 at 18:05
  • 6
    If you could not run the image as a container, you can use a tool like dive (https://github.com/wagoodman/dive) or you can use docker save to export the image as a tar file. Then you can explore the tar or with dive you can asap explore the image. – Huluvu424242 Mar 13 '19 at 22:57
  • 1
    Not a dupe but you can find the answer here: https://stackoverflow.com/a/40324326/5641227 – Khalil Gharbaoui Oct 06 '19 at 09:33

15 Answers

956

If the image contains a shell, you can run an interactive shell container using that image and explore whatever content that image has. If sh is not available, the busybox ash shell might be.

For instance:

docker run -it image_name sh

Or the following, for images with an entrypoint:

docker run -it --entrypoint sh image_name

Or if you want to see how the image was built, meaning the steps in its Dockerfile, you can:

docker image history --no-trunc image_name > image_history

The steps will be logged into the image_history file.

Thorbjørn Ravn Andersen
Ayman Nedjmeddine
  • 1
    Thanks. First one is what I am looking for. Basically explore the folders. – pylearn Jun 27 '17 at 03:14
  • 92
    I'm trying to see the contents of an image that is created using "FROM scratch" and there is no shell available. Is there any other way to see the contents? The image I'm trying to see is portainer/portainer. – Juan Hernandez Nov 30 '17 at 10:21
  • 8
    Is it possible that someone see the contents of the image without spawning a container? Or can we assume that it is safe from all unless they have rights to spawn a container from it? – Shabirmean Dec 30 '17 at 21:03
  • 4
    combining what's told before "for a windows container with entrypoint": `docker run -it --entrypoint cmd ` will work. – Beytan Kurt Nov 01 '18 at 15:41
  • 4
    @JuanHernandez, yes, you can dump the full contents of the image as indicated in https://stackoverflow.com/a/42677219/320594. – Jaime Hablutzel Nov 24 '18 at 22:35
  • 1
    Can I double like this? – eco Jan 23 '20 at 00:55
  • 17
    This answer is not good because it depends on having a shell inside the image, which is not always the case. The `docker create` answer is the best one for the question if you're not interested in the examination of each image layer independently. – Telegrapher May 22 '20 at 00:12
  • Hi after `docker run it xxx` I'm able to get an interactive shell, just wondering what's the command to print out all the folder/contents in this image? – wawawa Feb 02 '21 at 09:19
  • @JuanHernandez the "scratch" image in docker is empty, it is meant to start a new image from nothing. – Nicolas Feb 15 '21 at 16:45
  • 3
    The first two solutions do not work with images that do not have a shell. The exact reason why I want to list image contents is that I can't find a shell executable in the image... – SOFe Feb 17 '21 at 03:26
493

You should not start a container just to see the image contents. For instance, you might want to look for malicious content, not run it. Use "create" instead of "run";

docker create --name="tmp_$$" image:tag
docker export tmp_$$ | tar t
docker rm tmp_$$
Iulian Onofrei
lgekman
  • 59
    The 2nd line above just lists the file-system content. If you want to get all the files as a tar you can replace it with something like `docker export tmp_$$ > image-fs.tar`. – Pino Jul 05 '19 at 10:29
  • 3
    What will be the 2nd line for Windows OS? The `docker export tmp_$$ | tar t` will not work. – Nairum Aug 29 '19 at 10:38
  • @Alexei Marinichenko `tar` might not be installed on your machine. Try `tar --help` for checking it. – Abdurrahman I. Sep 03 '19 at 07:44
  • 12
    This also works if there is no shell in the container – Peter Dotchev Oct 08 '19 at 13:33
  • 10
    @AlexeiMarinichenko you can use the `-o` parameter to specify the file to write to. E.g. `docker export -o c:\temp\tmp_$$.tar tmp_$$`. – John Mills Oct 16 '19 at 21:27
  • Still it will not work (on Windows containers): "the daemon on this operating system does not support exporting Windows containers" `docker save -o image.tar` does work however. – Michel de Ruiter Jan 29 '20 at 12:45
  • This solution works better than `docker export` or `docker save` when there is no interest in examining every layer of the image independently. This is the correct answer to the OP question. – Telegrapher May 22 '20 at 00:08
  • 6
    The docker create command errors for me with a `No command specified`. Putting a dummy command like `ls` at the end (even if the command would fail if the container were started) seems to work. `docker create --name="tmp_$$" image:tag ls` – pabo Sep 02 '20 at 17:10
  • 1
    You don't need to assign a name for the created container. `docker create` will generate and output container id to stdout and this can be used as argument to `docker export` and `docker rm`. – Mike Jan 26 '21 at 19:04
  • Hi, `docker export tmp_$$ > image-fs.tar` after this command, has this tar file been exported on my local machine? Or do I need an extra command to download it to my local machine so that I can browse? – wawawa Feb 02 '21 at 09:25
  • 1
    I confirm this is the best working solution. It gives you all the files inside the container without running it!! – hzitoun Dec 06 '21 at 15:28
  • 1
    I just see half a dozen "layer.tar" files (docker 20.10, API 1.41). The command only goes down one level. – MSalters Apr 29 '22 at 09:52
395

The accepted answer here is problematic, because there is no guarantee that an image will have any sort of interactive shell. For example, the drone/drone image contains only a single command /drone, and it has an ENTRYPOINT as well, so this will fail:

$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        

And this will fail:

$ docker run --rm -it --entrypoint sh drone/drone
docker: Error response from daemon: oci runtime error: container_linux.go:247: starting container process caused "exec: \"sh\": executable file not found in $PATH".

This is not an uncommon configuration; many minimal images contain only the binaries necessary to support the target service. Fortunately, there are mechanisms for exploring an image filesystem that do not depend on the contents of the image. The easiest is probably the docker export command, which will export a container filesystem as a tar archive. So, start a container (it does not matter if it fails or not):

$ docker run -it drone/drone sh
FATA[0000] DRONE_HOST is not properly configured        

Then use docker export to export the filesystem to tar:

$ docker export $(docker ps -lq) | tar tf -

The docker ps -lq there means "give me the id of the most recent docker container". You could replace that with an explicit container name or id.

Antimony
larsks
  • 27
    You can also use the out parameter as in `docker export $(docker ps -lq) -o foo.tar` – Liam Dec 07 '20 at 12:56
  • 5
    If you are like me, wondering what the `-` means in `tar tf -` : it's to tell tar that the "file" (*f flag*) to read is `stdin` – jumping_monkey Jan 05 '22 at 00:32
  • 3
    This should be the accepted answer. Although it should lead with the proper command. – Capi Etheriel May 05 '22 at 20:10
  • This works on a container, not an image. Trivially fixed: `docker image save $IMAGE | tar -tf -`. The logic is the same: Docker needs to combine layers, higher-level layers can overwrite files from lower layers. – MSalters Aug 09 '22 at 12:00
224
docker save nginx > nginx.tar
tar -xvf nginx.tar

The following files are present:

  • manifest.json – Describes filesystem layers and name of json file that has the Container properties.
  • .json – Container properties
  • – Each “layerid” directory contains json file describing layer property and filesystem associated with that layer. Docker stores Container images as layers to optimize storage space by reusing layers across images.

https://sreeninet.wordpress.com/2016/06/11/looking-inside-container-images/

OR

You can use dive to view the image content interactively with a TUI.


https://github.com/wagoodman/dive

Andy Wong
  • 27
    This seems like the most useful answer to me, as you don't have to start a container to get the files. – Alec Thomas Feb 27 '19 at 00:14
  • 5
    Absolutely agree @AlecThomas - and to take it a step further, why do I even need `docker` just to see the contents of what is, essentially, just a different type of archive file. – Ed Randall Mar 17 '19 at 10:54
  • 11
    good answer, I would also specify the tag: `docker save --output nginx.tar nginx:latest`, otherwise, according to the doc, it will contain "all parent layers, and all tags + versions" – Tarek Jul 16 '19 at 17:33
  • 3
    This should be upvoted as this is probably the only way to explore internals if you don't have any of Unix utils inside. Also this way doesn't require the creation of a container. – Stanislav German-Evtushenko Jul 19 '19 at 09:08
  • how did I survive without this tool in the last 5 years ? – nils petersohn Sep 03 '21 at 09:51
  • is it possible to see the content? like the script in the docker using Dive? – Amzar Sep 04 '22 at 03:24
  • `is it possible to see the content? like the script in the docker using Dive?` Not yet, see related feature request https://github.com/wagoodman/dive/issues/224 – Guillaume Berche Nov 15 '22 at 16:39
  • I only see lots of layers.tar file not the actual content – mukesh.kumar May 23 '23 at 10:03
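
Added example (not part of any answer above, and not Docker's own code): several comments note that a `docker save` archive shows only `layer.tar` files. This Python example reads such an archive without extracting it or creating a container, applies the layers in `manifest.json` order with the `.wh.` whiteout convention, and returns the merged file list plus any setuid/setgid files. The sample archive and the names `make_tar`, `merged_listing` and `setid_files` are constructed for illustration.

```python
import io, json, posixpath, stat, tarfile

def make_tar(entries):  # build an in-memory tar from (name, mode, data) tuples
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, mode, data in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def merged_listing(archive):
    """Map path -> TarInfo for the final filesystem of the first image in a `docker save` tar."""
    files = {}
    with tarfile.open(fileobj=archive, mode="r:*") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:  # base layer first
            with tarfile.open(fileobj=outer.extractfile(layer_name), mode="r:*") as layer:
                members = [(posixpath.normpath(m.name).lstrip("/"), m) for m in layer]
            for path, _ in members:  # pass 1: whiteouts remove lower-layer paths only
                parent, base = posixpath.split(path)
                if base == ".wh..wh..opq":  # opaque directory: hide all lower children
                    gone = f"{parent}/" if parent else ""
                elif base.startswith(".wh."):  # one deleted path and its subtree
                    gone = posixpath.join(parent, base[4:]) + "/"
                    files.pop(gone[:-1], None)
                else:
                    continue
                for p in [p for p in files if p.startswith(gone)]:
                    del files[p]
            for path, m in members:  # pass 2: entries this layer adds or replaces
                if path != "." and not posixpath.basename(path).startswith(".wh."):
                    files[path] = m
    return files

def setid_files(files):
    """Regular files carrying the setuid or setgid bit."""
    return sorted(p for p, m in files.items() if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID))

# Constructed two-layer image: the top layer deletes etc/secret and adds a setuid binary.
base = make_tar([("etc/passwd", 0o644, b"root:x:0:0::/:/bin/sh\n"), ("etc/secret", 0o600, b"k")])
top = make_tar([("etc/.wh.secret", 0o644, b""), ("usr/bin/helper", 0o4755, b"\x7fELF")])
manifest = json.dumps([{"Config": "cfg.json", "RepoTags": ["demo:1"], "Layers": ["a/layer.tar", "b/layer.tar"]}]).encode()
SAMPLE = make_tar([("manifest.json", 0o644, manifest),
                   ("a/layer.tar", 0o644, base), ("b/layer.tar", 0o644, top)])

if __name__ == "__main__":
    fs = merged_listing(io.BytesIO(SAMPLE))
    print(sorted(fs), setid_files(fs))
```

For a real archive such as the `nginx.tar` produced above, pass the file opened in binary mode: `merged_listing(open("nginx.tar", "rb"))`.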
40

EXPLORING DOCKER IMAGE!

  1. Figure out what kind of shell is in there bash or sh...

Inspect the image first: docker inspect name-of-container-or-image

Look for entrypoint or cmd in the JSON return.

  2. Then do: docker run --rm -it --entrypoint=/bin/bash name-of-image

once inside do: ls -lsa or any other shell command like: cd ..

The -it stands for interactive... and TTY. The --rm stands for remove container after run.

If there are no common tools like ls or bash present and you have access to the Dockerfile, simply add the common tool as a layer.
example (alpine Linux):

RUN apk add --no-cache bash

And when you don't have access to the Dockerfile then just copy/extract the files from a newly created container and look through them:

docker create <image>  # returns the container ID; the container is never started
docker cp <container ID>:<source_path> <destination_path>
docker rm <container ID>
cd <destination_path> && ls -lsah

Khalil Gharbaoui
  • 11
    The problem with this answer is that, as discussed in the accepted answer, there's no guarantee that your image has *any* shell in it. Or `ls`. Or really any common tools at all. – larsks Jan 07 '20 at 17:31
  • 1
    Yes, this assumes common tools are in there. You could of course always add a shell if you are allowed to. I'll add that layer to the answer and explain how to extract the files otherwise. – Khalil Gharbaoui Nov 05 '20 at 00:57
  • docker cp : what do you mean by source path? as the assumption here is that we haven't run the container and do not know its full contents. – Jason Nov 09 '22 at 10:32
16

To list the detailed content of an image you have to run docker run --rm image/name ls -alR where --rm means remove the container as soon as it exits.


Serge V.
14

If you want to list the files in an image without starting a container :

docker create --name listfiles <image name>
docker export listfiles | tar -t
docker rm listfiles
dieter
9

I tried this tool - https://github.com/wagoodman/dive I found it quite helpful to explore the content of the docker image.


sarawgeek
2

If you want to check the image contents without running it you can do this:

$ sudo bash
...
$ cd /var/lib/docker  # default path in most installations
$ find . -iname a_file_inside_the_image.ext
... (will find the base path here)

This works fine with the current default BTRFS storage driver.

eadmaster
2

Oneliner, no docker run (based on responses above)

IMAGE=your_image; docker create --name filelist "$IMAGE" command && docker export filelist | tar tf - | tree --fromfile . && docker rm filelist

Same, but report tree structure to result.txt

IMAGE=your_image; docker create --name filelist "$IMAGE" command && docker export filelist | tar tf - | tree --noreport --fromfile . | tee result.txt && docker rm filelist
1

We can try a simpler one as follows:

docker image inspect image_id

This worked in Docker version:

"DockerVersion": "18.05.0-ce"
Pang
1

There is a free open source tool called Anchore-CLI that you can use to scan container images. This command will allow you to list all files in a container image

anchore-cli image content myrepo/app:latest files

https://anchore.com/opensource/

EDIT: not available from anchore.com anymore. It's a Python program you can install from https://github.com/anchore/anchore-cli

Franklin Piat
1

Perhaps this is not a very straightforward approach, but this one worked for me. I had an ECR Repo (Amazon Container Service Repository) whose code I wanted to see.

  1. First we need to save the repo you want to access as a tar file. In my case the command went like - docker save .dkr.ecr.us-east-1.amazonaws.com/<name_of_repo>:image-tag > saved-repo.tar
  2. UNTAR the file using the command - tar -xvf saved-repo.tar. You could see many folders and files.
  3. Now try to find the file which contains the code you are looking for (if you know some part of the code). Command for searching the file - grep -iRl "string you want to search" ./

This will make you reach the file. It can happen that even that file is tarred, so untar it using the command mentioned in step 2.

If you don't know the code you are searching for, you will need to go through all the files that you got after step 2, and this can be a bit tiring.

All the Best !

kartik
  • When I try to do this, I get the following error: Error response from daemon: mkdir /var/lib/docker/tmp/docker-export-385434031: read-only file system. Is that complaining about my local file system, or something about the image I've just pulled from ECR? – David Keaveny May 27 '22 at 06:46
1

You can just run the following code to see the content of docker image:

docker exec -it <image_id> sh
amir tbi
-3

With Docker EE for Windows (17.06.2-ee-6 on Hyper-V Server 2016) all contents of Windows Containers can be examined at C:\ProgramData\docker\windowsfilter\ path of the host OS.

No special mounting needed.

Folder prefix can be found by container id from docker ps -a output.

Vadzim