6

Sometimes running the docker image fails so ssh’ing into the container is not an option. in that cases how do we see the content inside container?

There is a existing question but mistakenly marked as duplicate. how to browse docker image without running it?

NOTE: To stupid Moderators with stupid EGO, Please read the question PROPERLY before making judgement about closing the problem. Don't think you know better than others.

Mahes
  • 3,938
  • 1
  • 34
  • 39
  • The duplicate target of the question you cited has a couple of examples that don't involve running the container (`docker export` trying to examine the `/var/lib/docker` content directly). Mostly, though, you do need to actually run the image in some form to look around. – David Maze Feb 10 '21 at 18:19
  • 4
    Also consider `docker run --rm -it imagename bash` to get a temporary container, running an interactive shell instead of the default image `CMD`. This will let you explore things, and also try just running what the standard command should have been and see how it fails. – David Maze Feb 10 '21 at 18:20
  • 1. I correctly stated that the question stated as duplicate is not a duplicate. – Mahes Mar 04 '21 at 16:32
  • 2. the intention of this question IS TO EXAMINE WITHOUT RUNNING THE DOCKER CONTAINER – Mahes Mar 04 '21 at 16:33

1 Answers1

1

Answering my own question.

you can add something like to override the entry point in the Dockerfile and run ls or cat command to see inside.

ENTRYPOINT ls /etc/fluentd
Mahes
  • 3,938
  • 1
  • 34
  • 39
  • 4
    You can also `docker run --rm --entrypoint ls imagename /etc/fluentd` without modifying the Dockerfile. This is kind of awkward, and you might update the Dockerfile to use `CMD` instead of `ENTRYPOINT`; then you could `docker run --rm imagename ls /etc/fluentd`. – David Maze Feb 10 '21 at 18:17
  • How is this "not running the container"? You're setting up all the namespaces -- the filesystem namespace, the user namespace, the PID namespace -- and invoking a process inside it. That's running the container. In particular, if the container contains a compromised `ls` executable, you just invoked that executable. (Even worse, if it contains a compromised `/bin/sh` executable, you just ran _that_, because this is really running `sh -c 'ls /etc/fluentd'` in the container). – Charles Duffy Mar 07 '23 at 18:37
  • Whereas the `docker export` answer in the linked duplicate **really is** operating without running the container at all, and -- unlike the answer here -- works even if the container doesn't have `sh` or `ls` executables inside it. So that duplicate genuinely does have a legitimate answer to your question as you asked it, whereas the answer you added yourself doesn't meet your own specification. – Charles Duffy Mar 07 '23 at 18:40