
Project idea: a Google for docker images.

Search for files by hash within all public docker images.

Find images that contain a certain piece of code.

Reverse engineering Dockerfiles for those that were built without.



The latter can be easily done in a few hours by inspecting the image layer metadata.

Every layer understands the command it was run in the Dockerfile to create itself. Just look at `docker history` and have a look at the "CREATED BY" field for human-readable output of the layer metadata, or depending on your graph driver have a look in /var/lib/docker/image/overlay2/imagedb/content/sha256. From there you can reverse-engineer a Dockerfile.

For layers that were not built using `docker build` (e.g. `docker commit`, OCI-compatible image builders), re-creating the exact command that generated that layer is much harder to do. The only information most tools will give you might just be the diff itself.
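The reconstruction described in the comment above, as an added example that is not part of the thread: it reads the `history` array of an image config, strips the classic builder's `/bin/sh -c #(nop)` and `/bin/sh -c` prefixes, and pairs each layer-producing entry with its `rootfs.diff_ids` digest. The sample config, its digests and the function names are constructed for illustration; `created_by` is text written by the build tool, so the only check made here is that the layer count in the history matches the rootfs.

```python
# Constructed sample shaped like the image config JSON stored under
# imagedb/content/sha256; digests and commands are placeholders.
SAMPLE_CONFIG = {
    "rootfs": {"type": "layers",
               "diff_ids": ["sha256:aaaa", "sha256:bbbb", "sha256:cccc"]},
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:0123 in / "},
        {"created_by": "/bin/sh -c #(nop)  ENV APP_HOME=/srv/app", "empty_layer": True},
        {"created_by": "/bin/sh -c apt-get update && apt-get install -y curl"},
        {"created_by": '/bin/sh -c #(nop)  CMD ["/srv/app/run"]', "empty_layer": True},
        {"comment": "manual change"},  # no created_by, as after `docker commit`
    ],
}

NOP = "/bin/sh -c #(nop)"   # classic builder marker for metadata-only instructions
SHELL = "/bin/sh -c "       # classic builder prefix for RUN steps


def instruction(created_by):
    """Turn one created_by string into a Dockerfile-style line, or None if absent."""
    text = (created_by or "").strip()
    if not text:
        return None
    if text.startswith(NOP):
        return text[len(NOP):].strip()
    if text.startswith(SHELL):
        return "RUN " + text[len(SHELL):].strip()
    return "# unrecognised created_by: " + text


def reconstruct(config):
    """Return ([(line, layer_diff_id_or_None)], consistent) for an image config."""
    diff_ids = config.get("rootfs", {}).get("diff_ids", [])
    lines, used = [], 0
    for entry in config.get("history", []):
        layer = None
        if not entry.get("empty_layer", False):
            # Layer-producing entries map to diff_ids in order.
            layer = diff_ids[used] if used < len(diff_ids) else "MISSING"
            used += 1
        line = instruction(entry.get("created_by"))
        lines.append((line or "# no created_by recorded; inspect the layer diff", layer))
    # History is builder-written text; at minimum its layer count must match rootfs.
    return lines, used == len(diff_ids)


if __name__ == "__main__":
    lines, ok = reconstruct(SAMPLE_CONFIG)
    for line, layer in lines:
        print(f"{line:<55} {layer or '(no layer)'}")
    print("history/rootfs layer count consistent:", ok)
```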


> Every layer understands the command it was run in the Dockerfile to create itself

How reliable is this? Can it be modified after creation by a malicious party?

That is, if I get a wild docker image, can I trust the results of `docker history`?


Cool!

New project idea ... Crawl a large set of popular docker images lacking Dockerfiles and attempt to recreate the Dockerfile with this technique.


DockerSlim will reverse engineer / auto-generate a Dockerfile for you :)


A GitHub for Docker images might be the better analogy.

Docker the company could, I imagine, add deep search and browsing as enhancements to their existing Docker Hub.



