docker, dockerfile, docker-registry, container-image

Fetch single layer from image repository using docker or other tooling?


Our build creates temporary images which we store in the repository for caching purposes, as subsequent images rely on them.

The images are untagged afterwards. The layer ID I can get from the build log.

But as they might contain credentials in some layers (set in the Dockerfile via "ENV API_KEY=$API_KEY"), I just want to fetch these layers and make sure that nobody can extract the credentials.

Is there an easy way of doing so?


Solution

  • I am unsure if you are actually referencing the whole image ID or a single layer ID. Usually you should see the whole digest of the image as well. With the whole image digest you can do the following. Also, the final steps can be done for single layers if you don't know the specific layer of the configuration file.

    But in general, this depends on the manifest schema version. With schema version 1, you can see environment variables in the manifest. With schema version 2 it is a two-step process. The examples are based on the Docker Hub registry, but the same API applies elsewhere.

    In both cases, you need an authentication token first, which can be acquired:

    curl -sSL "https://auth.docker.io/token?service=registry.docker.io&scope=repository:<repository>:pull" > auth.json
    

    Then pull the manifest in the version 1 schema and get the history section, which contains the environment variables:

    curl --request GET -sLH "Authorization: Bearer `jq -r '.token' auth.json`" -H "Accept: application/vnd.docker.distribution.manifest.v1+json" "https://index.docker.io/v2/<repository>/manifests/latest" | jq ".history"
    

    The manifest v2 schema uses a different Accept header, is better supported these days and provides more information:

    curl --request GET -sLH "Authorization: Bearer `jq -r '.token' auth.json`" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" "https://index.docker.io/v2/<repository>/manifests/latest"
    

    In the response there is a config section:

    "config": {
          "mediaType": "application/vnd.docker.container.image.v1+json",
          "size": 5802,
          "digest": "sha256:2ff217b387d7bbc0ad3fb1cbb2cdae9f7e562f26065f847a1b69964fcb71108"
       }
    

    And finally download the whole blob:

    curl --request GET -LOH "Authorization: Bearer `jq -r '.token' auth.json`" "https://index.docker.io/v2/<repository>/blobs/sha256:2ff217b387d7bbc0ad3fb1cbb2cdae9f7e562f26065f847a1b69964fcb71108"
    

    See the contents of the whole configuration file, which contains the environment variables together with the history:

    jq . sha256:2ff217b387d7bbc0ad3fb1cbb2cdae9f7e562f26065f847a1b69964fcb71108
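The procedure in the answer, carried through as an added example (not code from the original post): a Python script that fetches the v2 manifest and the config blob it points at, verifies the blob against its content-addressed digest, and then scans both the `config.Env` list and the `history[].created_by` lines for variables that look like credentials. A Dockerfile `ENV` instruction leaves a trace in both places, and untagging an image does not remove the manifest: anyone with pull access can still fetch it by digest, which is exactly what this script does. The `SENSITIVE` name pattern, the sample config and v1 manifest embedded below, and the `audit_image` helper are my own assumptions; the registry endpoints mirror the ones used in the answer.

```python
import hashlib
import json
import re
import urllib.parse
import urllib.request

# Constructed sample of an image config blob (the JSON that the manifest's
# "config.digest" points at), trimmed to the fields that matter here.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {
        "Env": [
            "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
            "API_KEY=sk-example-not-a-real-key",
        ],
        "Cmd": ["/app/run"],
    },
    "history": [
        {"created_by": "/bin/sh -c #(nop) ADD file:abc in / "},
        {"created_by": "/bin/sh -c #(nop)  ENV API_KEY=sk-example-not-a-real-key", "empty_layer": True},
        {"created_by": "/bin/sh -c apk add --no-cache curl"},
    ],
}).encode()

# Constructed sample of a schema v1 manifest: the config is embedded as a
# JSON *string* inside every history[].v1Compatibility entry.
SAMPLE_V1_MANIFEST = {
    "schemaVersion": 1,
    "history": [
        {"v1Compatibility": json.dumps({"config": {"Env": ["API_KEY=sk-example-not-a-real-key"]}})},
        {"v1Compatibility": json.dumps({"config": {"Env": ["PATH=/bin"]}})},
    ],
}

# Assumed heuristic for variable names worth flagging; tune for your build.
SENSITIVE = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.I)

DOCKER_AUTH = "https://auth.docker.io/token"
DOCKER_REGISTRY = "https://index.docker.io"
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def find_env_leaks(config_blob: bytes) -> list:
    """Return (location, entry) pairs for suspicious ENV values in a v2 config blob.

    Both the final Env list and the per-layer build history are checked, because
    a value that was later overwritten still shows up in the history."""
    cfg = json.loads(config_blob)
    leaks = []
    for entry in (cfg.get("config") or {}).get("Env") or []:
        if SENSITIVE.search(entry.split("=", 1)[0]):
            leaks.append(("config.Env", entry))
    for i, h in enumerate(cfg.get("history") or []):
        m = re.search(r"\bENV\s+(.+)$", h.get("created_by", ""))
        if m and SENSITIVE.search(m.group(1).split("=", 1)[0]):
            leaks.append((f"history[{i}].created_by", m.group(1).strip()))
    return leaks


def env_from_v1_manifest(manifest: dict) -> list:
    """Collect Env entries from a schema v1 manifest's embedded v1Compatibility JSON."""
    env = []
    for h in manifest.get("history") or []:
        compat = json.loads(h.get("v1Compatibility", "{}"))
        env.extend((compat.get("config") or {}).get("Env") or [])
    return env


def sha256_digest(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def verify_digest(blob: bytes, digest: str) -> bool:
    """Blobs are content addressed: a download must hash to the digest the manifest named."""
    algo, _, hexval = digest.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo}")
    return hashlib.sha256(blob).hexdigest() == hexval


def get_token(repo: str) -> str:
    q = urllib.parse.urlencode({"service": "registry.docker.io", "scope": f"repository:{repo}:pull"})
    with urllib.request.urlopen(f"{DOCKER_AUTH}?{q}") as r:
        return json.load(r)["token"]


def registry_get(repo: str, path: str, token: str, accept: str = None) -> bytes:
    req = urllib.request.Request(f"{DOCKER_REGISTRY}/v2/{repo}/{path}")
    req.add_header("Authorization", f"Bearer {token}")
    if accept:
        req.add_header("Accept", accept)
    with urllib.request.urlopen(req) as r:  # follows the blob redirect to the CDN
        return r.read()


def audit_image(repo: str, reference: str) -> list:
    """reference is a tag or a 'sha256:...' manifest digest; untagged images stay fetchable by digest."""
    token = get_token(repo)
    manifest = json.loads(registry_get(repo, f"manifests/{reference}", token, MANIFEST_V2))
    digest = manifest["config"]["digest"]
    blob = registry_get(repo, f"blobs/{digest}", token)
    if not verify_digest(blob, digest):
        raise RuntimeError("config blob does not match the digest in the manifest")
    return find_env_leaks(blob)


if __name__ == "__main__":
    import sys
    print(audit_image(sys.argv[1], sys.argv[2]))  # e.g. library/alpine latest
```

Run it as `python audit.py <repository> <tag-or-digest>`. If it reports anything for the cached intermediate images, the value is readable by every principal that can pull the repository, regardless of tagging; the fix is on the build side (pass the key as a build secret rather than an `ENV` or `ARG` that lands in the config), and the offending manifests have to be deleted from the registry, not just untagged.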