|
|
|
|
|
|
by bacongobbler
2765 days ago
|
|
|
The latter can be easily done in a few hours by inspecting the image layer metadata. Every layer understands the command it was run in the Dockerfile to create itself. Just look at `docker history` and have a look at the "CREATED BY" field for human-readable output of the layer metadata, or depending on your graph driver have a look in /var/lib/docker/image/overlay2/imagedb/content/sha256. From there you can reverse-engineer a Dockerfile. For layers that were not built using `docker build` (e.g. `docker commit`, OCI-compatible image builders), re-creating the exact command that generated that layer is much harder to do. The only information most tools will give you might just be the diff itself. |
|
|
How reliable is this? Can it be modified after creation by a malicious party?
That is, if I get a wild docker image, can I trust the results of `docker history`?