08容器反查Dockerfile

## 概述

从容器镜像反查（还原）原始 Dockerfile 是一个常见需求，但由于 Docker 镜像的分层存储特性（只保留最终文件系统状态，不直接存储构建指令的完整上下文），无法 100% 精确还原原始 Dockerfile（例如注释、构建参数的默认值、临时文件操作等信息会丢失）。

可以通过工具和镜像的元数据，尽可能还原构建步骤和核心指令。

## 导出解压镜像

通过docker save的方式导出镜像为tar包，尝试通过解压tar包的方式查看每层发生了什么。

> 实验

```bash
root@ubuntu:~/df# ls
dockerfile
root@ubuntu:~/df# docker image ls
REPOSITORY   TAG       IMAGE ID       CREATED          SIZE
mathiasssh   latest    9d7dc7e7c07d   24 minutes ago   467MB
top          latest    1c983a8c0d28   4 years ago      204MB
root@ubuntu:~/df# docker save 9d7dc7e7c07d > mathias.tar
root@ubuntu:~/df# ls
dockerfile  mathias.tar
root@ubuntu:~/df# mkdir mathias
root@ubuntu:~/df# cd mathias
root@ubuntu:~/df/mathias# mv ../mathias.tar ./
root@ubuntu:~/df/mathias# ls
mathias.tar

root@ubuntu:~/df/mathias# tar -xvf mathias.tar 
blobs/
blobs/sha256/
blobs/sha256/0c877c6968cf142b32399d9af34b693acfc238a6ffb135435de7645427411629
blobs/sha256/0e78870f1ee53264456f587e71f3e411e67ad754df0fade65fcab68acbac1a7f
blobs/sha256/1079cc3eb5d3a691f02540dba1dfbcaf7f29cb2f681aac8084d6c61fe817ff21
blobs/sha256/174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02
blobs/sha256/376b11d7bdf4967ea44551a9551c4c03e4e34733306bae55f5a03d78f12eccd8
blobs/sha256/37aa2a11dc33424a0d38e6ff17d15bb3de59abf3cc325aa0e822f41b66549234
blobs/sha256/4dc2472f2ef71d5e8a234fa89c15bc0bb9274d1f17e05303ce458ba2e9cdb2ad
blobs/sha256/5f0d45536ed1582da9642351d1d73b563a3843e029eefa4473618a57ed390f4d
blobs/sha256/689516d93b5a9eae1a398edeab28162192d95317b944ae2586e80a985c6b5cfe
blobs/sha256/8d90c566f85bb713084a6d5e95b83eb745b08dfee141d4792bbf137a42517bf6
blobs/sha256/9d7dc7e7c07d24ee5f03035dfcfd0a8c8dba29d04f3bcbea3e0bef540ef90f59
blobs/sha256/a97d993d31121ca86eed25a0de5d4cdc830188782e480dee9cd93c1f7c60674a
blobs/sha256/b7b09299bcbd35cf5cabc500e08c738827f6b63f2ee22530ae42dfef09c0eb6d
blobs/sha256/db165cfd687fff7f748019b9ba6d0805e777c36179fbc9462e830e156e2c1d59
blobs/sha256/e1fb8ab3ffa45887de52d2406561da4818f6762d8af5e92daa0ef5309679d538
blobs/sha256/e358c7557f03e458d7d3864e81c8449cdbcf379051d1bc80baae845bbfac4765
blobs/sha256/e78ca537395f7c09e551ce177e2846429ca2c9091742d7eaec1d819e8f59267e
blobs/sha256/f28a0830a4d6705e97ec0182e066e857f537d17c195b64b224d7c5599ee21268
index.json
manifest.json
oci-layout

```

查看manife.json文件

```json
[
  {
    "Config": "blobs/sha256/9d7dc7e7c07d24ee5f03035dfcfd0a8c8dba29d04f3bcbea3e0bef540ef90f59",
    "RepoTags": null,
    "Layers": [
      "blobs/sha256/174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02",
      "blobs/sha256/5f0d45536ed1582da9642351d1d73b563a3843e029eefa4473618a57ed390f4d",
      "blobs/sha256/4dc2472f2ef71d5e8a234fa89c15bc0bb9274d1f17e05303ce458ba2e9cdb2ad",
      "blobs/sha256/e358c7557f03e458d7d3864e81c8449cdbcf379051d1bc80baae845bbfac4765",
      "blobs/sha256/376b11d7bdf4967ea44551a9551c4c03e4e34733306bae55f5a03d78f12eccd8",
      "blobs/sha256/0c877c6968cf142b32399d9af34b693acfc238a6ffb135435de7645427411629",
      "blobs/sha256/e78ca537395f7c09e551ce177e2846429ca2c9091742d7eaec1d819e8f59267e",
      "blobs/sha256/37aa2a11dc33424a0d38e6ff17d15bb3de59abf3cc325aa0e822f41b66549234"
    ],
    "LayerSources": {
      "sha256:0c877c6968cf142b32399d9af34b693acfc238a6ffb135435de7645427411629": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 3072,
        "digest": "sha256:0c877c6968cf142b32399d9af34b693acfc238a6ffb135435de7645427411629"
      },
      "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 211685376,
        "digest": "sha256:174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02"
      },
      "sha256:376b11d7bdf4967ea44551a9551c4c03e4e34733306bae55f5a03d78f12eccd8": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 1536,
        "digest": "sha256:376b11d7bdf4967ea44551a9551c4c03e4e34733306bae55f5a03d78f12eccd8"
      },
      "sha256:37aa2a11dc33424a0d38e6ff17d15bb3de59abf3cc325aa0e822f41b66549234": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 3072,
        "digest": "sha256:37aa2a11dc33424a0d38e6ff17d15bb3de59abf3cc325aa0e822f41b66549234"
      },
      "sha256:4dc2472f2ef71d5e8a234fa89c15bc0bb9274d1f17e05303ce458ba2e9cdb2ad": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 263938048,
        "digest": "sha256:4dc2472f2ef71d5e8a234fa89c15bc0bb9274d1f17e05303ce458ba2e9cdb2ad"
      },
      "sha256:5f0d45536ed1582da9642351d1d73b563a3843e029eefa4473618a57ed390f4d": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 2048,
        "digest": "sha256:5f0d45536ed1582da9642351d1d73b563a3843e029eefa4473618a57ed390f4d"
      },
      "sha256:e358c7557f03e458d7d3864e81c8449cdbcf379051d1bc80baae845bbfac4765": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 6144,
        "digest": "sha256:e358c7557f03e458d7d3864e81c8449cdbcf379051d1bc80baae845bbfac4765"
      },
      "sha256:e78ca537395f7c09e551ce177e2846429ca2c9091742d7eaec1d819e8f59267e": {
        "mediaType": "application/vnd.oci.image.layer.v1.tar",
        "size": 3072,
        "digest": "sha256:e78ca537395f7c09e551ce177e2846429ca2c9091742d7eaec1d819e8f59267e"
      }
    }
  }
]
```

很明显，最底层是：

```bash
blobs/sha256/174f5685490326fc0a1c0f5570b8663732189b327007e47ff13d2ca59673db02
```

可通过解压每一层查看做了什么：
![image-20251019170643138](https://oss.maolin101.com/image-20251019170643138.png-101.webp)

## dfimage反查

dfimage（全称 dockerfile-from-image）是一个轻量工具，专门用于从 Docker 镜像反查（还原）近似的 Dockerfile。它通过解析镜像的分层历史、元数据（如环境变量、暴露端口等），自动生成接近原始构建步骤的 Dockerfile 内容。

```bash
root@ubuntu:~/df/mathias#docker pull alpine/dfimage
root@ubuntu:~/df/mathias#alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
root@ubuntu:~/df/mathias# docker image ls
REPOSITORY       TAG       IMAGE ID       CREATED          SIZE
mathiasssh       latest    9d7dc7e7c07d   45 minutes ago   467MB
alpine/dfimage   latest    c2eebfb73055   8 months ago     24.3MB
top              latest    1c983a8c0d28   4 years ago      204MB
root@ubuntu:~/df/mathias# dfimage  9d7dc7e7c07d
Analyzing 9d7dc7e7c07d
Docker Version: 
GraphDriver: overlay2
Environment Variables
|PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Open Ports
|22

Image user
|User is root

Potential secrets:
unable to parse history from json file 
root@ubuntu:~/df/mathias#

```

## history

docker history 是 Docker 自带的核心命令，用于查看镜像的分层构建历史，展示镜像每层的创建时间、构建指令、大小等信息。

基础语法：
```bash
docker history [选项] <镜像名:标签 或 镜像ID>
常用选项：
    --no-trunc：不截断输出的命令（默认会截断长命令，加此选项可显示完整指令）。
    --format：自定义输出格式（如只显示构建指令、大小等）。
    --human（默认开启）：以人类可读的单位显示大小（如 1.2MB）；加 --no-human 则显示字节数。
```

![image-20251019172627499](https://oss.maolin101.com/image-20251019172627499.png-101.webp)

## dive反查

dive 是一款实用的开源工具，用于交互式分析 Docker 镜像的分层结构，可以直观查看每一层的文件变化（新增、删除、修改的文件）以及对应的构建指令。

```bash
docker pull wagoodman/dive
alias dive="docker run -ti --rm -v /var/run/docker.sock:/var/run/docker.sock wagoodman/dive"
dive image ID
```

![image-20251019172850462](https://oss.maolin101.com/image-20251019172850462.png-101.webp)