docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cc03e43a052a lamp-wordpress "./run.sh" 2 minutes ago Up 2 minutes 80/tcp wordpress
您可以轻松地使用以下命令查找有关此容器对镜像所做修改:
docker diff wordpress
C /var
C /var/lib
C /var/lib/mysql
A /var/lib/mysql/ib_logfile0
A /var/lib/mysql/ib_logfile1
A /var/lib/mysql/ibdata1
A /var/lib/mysql/mysql
A /var/lib/mysql/mysql/time_zone_leap_second.MYI
A /var/lib/mysql/mysql/general_log.CSV
...
docker run -d lamp-wordpress
docker cp b5d53e8b468e:/etc/shadow original_shadow #Get the file from the newly created container
diff original_shadow shadow
如果发现添加了一些可疑文件,您可以访问容器并进行检查:
docker exec -it wordpress bash
图像修改
docker save <image> > image.tar #Export the image to a .tar file
container-diff analyze -t sizelayer image.tar
container-diff analyze -t history image.tar
container-diff analyze -t metadata image.tar
然后,您可以解压图像并访问 blobs,以搜索您在更改历史记录中发现的可疑文件:
tar -xf image.tar
基本分析
您可以从运行的镜像中获取基本信息:
docker inspect <image>
您还可以使用以下命令获取更改历史记录摘要:
docker history --no-trunc <image>
您还可以使用以下命令从镜像生成dockerfile:
alias dfimage="docker run -v /var/run/docker.sock:/var/run/docker.sock --rm alpine/dfimage"
dfimage -sV=1.36 madhuakula/k8s-goat-hidden-in-layers>
Dive
#First you need to load the image in your docker repo
sudo docker load < image.tar 1 ⨯
Loaded image: flask:latest
#And then open it with dive:
sudo dive flask:latest