If you are just looking to run a common Linux application such as Tomcat or WordPress it’s far simpler to download a pre-packaged image from DockerHub than to install the application from scratch. But with tens of thousands of images on DockerHub you are likely to find many variations of the application in question, even with official repositories you may find multiple different versions of an application.
In previous blog posts, we have introduced the Anchore open source project which provides a rich toolset to allow developers, operations, and security teams to maintain full visibility of the ‘chain of custody’ as containers move through the development lifecycle.
In our last blog, we covered a couple of simple use cases, allowing a user to dig into the contents of a container looking at specific files or packages. In this blog post, I wanted to introduce you to three interesting features within Anchore.
There are seven top-level commands within the Anchore command-line tools. These can be seen by running the
anchore command with no other options:
|Perform analysis on specified image IDs|
|Search, report and query specified image IDs|
|Perform and view gate evaluation on selected images|
|Manage local subscriptions|
|Synchronize images and metadata|
|Anchore system-level operations|
|Useful tools and operations on images and containers|
In previous blog posts, we have presented the
gate commands, but in this blog post, we wanted to highlight a couple of the lesser-known features in the toolbox that we found very useful in our day to day use of containers.
anchore toolbox will show the sub-commands available:
|Setup a module development environment|
|Show image summary information|
|Generate (or display actual) image Dockerfile|
|Show image family tree image IDs|
|Show image layer IDs|
|Show history of all known repo/tags for image|
|Unpack and Squash image to local filesystem|
While Docker allows applications to be packaged as easily distributed containers, transparently providing both the underlying operating system and the application, you often need to know exactly what operating system this application is built upon. This information may be required to fulfill compliance or audit requirements in your organization or to ensure that you are only deploying operating systems for which you have commercial support agreements.
If you are lucky then the full description of the container on the DockerHub portal contains details about the operating system used. But in many cases, this information isn’t presented.
One way to ascertain what operating system is used is to download and run the image and inspect the file system however that’s a manual and time-consuming process. The
show command presents a simple way to retrieve this information.
Taking a look at nginx, the most popular image on DockerHub:
IMAGEID='0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d' REPOTAGS='docker.io/nginx:latest' DISTRO='debian' DISTROVERS='8' SHORTID='0d409d33b27e' PARENTID='' BASEID='0d409d33b27e47423b049f7f863faa08655a8c901749c2b25b93ca67d01a470d'
Here we see the latest image is built on Debian version
Using another useful toolbox function is show-tag history, which shows the known tags for a given image. Here we can see that the latest image is also tagged as
+--------------+---------------------+-------------------------+ | ImageId | Date | KnownTags | +--------------+---------------------+-------------------------+ | 0d409d33b27e | Wed Jun 15 14:37:03 | nginx:1.11,nginx:1.11.1 | | | 2016 | ,nginx:latest | | 0d409d33b27e | Wed Jul 13 15:57:51 | nginx:1.11,nginx:1.11.1 | | | 2016 | ,nginx:latest | | 0d409d33b27e | Wed Jul 13 16:35:14 | docker.io/nginx:latest | | | 2016 | | +--------------+---------------------+-------------------------+
The final toolbox feature I want to highlight is a feature that many users do not know is available, that is the ability to retrieve the dockerfile for a given image. The
show-dockerfile command will either display the dockerfile, if it was available during the image analysis phase, or will generate the dockerfile from the image.
This information may be useful if you wish to look under the covers to understand how the container was created or to check for any potential issues with the container content. The contents of the dockerfile may also be used within our ‘gates’ feature, for example allowing you to specify that specific ports may not be exposed.
# anchore toolbox --image=nginx:latest show-dockerfile --- ImageId --- 0d409d33b27e --- Mode --- Guessed
Here the mode
Guessed indicates that the dockerfile was generated by the tool during image analysis.
There are other toolbox commands that include the ability to show the family tree of an image, display the image layers, or unpack the image to the local filesystem.
If you haven’t already installed Anchore and begun scanning your container images, take a look at our installation and quick-start guides at our wiki below or by going to https://github.com/anchore/anchore/wiki.