1

I have the relevant access permissions to the ECR registry, but I cannot get the image metadata by running the docker inspect command. I am trying

docker inspect ecrregistryurl/dockerimage:imageversion
4

3 Answers

2

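Without downloading it, you will not be able to get this kind of information about the image. You need to pull the image first and then inspect it.

There is no equivalent command. But there may be an equivalent API available. For Docker Hub, something like the following works: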

curl \
    --silent \
    --header "Accept: application/vnd.docker.distribution.manifest.v2+json" \
    "http://$REGISTRY_ADDRESS/v2/$image/manifests/$tag" |
    jq -r '.config.digest'

For more details, see the article below:

https://hackernoon.com/inspecting-docker-images-without-pulling-them-4de53d34a604

answered 2018-06-27T13:23:51.617
2

Update

As @Tarun mentioned, I tried it, but it does not give me the same output as docker inspect. Here is the link from the documentation: https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth_http

#!/bin/bash
TOKEN=$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')
curl -i -H "Authorization: Basic $TOKEN" https://account_id.dkr.ecr.us-west-2.amazonaws.com/v2/redis/manifests/latest

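But checking the output, it is different from docker inspect.

docker inspect image_name

This command will only inspect your local images, not your registry.

What you can do is get only the relevant metadata that ECR provides.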

aws ecr list-images --repository-name redis

It will give you the image tag and image ID.

aws ecr describe-images --repository-name redis

This will give all the images in this repo named redis, with more details.

Now, for docker inspect, pull that image first.

aws ecr get-login --no-include-email

Run the output of this command. You will be logged in using the token.

docker pull account_id.dkr.ecr.us-west-2.amazonaws.com/redis:latest

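Then run

docker inspect account_id.dkr.ecr.us-west-2.amazonaws.com/redis:latest

You will get what you are looking for.

Or, if you are already running this image on some EC2 instance, run the following on that EC2 instance and you will get the desired result.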

docker inspect account_id.dkr.ecr.us-west-2.amazonaws.com/redis:latest

https://docs.aws.amazon.com/cli/latest/reference/ecr/index.html

answered 2018-06-27T13:25:13.010
0

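Yes, this is doable. You have to talk to the registry API directly, though.

Although the pull-then-inspect approach may be slower and less efficient in the short term, it uses a more stable interface than the registry API, so sticking with pull-then-inspect may be more maintainable in the long run.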

import argparse
import json
import re
from pathlib import Path

import requests


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('image')
    args = parser.parse_args()

    # TODO: this is quick and dirty, check what the actual requirements are. In
    # particular, can image contain /, or tag contain :, maybe with escapes?
    RE_DOCKER_VERSION = re.compile(r"(?P<host>[^/]+)/(?P<image>[^:]+):(?P<tag>[^:]*)")

    if (match := RE_DOCKER_VERSION.fullmatch(args.image)) is None:
        raise Exception(f"Couldn’t parse {args.image}")

    host, image, tag = match["host"], match["image"], match["tag"]

    # If you are definitely using AWS ECR, you should use boto3 to get the login
    # password directly. But this should work for any registry requiring auth,
    # not just for ECR.
    docker_config = json.loads(Path("~/.docker/config.json").expanduser().read_text())
    # If you b64decode the following value, you will see for ECR it is `AWS:xxxx…`
    auth = docker_config["auths"][host]["auth"]

    response = requests.get(
        f"https://{host}/v2/{image}/manifests/{tag}",
        headers={
            "Authorization": f"Basic {auth}",
            # https://docs.docker.com/registry/spec/api/#pulling-an-image says we
            # need to pass this, though ECR seems to ignore it.
            # https://docs.docker.com/registry/spec/manifest-v2-2/ is supposed to
            # document the various manifest specs but I found it confusing.
            "Accept": "application/vnd.docker.distribution.manifest.v2+json"
        },
    )
    print('request 1 headers', response.headers)
    response.raise_for_status()
    print(response.text)
    manifest = response.json()
    digest = manifest["config"]["digest"]

    response = requests.get(
        f"https://{host}/v2/{image}/blobs/{digest}",
        headers={"Authorization": f"Basic {auth}"},
    )
    print('request 2 headers', response.headers)
    response.raise_for_status()
    print(json.dumps(response.json(), indent=2, ensure_ascii=False))

if __name__ == "__main__":
    main()

For me, running

python script.py 503014274146.dkr.ecr.us-east-1.amazonaws.com/foo:latest

prints

request 1 headers {'Content-Type': 'application/vnd.docker.distribution.manifest.v2+json', 'Docker-Distribution-Api-Version': 'registry/2.0', 'Sizes': '', 'Content-Length': '1329'}
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 14512,
      "digest": "sha256:587ad9ba921cfa176f2e8fba84f7e78f1c38ef6ee147b5b2bd78ca46c66c973e"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 2683875,
         "digest": "sha256:f2fd7513120f741931f5aa402fb8270465150e0bcd16e0b398a7cb394c2b8593"
      },
      ⋮
   ]
}

That is the information the registry holds about the image. If we retrieve the config blob, we get what docker inspect reports:

request 2 headers {'Last-Modified': 'Wed 24 Apr 2021 06:12:27 AM MDT', 'ETag': '"e5c907c0e39e44db69f5c361c8d46996-1"', 'x-amz-server-side-encryption': 'AES256', 'Accept-Ranges': 'bytes', 'Content-Type': 'application/octet-stream', 'Server': 'AmazonS3', 'Content-Length': '19351'}
{
  "architecture": "amd64",
  "config": {
    "Hostname": "",
    "Domainname": "",
    "User": "",
    "AttachStdin": false,
    "AttachStdout": false,
    "AttachStderr": false,
    "Tty": false,
    "OpenStdin": false,
    "StdinOnce": false,
    ⋮

There is a lot more that I have cut, such as the environment variables, the entrypoint and the layer history.

answered 2022-01-14T04:21:15.900
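
The manifest-then-config-blob flow from the answers above, as an added example that is not code from any of the answerers: it checks the config blob against the sha256 digest named in the manifest before parsing it, and it goes beyond the answers by resolving a multi-platform manifest list, where `manifest["config"]` does not exist. It runs offline on constructed sample responses; the function names, `fetch_manifest` callback and sample values are assumptions made for illustration.

```python
import hashlib
import json

# Media types that mark a multi-platform index instead of a single image manifest.
INDEX_TYPES = {"application/vnd.docker.distribution.manifest.list.v2+json",
               "application/vnd.oci.image.index.v1+json"}

def config_digest(manifest, fetch_manifest=None, arch="amd64", os_name="linux"):
    """Return the config blob digest, resolving a manifest list when needed."""
    if manifest.get("mediaType") in INDEX_TYPES or "manifests" in manifest:
        for entry in manifest["manifests"]:
            platform = entry.get("platform", {})
            if (platform.get("architecture"), platform.get("os")) == (arch, os_name):
                return config_digest(fetch_manifest(entry["digest"]), fetch_manifest, arch, os_name)
        raise LookupError(f"no manifest for {os_name}/{arch}")
    return manifest["config"]["digest"]

def verify_blob(blob, digest):
    """Parse the blob only if its sha256 matches the digest from the manifest."""
    algo, _, expected = digest.partition(":")
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm: {algo!r}")
    actual = hashlib.sha256(blob).hexdigest()
    if actual != expected:
        raise ValueError(f"digest mismatch: expected {expected}, got {actual}")
    return json.loads(blob)

def inspect_summary(image_config):
    """Pick a few of the fields `docker inspect` would show (env names only, no values)."""
    cfg = image_config.get("config") or {}
    return {
        "architecture": image_config.get("architecture"),
        "user": cfg.get("User", ""),
        "entrypoint": cfg.get("Entrypoint"),
        "env_names": [e.split("=", 1)[0] for e in cfg.get("Env") or []],
    }

# Constructed sample data standing in for the two registry responses.
SAMPLE_CONFIG = json.dumps({"architecture": "amd64", "os": "linux", "config": {
    "User": "", "Env": ["PATH=/usr/local/bin:/usr/bin"], "Entrypoint": ["docker-entrypoint.sh"]}}).encode()
SAMPLE_MANIFEST = {"schemaVersion": 2, "config": {"digest": "sha256:" + hashlib.sha256(SAMPLE_CONFIG).hexdigest()}}
SAMPLE_INDEX = {"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", "manifests": [
    {"digest": "sha256:constructed-arm64", "platform": {"architecture": "arm64", "os": "linux"}},
    {"digest": "sha256:constructed-amd64", "platform": {"architecture": "amd64", "os": "linux"}}]}
MANIFESTS = {"sha256:constructed-amd64": SAMPLE_MANIFEST}  # digest -> manifest lookup

if __name__ == "__main__":
    digest = config_digest(SAMPLE_INDEX, MANIFESTS.__getitem__)
    print(json.dumps(inspect_summary(verify_blob(SAMPLE_CONFIG, digest)), indent=2))
```

Against a real registry, `fetch_manifest` would issue the same authenticated `/v2/{image}/manifests/{digest}` request the answer's script makes, and `blob` would be the raw bytes of the `/v2/{image}/blobs/{digest}` response.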