Explore Docker image hidden file


I want to explore what’s in this docker command / file

RUN /bin/sh -c bash /run/secrets/secretxt # buildkit

Can anyone help me how to explore it thank you

Since you expect a secret to be present during build, I assume you pass it in as argument during build time and your question is: how do I access a secret I passed in into the build during the build?

Note: during build, each instruction creates a new container that uses the outcome of the previous instruction. Between instruction no process will remain running. Secrets are not persisted in the image, so if you didn’t pass a secret as argument into the build, there will be no secret available.

So I can’t inspect that secret?

Uhm, can you put in your own words what I wrote about secrets in my last response?

Buildkit actually supports secrets without environment variables:Build images with BuildKit | Docker Documentation

Ya, but I feel @amirulandalib seem to expect that it’s possible to extract secrets from an existing image…
You still need to configure a secret to use it, don’t you?

Yes, I realized I wrote too quickly :slight_smile:

I am just curious how this one plays out… still waiting for @amirulandalib to enlighten us with details :slight_smile:

Sorry I am Brazilian don’t understand much of English But I need to Figure out how to Extract that secret at any cost please help me out

I guess I can’t extract it after googling it I found that it is encrypted :frowning: I just wanted to check if it that dockerfile has any miners loggers stealers etc

To be honest, it is completly unclear what you want, as your posts are too ambigous (at least for me) and you don’t respond to any input. Have you tried to use google translate to translate the input to your native language - usualy the translation is good enough to get a fair understand.

If you just want to explore/browser an image, use GitHub - wagoodman/dive: A tool for exploring each layer in a docker image.

This will be my last response in this topic, because it is getting nowhere.

Good luck!

I want to see that secret that’s all

The problem is that we don’t know anything about how you created that secret. @meyay had questions that you have not answered. Since our answers depend on your answers to our questions, we can’t answer yours.

  • If the image is yours and you defined that secret, you should know what it was
  • If the image is not yours or you did not define the secret, because you ran a script downloaded from the internet, then you will not be able to get its value, since the secret does not exist anymore.

The instruction you quoted before

seems strange, since it wants to execute the secret. I guess it was an attempt to get the value, however, the secret will exist only in the container when you define it in the Dockerfile like this:

RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

and also define the source in command line.

DOCKER_BUILDKIT=1 BUILDKIT_PROGRESS=plain docker build --secret id=mysecret,src=file.txt .

Otherwise that secret will not exist. Unless you save a file directly in a previous layer which is not really a secret

Here you can read about secrets: Build images with BuildKit | Docker Documentation

This secret I wrote about is not that kind of secret. There is an other secret which is not used during build.

And it just says it is encrypted when Docker sends the secret to a machine on the network. You need to be able to read it in the container

All of my above comments are guesses, possible scenarios. Since we don’t know how you defined that secret, this is probably all that we can answer.

1 Like

Very much agreed, and I can understand why the OP may be curious/worried about that smelly line, thinking /run/secrets/ would be part of the image, so thinking it was going to execute something they could not see nor control. But indeed the following is key in understanding it’s not part of the image at all:

So, I feel this from the current latest is an error, or needs some documentation from the image maintainer?

RUN |1 DEBIAN_FRONTEND=noninteractive /bin/sh -c bash /run/secrets/secretxt # buildkit

Aside, I think there is no way to tell if https://hub.docker.com/u/anasty17 ir really related to https://github.com/anasty17/? Though the Dockerfile on GitHub suggests it does.

Ah, I fooled myself into assuming the last line was the ENTRYPOINT used when running the container. It’s not :slight_smile: So, the RUN command is really just an instruction to run when creating the image. I did not know /run/secrets would be available during creation of an image too, but why not. Still smelly, I feel!

(To see what is in the image simply run it using docker run -it anasty17/mltb and then browse around in the Bash shell you’ll get. To use it as intended see the Dockerfile on GitHub.)

Personaly; I would stay away from that image, as the whole magic is hidden away in a bash script handed into the container as secret during build time.

Something seems to make it necessary to obfuscate the image creation…

1 Like

Curious: is there an easy way to see the difference between a previous layer and the final one, so before and after the secret was executed?

Of course, the very first:

ADD file:00dae10e79b05c4e1a3db053a1f85a4f38a39fe85cbbd88d74201a01a7dd59b5 in /

…which I guess copies the contents of a 27.5 MB directory into subfolders of the root (or is truly a file which is then handled when executing that secret), may already add shady things as well. Or not.

(Oh, that’s how Hub shows any file that is copied.)

Surely the old pre-May 15th Dockerfile was much easier to validate!

Aside, I asked about it in The Docker Hub image does not seem legit · Issue #787 · anasty17/mirror-leech-telegram-bot · GitHub – let’s see if that issue is not silently deleted. :sunglasses:

Just in case!

Created on https://github.com/anasty17/mirror-leech-telegram-bot/issues/787

Docker Hub shows a build step that copies some 27 MB folder into subfolders of the image’s root, and another step involves executing some secret. Both make That makes it hard to see what’s really included in the image.

Like today’s latest for linux/amd64 shows:

ADD file:00dae10e79b05c4e1a3db053a1f85a4f38a39fe85cbbd88d74201a01a7dd59b5 in / 
CMD ["bash"]
ARG DEBIAN_FRONTEND=noninteractive
RUN |1 DEBIAN_FRONTEND=noninteractive /bin/sh -c bash /run/secrets/secretxt # buildkit

The Dockerfile in this very repository seems to refer to that image, so presumably the Hub account is yours.

So: is the Docker Hub account still under your control, and is that image legit?

To Reproduce

Click a tag or digest on Docker Hub

Expected behavior

Some way to tell the image is legit.


The ADD instruction is just in base images to add the base filesystem to a scratch image. You will see a similar instruction in every bases image. If you are curious what’s added, you can explore the layer with dive: docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock wagoodman/dive:latest anasty17/mltb:latest. It is as worrying as the RUN instruction that executes an arbitrary bash script.

The whole image is a black box! It is used as base image in the Dockerfile from the GH repo. I guess the GH repo is ment to be used for personal customizations of some sorts.

What I saw in the image, more or less seem to match the description of the GH repo. Some filesharing clients, some cloud storage connectors, a qbittorrent client. Oddly I have seen x11 and pulseaudio beeing added when investigating the layers with dive.

update: the ADD instruction adds a very slim ubuntu base-os tar as first layer, most likely created using debootstrap.

1 Like

Brazilian lol, he is 16 years old Bangladesh kid, he trying hard to confuse all telegram bots devs.

1 Like


Your bash thingy didn’t work sadly :frowning: