How to determine the operating system used by each image without building a container

Supplementary notes

I understand that the local image file systems stored by Docker for different operating systems are different, but I have no way to know where to find this information.

If you downloaded an official image from Docker Hub, or any other image from Docker Hub with available source code on GitHub, or if you can find a link to the Dockerfile pointing to a custom git repo, then you can check the parent image and continue the investigation with that image until you find a parent image like “debian” or something else which you know is an operating system.

Otherwise you would have to look into each image layer one by one or merge the overlayfs layers and see what you can find in it. Sometimes it is easier to run a command which can tell you what OS you are using, but then you would have to run chroot manually at least. It would not make sense, since you could also just run the container with Docker.

Can I ask you why you don’t want to run a container to determine the operating system?
If you just don’t want others to see you started a new container, you can use podman or rootless docker daemon so you would be the only one who could see that container.

There is actually a shortcut for that. Use wagoodman/dive to inspect the image (layers).

Either one of the two files should indicate the OS and version:
– /etc/os-release
– /etc/lsb-release

Now that I posted this, I don’t remember exactly if it actually allows you to “view” a file. It’s been a long time since I used it.

Update: I just checked it: there is no way to actually view the content of the files.
Please ignore the blurred part of this post.

There is no other way than what @rimelek wrote without actually creating a container.

But if you are willing to create a container, you can bypass the entrypoint script, cat any /etc/*-release file and remove the container process again:
docker run --rm --entrypoint /bin/sh ${repo}:${tag} -c 'cat /etc/*-release'

If it should be even more lightweight, you can check how linuxserver.io docker-mods fetches only a single layer of an image (even though their mod images only have a single layer, but should still work with more than a single layer) and extracts it.

I like how we inspire each other to answer :smiley: This time I decided to write a small script to mount the filesystem of the image layers and check the OS version based on your idea with cat /etc/*-release. It works on Linux with overlayfs which is the most common recently.

You have to execute it as root. And don’t forget to set the target_dir and image_name.

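# Mount point for the merged view and the image to inspect
target_dir=/home/ta/layertest
image_name=httpd:2.4

# Colon-separated layer directories reported by the overlay2 storage driver
lowerdir="$(docker image inspect "$image_name" --format '{{ .GraphDriver.Data.LowerDir }}')"

# Read-only overlay mount (no upperdir), read the release files, then unmount
mkdir -p "$target_dir"
mount -t overlay overlay -o "lowerdir=$lowerdir" "$target_dir"
cat "$target_dir"/etc/*-release
umount "$target_dir"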

The reason why it doesn’t work is that the image doesn’t belong to me in essence. You can understand that I’m studying container image security.

According to my research, I found that most image security detection is matched through component versions. At present, the matching method only supports installation such as yum, apt, dpkg and rpm. In the case of binary installation, there is no matching. The reason is that there is no unique value through this method. I want to try to solve this problem. However, how to get the operating system version without mounting the image has become a problem.
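
One way to read the release file without mounting layers or starting a container, as an added example that is not part of any post in this thread: parse the archive written by `docker save` and walk its layers from the top down, honouring overlay whiteout markers. The names `image_os`, `parse_release` and `CANDIDATES` are hypothetical, and the code assumes the archive has a `manifest.json` whose `Layers` list is ordered base layer first.

```python
import json
import posixpath
import sys
import tarfile

# Preference order. Debian-based images ship /etc/os-release as a symlink to
# /usr/lib/os-release, so the link target is a candidate too.
CANDIDATES = ("etc/os-release", "usr/lib/os-release", "etc/lsb-release")

def parse_release(text):
    """Parse the KEY=value lines of an os-release or lsb-release file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            fields[key] = value.strip().strip("\"'")
    return fields

def image_os(archive, image_index=0):
    """Return (path, fields) read from a `docker save` archive, or None."""
    found, hidden = {}, set()
    with tarfile.open(fileobj=archive, mode="r:*") as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        # "Layers" lists the base layer first; walk top-down so upper layers win.
        for layer_name in reversed(manifest[image_index]["Layers"]):
            blob = outer.extractfile(layer_name)
            with tarfile.open(fileobj=blob, mode="r:*") as layer:
                members = {posixpath.normpath(m.name): m for m in layer}
                for path in CANDIDATES:
                    if path in found or path in hidden:
                        continue
                    directory, base = posixpath.split(path)
                    member = members.get(path)
                    if member is not None and member.isfile():
                        data = layer.extractfile(member).read()
                        found[path] = parse_release(data.decode("utf-8", "replace"))
                    elif (member is not None  # symlink etc. replaces lower copies
                          or f"{directory}/.wh.{base}" in members  # file whiteout
                          or f"{directory}/.wh..wh..opq" in members):  # opaque dir
                        hidden.add(path)
    for path in CANDIDATES:
        if path in found:
            return path, found[path]
    return None

if __name__ == "__main__":
    # Usage: docker save -o image.tar IMAGE && python3 this_script.py image.tar
    with open(sys.argv[1], "rb") as handle:
        print(image_os(handle))
```

The image still has to be present locally for `docker save`, but nothing from it is executed and no root privileges are needed for the parsing step.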