I was playing around with the play-with-docker tutorials and something occurred to me about validating the chain of images produced in a final application image.
Is there a way to obtain the docker parent image tree for a given image? I know
docker history IMG_NAME
will provide an image id for the current image you’re working with but everything else is missing. I’ve read this was taken out in v1.10 for security concerns but it seems to be a larger concern not being able to verify the tree of images that a final image was created from.
The other thing I’ve found is
docker save IMG_NAME -o TAR_OUTPUT.tar
which will let you view all of the files in each layer but that seems pretty tedious.
How can I be assured that the only things modified in a given image for a piece of software are the installation and configuration of the software itself? It seems that being able to see the changes in the Dockerfiles used to generate each successive image would be an easy way to verify this.
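Added example, not part of the original post: a sketch that automates the layer-by-layer review of a `docker save` archive by pairing each build step recorded in the image config with the files its layer adds. It assumes the archive layout written by `docker save` (a `manifest.json` naming a `Config` file and an ordered `Layers` list, and a config whose `history` entries carry `created_by` and `empty_layer`); the function names and the sample archive are constructed for illustration.

```python
import io, json, tarfile

def layer_report(image_tar):
    """Pair each build step in the image config with the files its layer adds."""
    with tarfile.open(fileobj=image_tar, mode="r:*") as tar:
        read = lambda name: tar.extractfile(name).read()
        manifest = json.loads(read("manifest.json"))[0]   # first image in the archive
        config = json.loads(read(manifest["Config"]))
        layers = iter(manifest["Layers"])                  # filesystem layers, base first
        report = []
        for step in config.get("history", []):
            files = []
            if not step.get("empty_layer", False):         # ENV/CMD-style steps have no layer
                blob = io.BytesIO(read(next(layers)))
                with tarfile.open(fileobj=blob, mode="r:*") as layer:
                    files = sorted(m.name for m in layer if not m.isdir())
            report.append((step.get("created_by", ""), files))
        return report

def _tar_bytes(files):
    """Build an in-memory tar from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_archive():
    """Constructed stand-in for `docker save` output (not a real image)."""
    config = {"history": [
        {"created_by": "ADD rootfs.tar /"},
        {"created_by": "ENV APP_HOME=/opt/app", "empty_layer": True},
        {"created_by": "RUN install-app.sh"}]}
    manifest = [{"Config": "config.json", "RepoTags": ["example/app:latest"],
                 "Layers": ["l1/layer.tar", "l2/layer.tar"]}]
    return io.BytesIO(_tar_bytes({
        "manifest.json": json.dumps(manifest).encode(),
        "config.json": json.dumps(config).encode(),
        "l1/layer.tar": _tar_bytes({"bin/sh": b"#!"}),
        "l2/layer.tar": _tar_bytes({"opt/app/app.conf": b"x=1",
                                    "usr/local/bin/helper": b"#!"})}))

if __name__ == "__main__":
    for created_by, files in layer_report(build_sample_archive()):
        print(created_by)
        for name in files:
            print("    " + name)
```

For a real image, pass `open("TAR_OUTPUT.tar", "rb")` to `layer_report`. The `created_by` strings are metadata written by the builder and are not verified against the layer, so the file list is the evidence to review; entries whose file name starts with `.wh.` mark deletions from a lower layer.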