
After reading Can I access a file in the intermediate layer of docker image? I learned that if the id of an intermediate layer is known, files deleted in a later layer are not concealed. This is what is meant by "Don't do this!" in Don't leak your Docker image's build secrets.

But in the above links it looks like the threat only exists if a build log leaks, and thanks to BuildKit the intermediate layer id is no longer revealed, so I understand that there's no threat in the build phase. Then, is it possible for a user to retrieve a layer id from a published image, by docker inspect for example?

Added

Apologies for not being clear. I'm talking about the layer id which can be specified in docker run -it <layer_id>. My concern is the possibility of running a container on a certain layer and the leakage of files' content.

As mentioned in Can I access a file in the intermediate layer of docker image?, when building an image without BuildKit the intermediate layer id is revealed and can be specified in docker run -it, so the files are all accessible. But layer ids retrieved by docker inspect cannot be specified; it results in "Error response from daemon: No such image".

Added

More specifically: if you build an image from this Dockerfile, can you read the content of .env?

FROM alpine:latest
ADD .env /.env
RUN rm /.env


Answers


  1. Then, is it possible to retrieve layer id from published image by user, by docker inspect for example?

    Yes. You can, for example, show all layer IDs with docker inspect <image name> -f '{{.RootFS.Layers}}'.

    Thanks to buildkit intermediate layer id is no longer revealed

    It’s not that the intermediate layer ID is no longer revealed. The layer ID must be revealed for Docker’s layer caching to work. The reason why BuildKit is more secure is that it gives you options for using secrets besides copying the secrets into the image. If you don’t use those options, then BuildKit is no more secure than the previous system.

  2. You can do this using the dive utility, even if you don't know the id of the intermediate layers.

    dive

    A tool for exploring a docker image, layer contents, and discovering ways to shrink the size of your Docker/OCI image.
    https://github.com/wagoodman/dive

    Installation instructions: https://github.com/wagoodman/dive#installation

    You can build your image as usual, and then you can run:

    $ dive <image_name>
    

    and then you can dive into each intermediate layer and see the directory structure.

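    To show concretely what dive exposes for the Dockerfile in the question (ADD .env, then RUN rm /.env), here is an added example that is not part of this answer or of dive: it walks a `docker save`-style tarball layer by layer and reports files that a later layer deletes but an earlier layer still carries. The image tarball is constructed inline as a stand-in for `docker save <image>` output (manifest.json plus one tar per layer); on a real image, replace build_sample_image() with the bytes of the saved tarball.

```python
import io
import json
import tarfile


def tar_bytes(members):
    """Build an in-memory tar archive from {path: content_bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save` output of the question's Dockerfile:
    layer 1 adds /.env (ADD), layer 2 records its removal (RUN rm) as a whiteout."""
    layer1 = tar_bytes({".env": b"API_KEY=constructed-sample-value\n"})
    layer2 = tar_bytes({".wh..env": b""})  # overlay whiteout marker for /.env
    manifest = json.dumps([{"Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return tar_bytes({"manifest.json": manifest,
                      "l1/layer.tar": layer1, "l2/layer.tar": layer2})


def find_deleted_files(image_tar):
    """Return {path: content} for files that some layer deletes (whiteout)
    while an earlier layer still ships their full content."""
    found, deleted = {}, set()
    with tarfile.open(fileobj=io.BytesIO(image_tar)) as img:
        manifest = json.load(img.extractfile("manifest.json"))
        for layer_name in manifest[0]["Layers"]:
            with tarfile.open(fileobj=img.extractfile(layer_name)) as layer:
                for m in layer.getmembers():
                    d, _, base = m.name.rpartition("/")
                    if base.startswith(".wh."):
                        # Whiteout: the merged filesystem hides this path, but
                        # the bytes remain in whichever layer added it.
                        target = base[4:]
                        deleted.add(f"{d}/{target}" if d else target)
                    elif m.isfile():
                        found[m.name] = layer.extractfile(m).read()
    return {p: c for p, c in found.items() if p in deleted}


if __name__ == "__main__":
    for path, content in find_deleted_files(build_sample_image()).items():
        print(f"{path} was deleted in a later layer but is still readable: {content!r}")
```

    The same check on a real image is `docker save <image_name> -o image.tar` followed by find_deleted_files(open("image.tar", "rb").read()); opaque directory whiteouts (.wh..wh..opq) are not handled here.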