How to know where a docker image came from?
Problem
I have a Docker image on my system 12346789ABCD.
Is there a way to know where it is coming from?
Specifically, I would like to know if it was built locally or downloaded from a repository, and in that latter case, downloaded from which repository.
Solution
Typically, if it's from a registry, you see that in the name of the image (if it's not from the default registry, Docker Hub). Images from Quay look like quay.io//:.
Some images are not from anywhere else at all. For example, images that are FROM: scratch and images created via docker import will not be associated with any registry. These are the famous none:none images (no repository and no tag). In this case, you only have the ID (SHA) and you need to be Sherlock Holmes (or Jessie Frazelle) to match it with something.
So, you can only see what is written in the manifest. Should you trust it? The manifest can be signed, using Docker Content Trust, even if the image contents themselves are not. If you need more certainty on the provenance, you probably need Notary to ensure that trust is maintained throughout the delegation chain.
Hope that answers the question.
Context
StackExchange DevOps Q#5611, answer score: 5
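The name-based check from the answer can be read out of local image metadata. The following is an added example, not part of the original answer or of Docker's own tooling; the function names and sample references are hypothetical, and it assumes the classic Docker image store, where RepoDigests is recorded only for images pulled from or pushed to a registry.

```shell
#!/bin/sh
# Added example: infer an image's likely origin from local metadata.
# Function names are hypothetical. Assumption: classic Docker image store,
# where RepoDigests is filled in only after a pull from or push to a registry.

# registry_of REF: print the registry host implied by an image reference.
# The first path component counts as a registry host only if it contains
# '.' or ':' or is "localhost"; otherwise the default registry is Docker Hub.
registry_of() {
    ref=${1%%@*}                        # drop any @sha256:... digest suffix
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   echo docker.io; return ;;  # bare name such as ubuntu:22.04
    esac
    case $first in
        *.*|*:*|localhost) echo "$first" ;;
        *)                 echo docker.io ;;
    esac
}

# classify_origin DIGESTS TAGS: both arguments are newline-separated lists
# as printed by the inspect templates in image_origin below.
classify_origin() {
    digests=$1 tags=$2
    if [ -n "$digests" ]; then
        for d in $digests; do
            echo "registry: $(registry_of "$d") ($d)"
        done
    elif [ -n "$tags" ]; then
        echo "local-only: tagged, no registry digest recorded"
    else
        echo "unknown: no repository, tag or digest (none:none)"
    fi
}

# image_origin IMAGE: needs the docker CLI and a reachable daemon.
image_origin() {
    digests=$(docker image inspect \
        --format '{{range .RepoDigests}}{{println .}}{{end}}' "$1") || return 1
    tags=$(docker image inspect \
        --format '{{range .RepoTags}}{{println .}}{{end}}' "$1") || return 1
    classify_origin "$digests" "$tags"
}
```

Call it as image_origin 12346789ABCD. The result only reports what the local metadata names; it is not a signature check.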