The following site states that the Docker image 'amazon-ecs-sample' is based on Amazon Linux 2:
https://hub.docker.com/r/amazon/amazon-ecs-sample/tags
"Sample PHP application running on Amazon Linux 2, used as a demo application for Amazon ECS"
However, when I run the docker image inspect command, there is no mention of Amazon Linux 2.
The following line, which relates to the image layers, may be relevant, but I do not understand it:
ADD file:3cf811fe5073384ff1d5f405992ef7e5e452ad6d4a4cb873eee65007382f3a4a in /
% docker image inspect amazon/amazon-ecs-sample
[
{
"Id": "sha256:2d0c3b6b1a9b0f6a8bfc156261056589416ca50279e058cea8d184647fef646a",
"RepoTags": [
"amazon/amazon-ecs-sample:latest"
],
"RepoDigests": [
"amazon/amazon-ecs-sample@sha256:36c7b282abd0186e01419f2e58743e1bf635808231049bbc9d77e59e3a8e4914"
],
"Parent": "",
"Comment": "",
"Created": "2019-07-02T17:52:58.2707374Z",
"Container": "adef4c75541b87a0c488d24040078994831dcc051b29863af42d91e047376ab2",
"ContainerConfig": {
"Hostname": "adef4c75541b",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"APACHE_RUN_USER=apache",
"APACHE_RUN_GROUP=apache",
"APACHE_LOG_DIR=/var/log/apache2"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"CMD [\"/usr/sbin/apache2\" \"-D\" \"FOREGROUND\"]"
],
"ArgsEscaped": true,
"Image": "sha256:43a26786e7a6bcb6fa2bbc2e19ae29a1051d17a9599d13e3a4c9fa3535151003",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {}
},
"DockerVersion": "18.09.2",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"ExposedPorts": {
"80/tcp": {}
},
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"APACHE_RUN_USER=apache",
"APACHE_RUN_GROUP=apache",
"APACHE_LOG_DIR=/var/log/apache2"
],
"Cmd": [
"/usr/sbin/apache2",
"-D",
"FOREGROUND"
],
"ArgsEscaped": true,
"Image": "sha256:43a26786e7a6bcb6fa2bbc2e19ae29a1051d17a9599d13e3a4c9fa3535151003",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 398000155,
"VirtualSize": 398000155,
"GraphDriver": {
"Data": {
"LowerDir": "/var/lib/docker/overlay2/34f3446d7a5fe0d41f7621aacf45efd3efb039a35cb811b3ac34bf851a0bb626/diff:/var/lib/docker/overlay2/ea8296aa2c448d3c6cb9c49853253b2fe17161cc82a851575518d871c755a284/diff:/var/lib/docker/overlay2/8de060e3d50b6acfc86910d97cd848cbe41bca4e498cbc11b6c14ca2d9ef9076/diff",
"MergedDir": "/var/lib/docker/overlay2/4657e5ba9af16308664f487f5cc0f03b9e1cc20188064ad16865736844ab9600/merged",
"UpperDir": "/var/lib/docker/overlay2/4657e5ba9af16308664f487f5cc0f03b9e1cc20188064ad16865736844ab9600/diff",
"WorkDir": "/var/lib/docker/overlay2/4657e5ba9af16308664f487f5cc0f03b9e1cc20188064ad16865736844ab9600/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:f387c8b346c85cae37abd1f1a63015acb69f593dc425d0269f57d1012c3a81f6",
"sha256:0079253c95d947e34db7f7ee7502f201690f705e45dbad32dc6a199b2c0ea3e5",
"sha256:06b41922fec5c9dbba69b013bee9a2d1c4a41b1d2e719d1045afd39e55e60eff",
"sha256:08b5344ac5932393d503b2744792eb260522af40b9e07da0aa23ab0f7fe9efaa"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
Here is ChatGPT's response. Is it really impossible to verify the base image?
Indeed, /etc/os-release can be easily tampered with and it is not a reliable method to determine the base image from which a Docker image has been built.
As you've suggested, to verify whether a Docker image has been built from an official base image, it is important to ensure that the image was sourced from an official repository. Docker images are typically pulled from official Docker Hub repositories or other trusted repositories.
However, there aren't generally tools or means to directly verify an image's base image. This is a common challenge related to Docker's security and transparency, and it forms part of the strategies to ensure the trustworthiness and integrity of Docker images.
Securing some level of trust and security in the image can be achieved by sourcing your images from trusted sources, setting up notifications for when that image is updated, and where possible, inspecting the Dockerfile of the image.
Nevertheless, these measures do not 100% guarantee that an image is built from a trusted base image. As such, maintaining the trustworthiness and security of the Docker images you use requires ongoing management and monitoring.
1 Answer
Regarding the ADD line: it takes a file from the current build context and adds it to the image. Unlike COPY, ADD can also extract a tarball before adding it to the image, so we can assume that the command ADD file:3cf811fe5073384ff1d5f405992ef7e5e452ad6d4a4cb873eee65007382f3a4a in / basically extracts a tarball and adds its contents at the root directory.
Which OS? If you run cat /etc/os-release inside the container, it gives you the output below. Although ChatGPT's answer is valid, is there any reason to distrust AWS?