Menu
I'm trying to get the labels of an image without pulling it.
For example: in docker-hub, on my username (stavalfi), in repo: projecty: https://hub.docker.com/v2/repositories/stavalfi/projecty/tags
I want to get all the labels of this image.
Following this guide: https://hackernoon.com/inspecting-docker-images-without-pulling-them-4de53d34a604
and this: https://docs.docker.com/registry/spec/api/#pulling-a-layer
I tried to reach to: http://$REGISTRY_ADDRESS/v2/$image/blobs/$digest:
https://hub.docker.com/v2/stavalfi/projecty/blobs/sha256:7701c1411c0e438c5bfb1d7b4c1f337ee75b4a3a1d8492fc3b608cdc2b320a9d
but the result is a 404.
What is the problem?
I can't use skopeo because it can't inspect registries with an HTTP connection (insecure).
657
You can just create a new file name, dockertags , under /usr/local/bin (or add a PATH env to your . bashrc / . zshrc ), and put that code in it. Then add the executable permissions( chmod +x dockertags ).
List images by name and tag. The docker images command takes an optional [REPOSITORY[:TAG]] argument that restricts the list to images that match the argument. If you specify REPOSITORY but no TAG , the docker images command lists all images in the given repository.
You can find the labels in the first layer of the docker manifest:
$ repo=stavalfi/k8test-monitoring
$ token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
$ curl -s -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/manifests/latest" \
| jq ".history[0].v1Compatibility" -r | jq .config.Labels
{
"latest-hash": "dc971f310bd0b172fd0379cc9a1810f209c9a9604a28da14cef36457",
"latest-tag": "1.3.4"
}
Update: the v2 registry API is a bit cleaner, but needs one more curl:
$ repo=stavalfi/k8test-monitoring
$ token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
$ digest=$(curl -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/manifests/latest" \
| jq .config.digest -r)
$ curl -s -L -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -H "Authorization: Bearer $token" "https://registry-1.docker.io/v2/${repo}/blobs/$digest" \
| jq .config.Labels
{
"latest-hash": "dc971f310bd0b172fd0379cc9a1810f209c9a9604a28da14cef36457",
"latest-tag": "1.3.4"
}
For a more generic use case, here's a script to pull the config of any public image on docker hub without downloading the full image:
#!/bin/sh
repo=${1:-library/ubuntu}
tag=${2:-latest}
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
| jq -r '.token')
digest=$(curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}" | jq -r .config.digest)
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Bearer $token" \
-s -L "https://registry-1.docker.io/v2/${repo}/blobs/${digest}" | jq .
Just make sure to include the "library" prefix for official images:
$ ./get-config-v2.sh library/alpine 3.9
{
"architecture": "amd64",
"config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
],
"ArgsEscaped": true,
"Image": "sha256:186eda4636e895d982896312666e472a2d62aab1490608701e1b3438ac6649e7",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
....
Since this answer was first posted, I've also created regclient which includes the command regctl. This handles authentication, allows you to configure a registry without TLS or with a self signed certificate, resolves multi-platform images, and includes support for Go templates to extract the specific fields you want:
$ regctl image config regclient/regsync:latest --format '{{ jsonPretty .Config.Labels }}'
{
"maintainer": "",
"org.opencontainers.image.authors": "Regclient contributors",
"org.opencontainers.image.created": "2021-04-02T18:55:09Z",
"org.opencontainers.image.description": "",
"org.opencontainers.image.documentation": "https://github.com/regclient/regclient",
"org.opencontainers.image.licenses": "Apache 2.0",
"org.opencontainers.image.revision": "5a6a1d95524b9c1c2d38a5af7ab744742f8d55e9",
"org.opencontainers.image.source": "git://github.com/regclient/regclient.git",
"org.opencontainers.image.title": "regsync",
"org.opencontainers.image.url": "https://github.com/regclient/regclient",
"org.opencontainers.image.vendor": "",
"org.opencontainers.image.version": "v0.3.0"
}
this worked for me, you can try this
curl 'https://registry.hub.docker.com/v2/repositories/< username>/<repo>/tags/'|jq '."results"[]["name"]'
regarding blob, token need to be generated then use this token for blob
export TOKEN=\
"$(curl \
--silent \
--header 'GET' \
"https://auth.docker.io/token?
service=registry.docker.io&scope=repository:<username>/<repo>:pull,push" \
| jq -r '.token' \
)"
now get the manifest of the image
curl \
--silent \
--request 'GET' \
--header "Authorization: Bearer ${TOKEN}" \
'https://registry-1.docker.io/v2/<username>/<repo>/manifests/<latest>' \
| jq '.'
now get the blob for that image
curl \
--silent \
--request 'GET' \
--header "Authorization: Bearer ${TOKEN}" \
"https://registry-1.docker.io/v2/<username>/<repo>/manifests/19" \
| jq -r '.fsLayers[].blobSum'
the above command gives the list of digests which can be used to fetch the image
set the following variable
DIGEST=<SHA:somevalue>
curl \
--silent \
--location \
--request GET \
--header "Authorization: Bearer ${TOKEN}" \
"https://registry-1.docker.io/v2/<username>/<repo>/blobs/${DIGEST}" >
"${DIGEST/*:/}.gz"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
