Inspecting container images with ctr
Today I learned about the ctr tool, an internal demonstration client for containerd written by its developers. containerd is a widely used container runtime.
The tool has some interesting practical capabilities: for me the most useful one is the ability to mount an image as a filesystem on the host, because I need to inspect Docker images from time to time.
Inspecting container image fs
On a Linux system you almost certainly have containerd if you have Docker installed.
The gotcha here is that you need to pull the image for containerd even if you already have it in Docker:
```bash
# Pull the image you want to inspect
sudo ctr image pull mirror.gcr.io/library/nginx:latest
# Create mount point
mkdir /tmp/container-root
# Mount image
sudo ctr image mount mirror.gcr.io/library/nginx:latest /tmp/container-root
```
Now you can browse the fs and use all your favourite (and even fancy) tools:
```bash
# You can show files
ls -la /tmp/container-root/
total 20
drwxr-xr-x 1 root root 38 Aug 12 22:15 ./
drwxrwxrwt 13 root root 380 Aug 12 22:45 ../
lrwxrwxrwx 1 root root 7 Jul 21 02:00 bin -> usr/bin/
drwxr-xr-x 1 root root 0 May 9 16:50 boot/
drwxr-xr-x 1 root root 0 Jul 21 02:00 dev/
-rwxr-xr-x 1 root root 1620 Jul 22 03:12 docker-entrypoint.sh*
...
drwxr-xr-x 1 root root 22 Jul 21 02:00 var/
# Directory size
cd /tmp/container-root/ && sudo du -h -d 1 .
0 ./boot
0 ./dev
2.3M ./etc
0 ./home
0 ./media
0 ./mnt
0 ./opt
0 ./proc
8.0K ./root
0 ./run
0 ./srv
0 ./sys
0 ./tmp
187M ./usr
7.8M ./var
20K ./docker-entrypoint.d
197M .
# Lookup only huge dirs
cd /tmp/container-root/ && sudo dust -D -z 150MB .
186M ┌── usr│███████████████████████████████████████████ │ 95%
196M ┌─┴ . │█████████████████████████████████████████████ │ 100%
```
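
As an added example (not from the original post), here is a POSIX shell function that walks the mounted root without following symlinks and reports setuid/setgid files, world-writable files and directories, and absolute symlinks, which on the host resolve against the host's root rather than the image's. The name `audit_rootfs` and the output labels are this example's own choices; run it with sudo if the image contains files your user cannot read.

```sh
#!/bin/sh
# Added example: audit a mounted image root without following symlinks.
# audit_rootfs and its output labels are this example's own names.
# Paths containing newlines are not handled.

# Usage: audit_rootfs /tmp/container-root
# Prints sorted findings, one per line: "<LABEL> <path relative to the root>".
audit_rootfs() (
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 2; }
    cd "$root" || exit 2
    {
        # find without -L never follows symlinks and -xdev stays on the
        # mounted filesystem, so the walk stays inside the image.
        # Setuid or setgid regular files.
        find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed -n 's|^\./|SUID_SGID |p'
        # World-writable regular files.
        find . -xdev -type f -perm -0002 -print |
            sed -n 's|^\./|WORLD_WRITABLE |p'
        # World-writable directories without the sticky bit.
        find . -xdev -type d -perm -0002 ! -perm -1000 -print |
            sed -n 's|^\./|WORLD_WRITABLE_DIR |p'
        # Absolute symlinks: on the host these resolve against the host's
        # root, not the image's, so cat or ls -L would show host files.
        find . -xdev -type l -print | while IFS= read -r link; do
            target=$(readlink "$link")
            case "$target" in
                /*) printf 'ABS_SYMLINK %s -> %s\n' "${link#./}" "$target" ;;
            esac
        done
    } | LC_ALL=C sort
)
```
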
After all the fuss, don't forget to unmount the image:
```bash
sudo ctr images unmount --rm=true /tmp/container-root/
```