Base container image
This project uses a CentOS and Alpine official container image and as the common base image layer for building images.
See the license information for details on licenses and software package types.
As with all container images, the base container image likely also contains other software (such as bash, glibc, zlib, etc. from the base distribution, along with any direct or indirect dependencies of the primary software included in the built image) which may be subject to other licenses.
The following links provide auto-detected license information for the these official images:
For example, you can find the information of the artifacts of the centos:7.9.2009 and alpine:3.15 official image.
As with any image, it is the image user's responsibility to ensure that any use of the image complies with all relevant licenses for all software contained within.
Additional software packages
Building images often installs additional software packages (fetched from the official distro software repositories, from other user added repositories or from specific locations) in addition to the packages already provided by the base image. You can inspect the Dockerfiles to identify these additional packages.
For example, inspecting the Local Edition Dockerfiles located at docker-build/tmgc in the installer, provides a list of packages that will be installed in the image as specified in the Dockerfile. Please note that each such specified package may, in turn, automatically install other software packages as dependencies.
Manually retrieve installed packages information
You can inspect a container image and retrieve its contents with standard container and package management tools.
Note: There are different ways to extract the list of installed packages and other installed artifacts. Providing detailed instructions on software license analysis specialized tools is outside the scope of this document. Retrieving information on software artifacts other than software packages installed with the package manager tools is also outside the scope of this document.
centos
You can retrieve the full list of installed packages in a container image using the yum list installed command.
For example, to retrieve the installed packages in the centos:7.9.2009 image:
$ docker run --rm centos:7.9.2009 yum list installed
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
* base: mirrors.nxtgen.com
* extras: mirrors.nxtgen.com
* updates: repo.extreme-ix.org
base | 3.6 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
(1/4): extras/7/x86_64/primary_db | 247 kB 00:00
(2/4): base/7/x86_64/group_gz | 153 kB 00:06
(3/4): base/7/x86_64/primary_db | 6.1 MB 00:07
(4/4): updates/7/x86_64/primary_db | 16 MB 00:11
Installed Packages
acl.x86_64 2.2.51-15.el7 @CentOS
audit-libs.x86_64 2.8.5-4.el7 @CentOS
basesystem.noarch 10.0-7.el7.centos @CentOS
bash.x86_64 4.2.46-34.el7 @CentOS
bc.x86_64 1.06.95-13.el7 @CentOS
bind-license.noarch 32:9.11.4-26.P2.el7 @CentOS
binutils.x86_64 2.27-44.base.el7 @CentOS
bzip2-libs.x86_64 1.0.6-13.el7 @CentOS
ca-certificates.noarch 2020.2.41-70.0.el7_8 @CentOS
centos-release.x86_64 7-9.2009.0.el7.centos @CentOS
chkconfig.x86_64 1.7.6-1.el7 @CentOS
coreutils.x86_64 8.22-24.el7 @CentOS
cpio.x86_64 2.11-28.el7 @CentOS
cracklib.x86_64 2.9.0-11.el7 @CentOS
cracklib-dicts.x86_64 2.9.0-11.el7 @CentOS
cryptsetup-libs.x86_64 2.0.3-6.el7 @CentOS
...
alpine
You can retrieve the full list of installed packages in a container image using the apk list -I command.
For example, to retrieve the installed packages in the alpine:3.15 image:
$ docker run --rm alpine:3.15 apk list -I
libretls-3.3.4-r3 x86_64 {libretls} (ISC AND (BSD-3-Clause OR MIT)) [installed]
musl-1.2.2-r7 x86_64 {musl} (MIT) [installed]
zlib-1.2.12-r1 x86_64 {zlib} (Zlib) [installed]
apk-tools-2.12.7-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
musl-utils-1.2.2-r7 x86_64 {musl} (MIT BSD GPL2+) [installed]
libssl1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [installed]
alpine-baselayout-3.2.0-r18 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
busybox-1.34.1-r7 x86_64 {busybox} (GPL-2.0-only) [installed]
scanelf-1.3.3-r0 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ca-certificates-bundle-20211220-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
ssl_client-1.34.1-r7 x86_64 {busybox} (GPL-2.0-only) [installed]
libcrypto1.1-1.1.1q-r0 x86_64 {openssl} (OpenSSL) [installed]
...
Manually retrieve installed packages licenses
centos
You can retrieve the license for any package using the rpm command.
For example, to retrieve license information for the installed package curl:
$ docker run --rm centos:7.9.2009 rpm -qa --qf "%{name}:%{version}t %{license}t %{URL}n" curl
curl:7.29.0 MIT http://curl.haxx.se/
alpine
You can retrieve the license for any package using the apk info --license command.
For example, to retrieve license information for the installed package musl:
docker run ?rm alpine:3.15 apk info --license musl
musl-1.2.2-r7 license:
MIT
Manually retrieve installed packages sources
centos
You can retrieve the source for any package using the rpm command.
For example, to retrieve the apt source for the installed package curl:
$ docker run --rm centos:7.9.2009 rpm -qa --qf '%{NAME}:%{VERSION}t%{SOURCERPM}t%{SIGPGP:pgpsig}t%{SIGGPG:pgpsig}n' curl
curl:7.29.0 curl-7.29.0-59.el7.src.rpm RSA/SHA256, Wed Oct 14 18:47:41 2020, Key ID 24c6a8a7f4a80eb5 (none)
alpine
The APKBUILD files for all alpine packages is available in the aports repository.
For example, the source packages for alpine:3.15 main can be found here.
Manually retrieve installed files
It is possible to extract the contents of a container for further inspection using the docker command.
One way is creating a temporal container, called temp-container that will be based on the unknown-image:latest image.
docker create --name temp-container unknown-image:latest
Note: Creating a new container from an image allows to inspect it without running the container.
Now it is possible to extract the container filesystem as a tar file:
docker export temp-container > temp-container.tar
If you prefer to directly extract the files list without creating a tar archive:
docker export temp-container | tar t > temp-container-files.txt
Another way to inspect the image contents is to use the docker image save command:
docker image save unknown-image:latest > temp-image.tar
For more information, see the Docker CLI documentation.
The first method, creating and exporting the contents of a stopped container, is a direct way to extract the image?s final filesystem, the composite view of a container instance.
The second method produces an archive that exposes the image format, not the containers created from it. The tar will include a manifest.json file, describing the image?s layers, and a set of separate directories containing the content of each of the individual layers. This is helpful when you?re evaluating each layer?s role in building the image.
For details on the container image format, see the OCI image format specification.
The diagram below illustrates the differences between the layered view and the composite view of a container image.
Recommended Comments
There are no comments to display.
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now