How to inspect a docker image in docker hub?

Question

Is there a way to do docker inspect for an image that exists on docker hub and wasn't pulled locally?

I'm a bit confused about the usage of the docker cli when it comes to docker hub. I can docker login, but then can't use that login to perform any remote action other than pull or push.

Answer 1

As per the docker hub documentation -

Docker itself provides access to Docker Hub services via the docker search, pull, login, and push commands.

It does not look like you can do a docker inspect without pulling one image

Answer 2

There's an API to do this. Docker provided their registry 2 API, and more recently, the OCI distribution-spec was released. This covers how to query the registry for the manifest and blobs. And in the registry, what you are most likely looking for is in the config blob, which is json formatted and have almost all the same fields you see in the docker inspect.

What's less covered is authentication, and that can get a bit complicated depending on the registry. Docker Hub uses bearer tokens, so an example script that pulls the manifest and then the config with an anonymous bearer token looks like:

#!/bin/sh

ref="${1:-library/ubuntu:latest}"
repo="${ref%:*}"
tag="${ref##*:}"
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull"
 \
        | jq -r '.token')
digest=$(curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
              -H "Authorization: Bearer $token" \
              -s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}" \
         | jq -r .config.digest)
curl -H "Accept: application/vnd.docker.container.image.v1+json" \
     -H "Authorization: Bearer $token" \
     -s -L "https://registry-1.docker.io/v2/${repo}/blobs/${digest}" | jq .

There are a variety of tools that do all of these API calls for you. Off the top of my head are:

• RedHat's Skopeo
• go-containerregistry's crane CLI
• regclient's regctl CLI

I'm a bit biased as the author of regclient. The resulting command there looks like:

$ regctl image inspect localhost:5000/library/alpine:latest
{
  "created": "2021-08-27T17:19:45.758611523Z",
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Env": [
      "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    ],
    "Cmd": [
      "/bin/sh"
    ]
  },
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:e2eb06d8af8218cfec8210147357a68b7e13f7c485b991c288c2d01dc228bb68"
    ]
  },
  "history": [
    {
      "created": "2021-08-27T17:19:45.553092363Z",
      "created_by": "/bin/sh -c #(nop) ADD file:aad4290d27580cc1a094ffaf98c3ca2fc5d699fe695dfb8e6e9fac20f1129450 in / "
    },
    {
      "created": "2021-08-27T17:19:45.758611523Z",
      "created_by": "/bin/sh -c #(nop)  CMD [\"/bin/sh\"]",
      "empty_layer": true
    }
  ]
}