How do I download Docker images without using the pull command?

docker docker-registry

Is there a way I can download a Docker image/container using, for example, Firefox and not using the built-in docker-pull.

I am blocked by the company firewall and proxy, and I can't get a hole through it.

My problem is that I cannot use Docker to get images, that is, Docker save/pull and other Docker supplied functions since it is blocked by a firewall.


Solution 1:

Just an alternative - This is what I did in my organization for couchbase image where I was blocked by a proxy.

On my personal laptop (OS X)

~$ $ docker save couchbase > couchbase.tar
~$ ls -lh couchbase.docker
-rw-------  1 vikas  devops   556M 12 Dec 21:15 couchbase.tar
~$ xz -9 couchbase.tar
~$ ls -lh couchbase.tar.xz
-rw-r--r--  1 vikas  staff   123M 12 Dec 22:17 couchbase.tar.xz

Then, I uploaded the compressed tar ball to Dropbox and downloaded on my work machine. For some reason Dropbox was open :)

On my work laptop (CentOS 7)

$ docker load < couchbase.tar.xz

References

  • https://docs.docker.com/engine/reference/commandline/save/
  • https://docs.docker.com/engine/reference/commandline/load/

Solution 2:

I just had to deal with this issue myself - downloading an image from a restricted machine with Internet access, but no Docker client for use on a another restricted machine with the Docker client, but no Internet access. I posted my question to the DevOps Stack Exchange site:

  • Downloading Docker Images from Docker Hub without using Docker

With help from the Docker Community I was able to find a resolution to my problem. What follows is my solution.

So it turns out that the Moby Project has a shell script on the Moby GitHub account which can download images from Docker Hub in a format that can be imported into Docker:

  • download-frozen-image-v2.sh

The usage syntax for the script is given by the following:

download-frozen-image-v2.sh target_dir image[:tag][@digest] ...

The image can then be imported with tar and docker load:

tar -cC 'target_dir' . | docker load

To verify that the script works as expected, I downloaded an Ubuntu image from Docker Hub and loaded it into Docker:

user@host:~$ bash download-frozen-image-v2.sh ubuntu ubuntu:latest
user@host:~$ tar -cC 'ubuntu' . | docker load
user@host:~$ docker run --rm -ti ubuntu bash
root@1dd5e62113b9:/#

In practice I would have to first copy the data from the Internet client (which does not have Docker installed) to the target/destination machine (which does have Docker installed):

user@nodocker:~$ bash download-frozen-image-v2.sh ubuntu ubuntu:latest
user@nodocker:~$ tar -C 'ubuntu' -cf 'ubuntu.tar' .
user@nodocker:~$ scp ubuntu.tar user@hasdocker:~

and then load and use the image on the target host:

user@hasdocker:~ docker load -i ubuntu.tar
user@hasdocker:~ docker run --rm -ti ubuntu bash
root@1dd5e62113b9:/#

Solution 3:

I adapted a python script for having an OS independant solution: docker-drag

Use it like that, and it will create a TAR archive that you will be able to import using docker load :

python docker_pull.py hello-world
python docker_pull.py alpine:3.9
python docker_pull.py kalilinux/kali-linux-docker

Solution 4:

First, check if your Docker daemon is configured for using the proxy. With boot2docker and docker-machine, for instance, this is done on docker-machine create, with the --engine-env option.

If this is just a certificate issue (i.e., Firefox does access Docker Hub), try and install that certificate:

openssl s_client -connect index.docker.io:443 -showcerts /dev/null | openssl x509 -outform PEM > docker.pem
sudo cp docker.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
sudo systemctl restart docker
sudo docker run hello-world

The other workaround (not a recommended solution) would be to access Docker Hub without relying on certificate with --insecure-registry:

If the firewall is actively blocking any Docker pull, to the point you can't even access Docker Hub from Firefox, then you would need to docker save/docker load an image archive. Save it from a machine where you did access Docker Hub (and where the docker pull succeeded). Load it on your corporate machine (after approval of your IT system administrators, of course).

Note: you cannot easily "just" download an image, because it is often based on top of other images which you would need to download too. That is what docker pull does for you. And that is what docker save does too (create one archive composed of all the necessary images).

The OP Ephreal adds in the comments:

[I] didn't get my corp image to work either. But I found that I could download the Docker file and recreate the image my self from scratch. This is essentially the same as downloading the image.

Related

How to set up ES cluster?
Does switch case order affect speed? [duplicate]
Max number of goroutines
Java GC: why two survivor regions?
Breaking space (opposite of non-breaking space)
C# method naming conventions: ToSomething vs. AsSomething
How to use zIndex in react-native
Grep and Python
How to add message box with 'OK' button?
What does the times mean in Google Chrome's timeline in the network panel?
What's the difference between GEM_HOME and GEM_PATH?
How to list all CMake build options and their default values?