How do I download Docker images without using the pull command? [closed]
P

9

123

Is there a way I can download a Docker image/container using, for example, Firefox and not using the built-in docker-pull?

I am blocked by the company firewall and proxy, and I can't get a hole through it.

My problem is that I cannot use Docker to get images, that is, Docker save/pull and other Docker supplied functions since it is blocked by a firewall.

Phonogram answered 19/6, 2016 at 9:29 Comment(9)
Can you browse the internet via a proxy? If you can, Docker supports a proxy server to pull the images.Devote
I cannot get access to Docker Hub. I get an x509: Certificate signed by unknown authority. My company is using zScaler as a man-in-the-middle firewall.Phonogram
@Phonogram Why did you mark an answer as solution that is not a solution? There should be an actual solution for that. Inside docker basically also just does http downloads of files of some kind.Tillman
Possible duplicate of How to copy docker images from one host to another without via repository?Tillman
@erikbwork I have set the answer as the solution because it refers to my own solution which is added to the bottom of the answer. Also in regard to the duplicity of another question. It does not apply since the solution there is to use the docker save option which I could not use.Phonogram
Still, the accepted answer was good enough.Gage
@Phonogram I see, thanks for the response. From the question text it seems to me that save/load should work for you, since it works completely around the firewall/proxy. Have you tried setting an http-proxy.conf file for your systemd docker service? If that helps more I can create an answer for that.Tillman
@Phonogram, understood that you found an answer that works for you. Perhaps you can change the question though? The answer doesn't answer the question you originally asked. And when people search for it they will be misled.Why
@J Roysdon. My company has changed its policy to include allowing us to use the pull command, so I no longer need to have a workaround. What do you mean "the answer does not answer the question"?Phonogram
P
-1

I found that I could download the Docker file and all the necessary support files and recreate the image myself from scratch. This is essentially the same as downloading the image.

Phonogram answered 23/7, 2020 at 13:26 Comment(0)
U
92

Just an alternative - This is what I did in my organization for couchbase image where I was blocked by a proxy.

On my personal laptop (OS X)

~$ docker save couchbase > couchbase.tar
~$ ls -lh couchbase.tar
-rw-------  1 vikas  devops   556M 12 Dec 21:15 couchbase.tar
~$ xz -9 couchbase.tar
~$ ls -lh couchbase.tar.xz
-rw-r--r--  1 vikas  staff   123M 12 Dec 22:17 couchbase.tar.xz

Then, I uploaded the compressed tar ball to Dropbox and downloaded on my work machine. For some reason Dropbox was open :)

On my work laptop (CentOS 7)

$ docker load < couchbase.tar.xz


EDIT

Step one, saving the Docker image and compressing it, can be done in a one-liner like this.

docker save mydocker_image | gzip -c -9 > mydocker_image.tar.gz

Also, consider that the docker load command can import zipped images directly without prior extraction.

Unbroken answered 12/12, 2016 at 11:30 Comment(6)
Thank you; didn't know you could save an image into a tar ball. I will try this.Phonogram
this is a workaround, and not answering the OP's question directlyStairway
Thank you, this worked for me! Just a note, you will have to first pull the image using docker pull couchbase, before running the docker save command (otherwise docker save will have no reference image to find)Blasphemy
This doesn't answer the question, which was specifically how to save an image WITHOUT doing a docker pull first. From everything I can tell, docker save only works for local images. So you have to do a pull first.Why
On Windows I used docker save couchbase --output couchbase.tar otherwise the tar only included one of the layersSelfliquidating
@muthuh - I use a combination of Linux VM, Mac and Windows depending on the task and company restrictions :)Unbroken
M
35

I just had to deal with this issue myself - downloading an image from a restricted machine with Internet access, but no Docker client, for use on another restricted machine with the Docker client, but no Internet access. I posted my question to the DevOps Stack Exchange site:

With help from the Docker Community I was able to find a resolution to my problem. What follows is my solution.


So it turns out that the Moby Project has a shell script on the Moby GitHub account which can download images from Docker Hub in a format that can be imported into Docker:

The usage syntax for the script is given by the following:

download-frozen-image-v2.sh target_dir image[:tag][@digest] ...

The image can then be imported with tar and docker load:

tar -cC 'target_dir' . | docker load

To verify that the script works as expected, I downloaded an Ubuntu image from Docker Hub and loaded it into Docker:

user@host:~$ bash download-frozen-image-v2.sh ubuntu ubuntu:latest
user@host:~$ tar -cC 'ubuntu' . | docker load
user@host:~$ docker run --rm -ti ubuntu bash
root@1dd5e62113b9:/#

In practice I would have to first copy the data from the Internet client (which does not have Docker installed) to the target/destination machine (which does have Docker installed):

user@nodocker:~$ bash download-frozen-image-v2.sh ubuntu ubuntu:latest
user@nodocker:~$ tar -C 'ubuntu' -cf 'ubuntu.tar' .
user@nodocker:~$ scp ubuntu.tar user@hasdocker:~

and then load and use the image on the target host:

user@hasdocker:~$ docker load -i ubuntu.tar
user@hasdocker:~$ docker run --rm -ti ubuntu bash
root@1dd5e62113b9:/#
Mccubbin answered 3/12, 2017 at 23:54 Comment(2)
I can download ubuntu:latest but that is it! Everything else seems to need a "digest" key, but I have no idea how to find that key. (error 401 Unauthorized)Mcgary
I can confirm that, only ubuntu seems to work. Also, I had to change the script: registryBase='https://index.docker.io'.Zsolway
A
28

I adapted a Python script for having an OS-independent solution: docker-drag

Use it like this, and it will create a TAR archive that you will be able to import using docker load:

python docker_pull.py hello-world
python docker_pull.py alpine:3.9
python docker_pull.py kalilinux/kali-linux-docker
Ay answered 12/3, 2019 at 9:43 Comment(5)
Any ideas? ``` 70de4b41273e: Pull complete [171] Traceback (most recent call last): File "docker_pull.py", line 86, in <module> file.write(unzLayer.read()) File "/usr/lib/python2.7/gzip.py", line 261, in read self._read(readsize) File "/usr/lib/python2.7/gzip.py", line 303, in _read self._read_gzip_header() File "/usr/lib/python2.7/gzip.py", line 197, in _read_gzip_header raise IOError, 'Not a gzipped file'```Stairway
it seems the script is deprecated now. I got 'Not a gzipped file' errorAim
@Stairway this is because your internet connection was too slow so the token expired. I will handle re-authentication for such cases. Also, the script isn't deprecated and is still working, please open an issue with the error if you have any trouble. I'll fix it.Ay
This is great! I have problems pulling docker images on my network. I use this script to download the image on Google Colab and then download the tar file from colab to my local computer.Lorenzoloresz
It was okay some days ago, but now I get the following error: Traceback (most recent call last): File "/content/docker-drag/docker_pull.py", line 87, in <module> layers = resp.json()['layers'] KeyError: 'layers'Lorenzoloresz
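Added example (not part of the original answer, and not code from docker-drag): a registry can answer a manifest request with a multi-platform index, which carries `manifests` instead of `layers`, and a script that fetches blobs itself should check each one against the sha256 digest named in the manifest. The sketch below resolves either response shape to its layer digests and verifies everything it fetches; the `fetch` callback and all sample data are constructed for illustration.

```python
import hashlib
import json

def digest_of(data: bytes) -> str:
    """Content digest in the registry's 'sha256:<hex>' form."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def fetch_verified(fetch, digest: str) -> bytes:
    """fetch(digest) -> bytes is a hypothetical callback standing in for the HTTP GET."""
    data = fetch(digest)
    if digest_of(data) != digest:
        raise ValueError(f"digest mismatch for {digest}")
    return data

def resolve_layers(raw: bytes, fetch, os_name="linux", arch="amd64") -> list:
    """Return layer digests from a manifest response, following an index if needed."""
    doc = json.loads(raw)
    if "errors" in doc:  # registry error body, e.g. an expired token
        raise RuntimeError(doc["errors"][0].get("code", "UNKNOWN"))
    if "manifests" in doc:  # manifest list / OCI index: there is no 'layers' key here
        for entry in doc["manifests"]:
            plat = entry.get("platform", {})
            if plat.get("os") == os_name and plat.get("architecture") == arch:
                doc = json.loads(fetch_verified(fetch, entry["digest"]))
                break
        else:
            raise LookupError(f"no manifest for {os_name}/{arch}")
    return [layer["digest"] for layer in doc["layers"]]

def download_layers(raw: bytes, fetch) -> list:
    """Fetch every layer of the image, verifying each against its digest."""
    return [fetch_verified(fetch, d) for d in resolve_layers(raw, fetch)]

# --- constructed sample data (not real registry content) ---
LAYER = b"constructed layer bytes"
MANIFEST = json.dumps({
    "layers": [{"digest": digest_of(LAYER), "size": len(LAYER)}],
}).encode()
INDEX = json.dumps({
    "manifests": [
        {"digest": "sha256:" + "0" * 64, "platform": {"os": "linux", "architecture": "arm64"}},
        {"digest": digest_of(MANIFEST), "platform": {"os": "linux", "architecture": "amd64"}},
    ],
}).encode()
STORE = {digest_of(MANIFEST): MANIFEST, digest_of(LAYER): LAYER}

if __name__ == "__main__":
    print(resolve_layers(INDEX, STORE.__getitem__))
```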
G
6

Use Skopeo. It is a tool specifically made for that (and other) purposes.

After installing, simply execute:

mkdir ubuntu
skopeo --insecure-policy copy docker://ubuntu dir:./ubuntu

Copy these files and import as you like.

Gwendolyngweneth answered 12/11, 2020 at 17:4 Comment(0)
G
2

First, check if your Docker daemon is configured for using the proxy. With boot2docker and docker-machine, for instance, this is done on docker-machine create, with the --engine-env option.

If this is just a certificate issue (i.e., Firefox does access Docker Hub), try and install that certificate:

openssl s_client -connect index.docker.io:443 -showcerts </dev/null | openssl x509 -outform PEM > docker.pem
sudo cp docker.pem /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust
sudo systemctl restart docker
sudo docker run hello-world

The other workaround (not a recommended solution) would be to access Docker Hub without relying on certificate with --insecure-registry:

If the firewall is actively blocking any Docker pull, to the point you can't even access Docker Hub from Firefox, then you would need to docker save/docker load an image archive. Save it from a machine where you did access Docker Hub (and where the docker pull succeeded). Load it on your corporate machine (after approval of your IT system administrators, of course).

Note: you cannot easily "just" download an image, because it is often based on top of other images which you would need to download too. That is what docker pull does for you. And that is what docker save does too (create one archive composed of all the necessary images).

The OP Ephreal adds in the comments:

[I] didn't get my corp image to work either. But I found that I could download the Docker file and recreate the image myself from scratch. This is essentially the same as downloading the image.

Gage answered 19/6, 2016 at 11:43 Comment(7)
So the answer to my question is no.Phonogram
@Phonogram I have edited the answer to add the certificate installation. Can you browse hub.docker.com or index.docker.io (which should redirect to docker hub)?Gage
Well, I tried that, but zScaler is a man-in-the-middle. Every transaction is done through them and we only ever see our TLS connection to them. And no, Firefox cannot access the internet either. I have made my own VM now with a corp image of Linux and am installing Docker on it. What I tried before was using Docker through Windows, in which case it uses its own slim Linux VM.Phonogram
@Phonogram OK (Windows does use indeed boot2docker based on TinyCore). Looks like docker save/load is the way for you to import images then.Gage
Well, didn't get my corp image to work either, but I found that I could download the docker file and recreate the image myself from scratch. This is essentially the same as downloading the image.Phonogram
@Phonogram Great! I have included your solution in the answer for more visibility.Gage
Oh, buddy! Thanks for the tip on how to dump the cert to the local file system! You just saved my time!Katricekatrina
R
1

So, by definition, a Docker pull client command actually needs to talk to a Docker daemon, because the Docker daemon assembles layers one by one for you.

Think of it as a POST request - it's causing a mutation of state, in the Docker daemon itself. You're not 'pulling' anything over HTTP when you do a pull.

You can pull all the individual layers over REST from the Docker registry, but that won't actually be the same semantics as a pull, because pull is an action that specifically tells the daemon to go and get all the layers for an image you care about.

Runnel answered 11/1, 2018 at 15:7 Comment(0)
G
1

Another possibility might be an option for you if your company firewall (and policy) allows for connecting to a remote SSH server. In that case you can simply set up an SSH tunnel to tunnel any traffic to the Docker registry through it.

Gonsalves answered 7/11, 2018 at 0:47 Comment(0)
S
0

Thanks @Ham Co for the answer.
I adapted a Golang tool for having an OS-independent solution:
golang http pull docker image

./gopull download redis

get a docker importable archive redis.tar

References:
https://github.com/NotGlop/docker-drag

Servility answered 24/6, 2022 at 6:5 Comment(1)
ahdr, a link to a solution is welcome, but please ensure your answer is useful without it: add context around the link so your fellow users will have some idea what it is and why it is there, then quote the most relevant part of the page you are linking to in case the target page is unavailable. Answers that are little more than a link may be deleted.Propound