`dissect.target.plugins.apps.container.docker`¶

Module Contents¶

Classes¶

DockerPlugin

Parse Docker Daemon artefacts.

Functions¶

`get_data_path`	Returns the configured Docker daemon data-root path.
`find_installs`	Attempt to find additional configured and existing Docker daemon data-root folders.
`convert_timestamp`	Docker sometimes uses (unpadded) 9 digit nanosecond precision
`convert_ports`	Depending on the state of the container (turned on or off) we
`hash_to_image_id`	Convert the hash to an abbrevated docker image id.
`strip_log`	Remove ANSI escape sequences from a given input string.

Attributes¶

`log`
`DockerContainerRecord`
`DockerImageRecord`
`DockerLogRecord`
`local_def`
`c_local`
`RE_DOCKER_NS`
`RE_ANSI_ESCAPE`
`ASCII_MAP`

dissect.target.plugins.apps.container.docker.log¶

dissect.target.plugins.apps.container.docker.DockerContainerRecord¶

dissect.target.plugins.apps.container.docker.DockerImageRecord¶

dissect.target.plugins.apps.container.docker.DockerLogRecord¶

dissect.target.plugins.apps.container.docker.local_def = Multiline-String¶

Show Value

"""
struct entry {
    uint32   header;

    // source
    uint8    s_type;        // 0x0a
    varint   s_len;         // 0x06
    char     source[s_len]; // stdout or stderr

    // timestamp
    uint8    t_type;        // 0x10
    varint   ts;            // timestamp in ums

    // message
    uint8    m_type;        // 0x1a
    varint   m_len;         // message length
    char     message[m_len];

    // partial_log_metadata not implemented

    uint32 footer;
};
"""

dissect.target.plugins.apps.container.docker.c_local¶

dissect.target.plugins.apps.container.docker.RE_DOCKER_NS¶

dissect.target.plugins.apps.container.docker.RE_ANSI_ESCAPE¶

dissect.target.plugins.apps.container.docker.ASCII_MAP¶

class dissect.target.plugins.apps.container.docker.DockerPlugin(target: dissect.target.target.Target)¶

Bases: dissect.target.plugin.Plugin

Parse Docker Daemon artefacts.

References

__namespace__ = 'docker'¶: Defines the plugin namespace.

installs¶

check_compatible() → None¶

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:: UnsupportedPluginError – If the plugin could not be loaded.

images() → Iterator[DockerImageRecord]¶: Returns any pulled docker images on the target system.

containers() → Iterator[DockerContainerRecord]¶: Returns any docker containers present on the target system.

logs(raw_messages: bool = False, remove_backspaces: bool = False) → Iterator[DockerLogRecord]¶

Returns log files (stdout/stderr) from Docker containers.

The default Docker Daemon log driver is json-file, which performs no log rotation. Another log driver is local and performs log rotation and compresses log files more efficiently.

Eventually local will likely replace json-file as the default log driver.

Resources:

dissect.target.plugins.apps.container.docker.get_data_path(path: pathlib.Path) → str | None¶: Returns the configured Docker daemon data-root path.

dissect.target.plugins.apps.container.docker.find_installs(target: dissect.target.target.Target) → Iterator[pathlib.Path]¶

Attempt to find additional configured and existing Docker daemon data-root folders.

References

https://docs.docker.com/config/daemon/

dissect.target.plugins.apps.container.docker.convert_timestamp(timestamp: str | None) → str¶

Docker sometimes uses (unpadded) 9 digit nanosecond precision in their timestamp logs, eg. “2022-12-19T13:37:00.123456789Z”.

Python has no native %n nanosecond strptime directive, so we strip the last three digits from the timestamp to force compatbility with the 6 digit %f microsecond directive.

dissect.target.plugins.apps.container.docker.convert_ports(ports: dict[str, list | dict]) → dict¶

Depending on the state of the container (turned on or off) we can salvage forwarded ports for the container in different parts of the config.v2.json file.

This function attempts to be agnostic and deals with “Ports” lists and “ExposedPorts” dicts.

NOTE: This function makes a couple of assumptions and ignores ipv6 assignments. Feel free to improve this helper function.

dissect.target.plugins.apps.container.docker.hash_to_image_id(hash: str) → str¶: Convert the hash to an abbrevated docker image id.

dissect.target.plugins.apps.container.docker.strip_log(input: str | bytes, exc_backspace: bool = False) → str¶

Remove ANSI escape sequences from a given input string.

Also translates ASCII codes such as backspaces to readable format.