Dockback - Reverse-Engineering Dockerfiles from Images

- 10 October 2025 - 5 mins read

Ever found yourself staring at a Docker image in production and wondering, “How the heck did they build this thing?” Maybe you’re doing a security audit, debugging a performance issue, or just trying to understand how that third-party image actually works.

Well, that’s exactly the problem I solved with Dockback! Dockback is a tiny CLI tool that reverse-engineers an approximate Dockerfile from any Docker image. No external dependencies, pure Bash + Docker CLI. Let me show you how it works and why it might save you hours of head-scratching.

The Problem: Black Box Containers

Docker images are amazing for deployment, but they’re also black boxes. Once built, you lose visibility into:

  • What packages were installed and how
  • What environment variables are set
  • Which ports are exposed
  • The exact RUN commands that were executed

This becomes a real pain when you need to:

  • Debug issues: “Why is this image behaving differently than expected?”
  • Audit security: “What packages are actually installed in this base image?”
  • Learn from others: “How did they optimize this build?”
  • Migrate workloads: “I need to recreate this setup in a different environment”

Traditional approaches like docker history give you raw layer information, but it’s not very human-readable. That’s where Dockback comes in.

What Dockback Does

Dockback inspects any Docker image and reconstructs a human-readable Dockerfile that approximates the original build process. It’s like having X-ray vision for containers.

Here’s what it extracts:

  • Base image (FROM instruction)
  • Build commands (RUN instructions)
  • Environment variables (ENV)
  • Exposed ports (EXPOSE)
  • Working directory (WORKDIR)
  • Entry point and command (CMD/ENTRYPOINT)

Try It Right Now

Let’s see it in action with the classic httpd:alpine image:

# Install dockback (one-time setup)
curl -fsSL https://repo.guztia.com/install-dockback.sh | bash

# Generate a Dockerfile from httpd:alpine
dockback httpd:alpine

# Or print to stdout instead of saving
dockback -p nginx:latest

The tool generates a file like this:

# Reconstructed from image: busybox
# ⚠️ Approximation only. Container runtime modifications are not included.

FROM scratch

CMD ["sh"]

How It Works Under the Hood

Dockback is pure Bash - no Python, no jq, no external dependencies. It uses only:

  1. docker image inspect - Extracts metadata like ENV vars, ports, CMD/ENTRYPOINT
  2. docker history --no-trunc - Gets the layer-by-layer build commands
  3. Bash string manipulation - Parses JSON with grep, sed, and awk

The key insight: Docker images store their build history in layers, and docker history reveals the exact commands used to create each layer. Dockback just formats this information into a readable Dockerfile.

Real-World Use Cases

1. Security Audits

# Check what packages are in that suspicious base image
dockback registry.company.com/suspicious-base:v1.2.3

2. Debugging Performance Issues

# Understand how this bloated image was built
dockback -p company/app:prod-v3 > build-analysis.md

3. Learning from Others

# Study how the pros structure their builds
dockback nginx:alpine
dockback redis:7-alpine
dockback python:3.11-slim

CLI Options

Option Description
-o FILE Output Dockerfile path (default: ./Dockerfile)
-p Print to stdout instead of saving
-h Show help

Important Limitations

⚠️ Dockback generates approximations, not exact replicas. It cannot capture:

  • Runtime modifications: Any changes made after the image was built
  • Source files: COPY/ADD operations (only the commands are shown)
  • Multi-stage builds: Complex build contexts are lost
  • Build arguments: ARG variables aren’t preserved
  • Secrets: Build-time secrets aren’t included

Always review and test the generated Dockerfile before using it.

Why This Matters

In the world of containers, visibility matters. Docker images are the building blocks of modern infrastructure, but once built, they become opaque. Dockback gives you back some of that visibility.

Whether you’re an SRE debugging production issues, a security engineer auditing supply chains, or a developer learning best practices, having the ability to peek inside containers is invaluable.

What will you discover inside your containers? The black boxes might not be as mysterious as you think.


Share: Link copied to clipboard

Tags:

Previous: Building the (maybe) First Public PQC Checker Tool

Where: Home > Technical > Dockback - Reverse-Engineering Dockerfiles from Images