Can I get an image digest without downloading the image?

前端未结

关注

 6  444

Similar to the question \"What´s the sha256 code of a docker image?\", I would like to find the digest of a Docker image. I can see the digest when I download an image:

相关标签:

6条回答

长情又很酷

2021-02-01 09:22

You can get this using docker inspect:

docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME}

Docs: https://docs.docker.com/engine/reference/commandline/inspect/

This has been in place since at least v1.9.

0 讨论(0)
发布评论:

提交评论
- 加载中...
暖寄归人

2021-02-01 09:25
I encountered a task recently that required viewing the sha256 digest without necessarily pulling the image. The tool skopeo makes the registry API calls so you don't need to pull the image.

For example,
```
$ skopeo inspect --creds "username:password" docker://waisbrot/wait:latest
```
You could then pipe this to jq if you want to get just the digest value.
```
$ skopeo inspect --creds "username:password" \
  docker://waisbrot/wait:latest | jq -r '.Digest'
sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330
```
0 讨论(0)
发布评论:

提交评论
- 加载中...
时光说笑

2021-02-01 09:29

I realise this issue is answered however either I am missing something or the current version of AWS ECR registry service does not work as expected.

When trying to get the digest from AWS ECR using either HEAD and also trying to switch the content-type does not return a digest value that I can use to pull an image using the registry Api.

To get this digest you have to get the manifest for the tag you are interested in and calculate the sha256 of the response Json as is, including the formatting, without the signature section

0 讨论(0)
发布评论:

提交评论
- 加载中...
深忆病人

2021-02-01 09:34
For newer versions of Docker, the inspect command provides the correct value:
```
docker inspect --format='{{index .RepoDigests 0}}' waisbrot/wait
```
For older versions, fetch the value from the repository following this example with the main Docker repo:
```
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
     -H "Authorization: Basic ${username_password_base64}" \
     'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull' 
```
Naive attempts to fetch that value fail because the default content-type being selected by the server is application/vnd.docker.distribution.manifest.v1+prettyjws (a v1 manifest) and you need to v2 manifest. Therefore, you need to set the Accept header to application/vnd.docker.distribution.manifest.v2+json.
0 讨论(0)
发布评论:

提交评论
- 加载中...

半阙折子戏

2021-02-01 09:39

Following up on ByteFlinger's suggestion, which did not have an example, I tried this, and this is how to calculate it:

$ docker-ls tag -registry https://myregistry.net:5000 
spicysomtam/zookeeper:latest
requesting manifest . done
repository: spicysomtam/zookeeper
tagName: latest
digest: sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036

$ curl -ns -H "Accept: 
application/vnd.docker.distribution.manifest.v2+json" -X GET  
https://myregistry.net:5000/v2/spicysomtam/zookeeper/manifests/latest|sha256sum
bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036  -

$ docker images --digests |grep zookeeper
myregistry.net:5000/spicysomtam/zookeeper           latest                                     sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036   a983e71ca22d        29 hours ago        584MB

0 讨论(0)

醉话见心

2021-02-01 09:41

With 2 http requests, you can get it. The first one to get an authentication token, and the second to get the image digest list by architecture and variant:

token=$(curl --silent "https://auth.docker.io/token?scope=repository:$image:pull&service=registry.docker.io"  | jq -r '.token')

curl -s --header "Accept: application/vnd.docker.distribution.manifest.list.v2+json" --header "Authorization: Bearer ${token}" "https://registry-1.docker.io/v2/$image/manifests/$tag" | jq -r '.manifests|.[]| "\(.digest) \(.platform.architecture) \(.platform.variant)"'

Example with:

image=library/nginx
tag=stable-alpine

sha256:8853c7e938c2aa5d9d7439e698f0e700f058df8414a83134a09fcbb68bb0707a amd64 null
sha256:dbcd23f95b94018fe72bfdb356e40f4ae8b95063883f3456fedaed1c02204ed4 arm v6
sha256:d3670edcd50bb07cae303767426adf9bc7ba0219736148d30e6f30dd4e08695c arm v7
sha256:0bcd76faa141e4fa37e875834b3994261e0cfc94b7233ac84896381315b845ca arm64 v8
sha256:da8e62ddb3fab89ff4fa0271dbe230f849ab53402a71338503952437dcda1026 386 null
sha256:269bf99e100294b6b75fbdecf7b4ddbef8b29ea0a953e2e904452a50dbc923ab ppc64le null
sha256:103da50956034c157abeffbc869e2e38a4fabbf913bed8ae6ae7c59e646b28a1 s390x null

0 讨论(0)