Docker History Base Image Add:sha256hash

Question

I'm trying to better understand the docker history output. When I run docker history nginx:latest I get output that nearly matches the Dockerfile:

/bin/sh -c #(nop) CMD ["nginx" "-g" "daemon off;"]
/bin/sh -c #(nop) EXPOSE 443/tcp 80/tcp/bin/sh -c ln -sf /dev/stdout /var/log/nginx/access.log  && ln -sf /dev/stderr /var/log/nginx/error.log
/bin/sh -c apt-key adv --keyserver hkp://pgp.mit.edu:80 --recv-keys 573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62  && echo "deb http://nginx.org/packages/mainline/debian/ jessie nginx" >> /etc/apt/sources.list && apt-get update && apt-get install --no-install-recommends --no-install-suggests -y       ca-certificates nginx=${NGINX_VERSION} nginx-module-xslt nginx-module-geoip nginx-module-image-filter nginx-module-perl nginx-module-njs gettext-base  && rm -rf /var/lib/apt/lists/*
/bin/sh -c #(nop) ENV NGINX_VERSION=1.11.9-1~jessie
/bin/sh -c #(nop) MAINTAINER NGINX Docker Maintainers "[email protected]"
/bin/sh -c #(nop) CMD ["/bin/bash"]
/bin/sh -c #(nop) ADD file:89ecb642d662ee7edbb868340551106d51336c7e589fdaca4111725ec64da957 in /

with three notable exceptions

1. All of the lines start with /bin/sh -c #(nop) except for the third line which is the RUN command in the Dockerfile - no big deal
2. The commands are in reverse (the last command in the Dockerfile is the first command listed with docker history) - also no big deal

3. This one's the kicker - The FROM debian:jessie line from the Dockerfile is translated to:

   ADD file:89ecb642d662ee7edbb868340551106d51336c7e589fdaca4111725ec64da957 in / CMD ["/bin/bash"]

It took me a little while to realize that the last two commands above (the ADD and CMD ["/bin/bash"] lines) were carried over from the base image debian:jessie. Once I figured that out, I thought to myself, "self, the file:89ec...da957 must be the sha256 hash of the rootfs.tar.xz included as the file system. But no, the sha256 hash of the rootfs.tar.xz is 467328e24c316fd058f086eb8eb77706f3f448ad8886d202e7c9687d30692eca.

Herein lies my question: Where does the hash listed in docker history come from? And why is it different than the actual hash of rootfs.tar.xz?

I've thoroughly reviewed much of Docker's documentation, with no luck, including:

1. https://docs.docker.com/engine/userguide/storagedriver/imagesandcontainers/
2. https://docs.docker.com/engine/reference/commandline/history/
3. https://docs.docker.com/engine/reference/builder/

The hash is consistent across all images that use debian:jessie as the base image. Even docker history debian:jessie shows the same hash:

/bin/sh -c #(nop) CMD ["/bin/bash"]
/bin/sh -c #(nop) ADD file:89ecb642d662ee7edbb868340551106d51336c7e589fdaca4111725ec64da957 in /

and I think you might agree, that there is only one file that could possibly have a hash in the debian:jessie Dockerfile:

FROM scratch
ADD rootfs.tar.xz /
CMD ["/bin/bash"]

If anyone could provide some insight or point me to a resource I have yet to find, it would be much appreciated.

Answer 1

The docker brew debian image is made of intermediate containers, as described in "Understand images, containers, and storage drivers".

See issue 25925: each layer being stored in (for instance) /var/lib/docker/aufs/mnt/.

So ADD file:89ecb642d662ee7edbb868340551106d51336c7e589fdaca4111725ec64da95 would add all files found in /var/lib/docker/aufs/mnt/89ecb642d662ee7edbb868340551106d51336c7e589fdaca4111725ec64da95.

(Note: I mentioned the (nop) part in "Docker missing layer IDs in output")