How to get a list of immutable identifier (digest) from a Docker image?

Question

I have a Docker image in dockerhub and this has been built several times because I need to update the PHP version to the newest. I need to use a previous version of that image and I think the way to go is by using the immutable identifier aka digest.

Here is the documentation in how to pull a given image by it's digest but I can't find a way to get all the digest from that image.

If you double click on a given build you obtain certain information like a build code, for example: berpxpunhmqe7bqh6lce5ub but I don't think that is such digest.

How do I find that digest for a given build?

Answer 1

Assuming you have a tag/identifier for the previous version and/or have a version in you local image cache, finding the digest to use with pull by digest can be done with a docker image inspect as follows:

$ docker image inspect --format "{{.RepoDigests}}" alpine:3.6
[alpine@sha256:b40e202395eaec699f2d0c5e01e6d6cb8e6b57d77c0e0221600cf0b5940cf3ab]

In this example I'm looking at the 3.6 tag of the alpine image, and the response is a string I can use with commands like docker pull:

$ docker pull alpine@sha256:b40e202395eaec699f2d0c5e01e6d6cb8e6b57d77c0e0221600cf0b5940cf3ab
sha256:b40e202395eaec699f2d0c5e01e6d6cb8e6b57d77c0e0221600cf0b5940cf3ab: Pulling from library/alpine
Digest: sha256:b40e202395eaec699f2d0c5e01e6d6cb8e6b57d77c0e0221600cf0b5940cf3ab
Status: Image is up to date for alpine@sha256:b40e202395eaec699f2d0c5e01e6d6cb8e6b57d77c0e0221600cf0b5940cf3ab

The potential problem with your specific image is that it looks like the latest tag has been used for all your builds, so unless you have a local cache of an older image, it may be quite difficult to find the older sha256 digest references to prior builds.

There are a few possible ways to find the digest of a prior image if local cached information hasn't been deleted via docker system prune or other cleanup utilities:

1. docker images -a | grep <image name> can be used to display all images, including those which have been untagged. A below example shows an updated ubuntu:latest where I still have access to the older image. Using that ID (which is not a digest), I can use the same docker image inspect --format '{{.RepoDigests}}' <image ID> to retrieve the actual digest of an older "build" of ubuntu.

2. If I had a container that is running or exited using a prior version of the image, I could find the digest of that image by first inspecting the container and finding the image ID, and then inspecting that image ID as above and retrieving the older image's digest. In this somewhat contrived example I have an exited container, 1edd.., which I inspect to find the image ID, which happens to still be validly tagged, but using it's id I can then use image inspect to get the digest, even if it is no longer tagged in my image cache.

Example 1:

$ docker images -a | grep ubuntu
ubuntu       latest      747cb2d60bbe   3 weeks ago    122MB`
ubuntu       <none>      ebcd9d4fca80   5 months ago   118MB
$ docker image inspect --format '{{.RepoDigests}}' ebcd9
 [ubuntu@sha256:382452f82a8bbd34443b2c727650af46aced0f94a44463c62a9848133ecb1aa8]

Example 2:

$ docker ps -aq
1edd14b528db
$ docker container inspect 1edd | grep Image
    "Image": "sha256:76da55c8019d7a47c347c0dceb7a6591144d232a7dd616242a367b8bed18ecbc",
        "Image": "alpine:3.6",
$ docker image inspect --format '{{.RepoDigests}}' 76da55
[alpine@sha256:f006ecbb824d87947d0b51ab8488634bf69fe4094959d935c0c103f4820a417d]