
Pulling docker image by digest

I would like to ask why it is necessary to specify both the name and the digest when pulling a Docker image.

docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

Isn't it enough just to pass the digest, or is the digest not unique enough in the context of the whole Docker repository?

For example like that:

docker pull sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
Stanimir Mitko asked Jan 09 '20 20:01



1 Answer

The name is required because of how the registry API is designed. Image pulls in Docker all go back to a repository on a registry server. A repository is a path on the server, containing multiple image manifests, along with other blobs (image configs, layers, and possibly other data pulled by a digest).

One key reason to run all API requests against a repository, rather than the overall registry, is to handle authorization. Otherwise, each request for a digest would need to do a reverse lookup of all repositories that reference that digest, and see if the user has permission to access that digest.

You also wouldn't run a request against some global registry namespace since there's more than one registry, and new registries can be easily created. Docker Hub may be the most popular, but there are also registries for most cloud providers, CI providers like GitHub and GitLab, and self-hosted registries on company networks, in their own production clusters, and on developer laptops. Therefore there's no upper limit to how long that request could take, and a discovery method would be needed to find new registries, including those that may have been created in your private network.


For a deeper dive, the API for a pull will request:

GET /v2/<name>/manifests/<reference>

The name and reference parameter identify the image and are required. The reference may include a tag or digest.

(The "name" referenced in that documentation is the repository name.)

The docker commands mirror this API design, requiring the image name. If you leave off the tag or digest, it will use "latest" as a default value. When you leave off the registry name, it defaults to Docker Hub. And if you also left off a username, it prefixes the registry name with library/ where all the official images are located on Docker Hub.

So the pull request for ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 will turn into a request to registry-1.docker.io (the registry API server for Docker Hub) for the repository library/ubuntu with the reference of the sha256 you listed.

Attempting to leave off the repository name from the pull will result in an invalid syntax (docker will call this a reference format) because it cannot extrapolate the repository from nothing and there is no default repository name.

BMitch answered Sep 30 '22 00:09
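The defaults described in the answer above, as an added example that is not part of the original answer and is not Docker's own parser: a simplified Python sketch that normalizes an image reference and builds the manifest request URL. The function names, the `https://` scheme and the host-detection rule are assumptions of this sketch.

```python
import re

DEFAULT_REGISTRY = "docker.io"         # assumed when the reference names no registry
HUB_API_HOST = "registry-1.docker.io"  # registry API server for Docker Hub
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def normalize(ref: str) -> dict:
    """Split an image reference into registry, repository and tag/digest."""
    if DIGEST_RE.match(ref):
        # A bare digest names content, but no repository to request it from.
        raise ValueError("no repository name in reference")
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError("malformed digest in reference")
    # A ':' after the last '/' separates a tag; earlier ones belong to host:port.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    if not name:
        raise ValueError("no repository name in reference")
    # The first path component is a registry only if it looks like a host.
    first, _, rest = name.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = DEFAULT_REGISTRY, name
        if "/" not in repo:
            repo = "library/" + repo   # official images on Docker Hub
    # A digest takes precedence over a tag; "latest" is the fallback.
    return {"registry": registry, "repository": repo,
            "reference": digest or tag or "latest"}


def manifest_url(ref: str) -> str:
    """Build the GET /v2/<name>/manifests/<reference> URL for a reference."""
    p = normalize(ref)
    host = HUB_API_HOST if p["registry"] == DEFAULT_REGISTRY else p["registry"]
    return f"https://{host}/v2/{p['repository']}/manifests/{p['reference']}"


if __name__ == "__main__":
    digest = "sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"
    print(manifest_url("ubuntu@" + digest))
```

Because the repository is part of every request path, the registry can make its authorization decision per repository before it ever looks up the digest.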