sha256 of locally built docker image

Question

How do I get the sha256 checksum of an already locally built docker image?

I want to use the checksum to annotate a FROM instruction in a derived image:

FROM name@sha256:checksum

I already tried checksums from docker inspect.

• Neither the first nor the last of the checksums in the Layers list worked.
• The one in "Id" did not work.
• The one in "Parent" did not work.
• The one in "Container" did not work.
• The one in "Image" did not work.

Some of them I only tried out of desperation to finally find the correct checksum for my docker image, but I cannot find the correct checksum. Only thing I did not try yet, because of the number of layers, is to go through all of the layers in case they are in a random order. But to put them there like that would not make sense to begin with.

The error I see when I run docker build -t <some name> . in the directory of the Dockerfile of the derived image when it is not working is:

Step 1/7 : FROM name@sha256:<checksum> repository name not found: does not exist or no pull access

Info

• Docker version: Docker version 17.05.0-ce, build 89658be (obtained via docker --version)

• Output of docker info:

  Containers: 0
   Running: 0
   Paused: 0
   Stopped: 0
  Images: 3841
  Server Version: 17.05.0-ce
  Storage Driver: aufs
   Root Dir: /var/lib/docker/aufs
   Backing Filesystem: extfs
   Dirs: 2620
   Dirperm1 Supported: true
  Logging Driver: json-file
  Cgroup Driver: cgroupfs
  Plugins: 
   Volume: local
   Network: bridge host macvlan null overlay
  Swarm: inactive
  Runtimes: runc
  Default Runtime: runc
  Init Binary: docker-init
  containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
  runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
  init version: 949e6fa
  Security Options:
   apparmor
   seccomp
    Profile: default
  Kernel Version: 4.4.0-78-generic
  Operating System: Ubuntu 16.04.2 LTS
  OSType: linux
  Architecture: x86_64
  CPUs: 4
  Total Memory: 7.684GiB
  Name: xiaolong-hp-pavilion
  ID: QCJS:JPK4:KC7J:6MYF:WWCA:XQM2:7AF7:HWWI:BRZK:GT6B:D2NP:OJFS
  Docker Root Dir: /var/lib/docker
  Debug Mode (client): false
  Debug Mode (server): false
  Registry: https://index.docker.io/v1/
  Experimental: false
  Insecure Registries:
   127.0.0.0/8
  Live Restore Enabled: false
  
  WARNING: No swap limit support
  

Answer 1

The checksum docker is looking for in the FROM line comes from the registry server. In the inspect output, you'll see this in the RepoDigest section:

docker inspect -f '{{.RepoDigests}}' $image_name

If you haven't pushed this image to a registry server, then you won't be able to use this hash value.

E.g.:

$ docker inspect -f '{{.RepoDigests}}' busybox:latest
[busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f]

$ cat df.testsha
FROM busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
CMD echo "hello world"

$ docker build -f df.testsha -t test-sha .
Sending build context to Docker daemon  23.35MB
Step 1/2 : FROM busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
 ---> 00f017a8c2a6
Step 2/2 : CMD echo "hello world"
 ---> Running in c516e5b6a694
 ---> 68dc47866183
Removing intermediate container c516e5b6a694
Successfully built 68dc47866183
Successfully tagged test-sha:latest

$ docker run --rm test-sha
hello world