I have been following the Docker tutorial here, and built a test image on my local OSX machine by committing changes to an existing image and tagging it with three different labels:
    # docker images
    REPOSITORY          TAG      IMAGE ID       CREATED         SIZE
    adamatan/sinatra    devel    fccb6b4d21b4   8 minutes ago   469.5 MB
    adamatan/sinatra    junk     fccb6b4d21b4   8 minutes ago   469.5 MB
    adamatan/sinatra    latest   fccb6b4d21b4   8 minutes ago   469.5 MB
However, none of these images has a digest:
    # docker images --digests adamatan/sinatra
    REPOSITORY          TAG      DIGEST   IMAGE ID       CREATED         SIZE
    adamatan/sinatra    devel    <none>   fccb6b4d21b4   9 minutes ago   469.5 MB
    adamatan/sinatra    junk     <none>   fccb6b4d21b4   9 minutes ago   469.5 MB
    adamatan/sinatra    latest   <none>   fccb6b4d21b4   9 minutes ago   469.5 MB
Other test images I have created with a Dockerfile do have a digest.
Why do some images have a digest and some don't? Is it related to the way the images were created (Dockerfile or not)?
The Docker image digest SHA is a critical piece of evidence that makes a container and the content unique. You get the Docker image digest SHA from an image stored in a docker registry. This is easy to do if the image has been pulled: just run docker image ls <image> --digests.
A digest is an id that is automatically created during build time and cannot be changed (immutable). When an image is pulled using a digest, a docker pull will download the same image every time on any os/arch. This is called image pinning. The above command returns a JSON response.
A digest is the sha256 hash of a docker image, but an image is not really a single file but rather a set of layers.
If you have docker content trust enabled, and do a pull, create, or run, the client will look up the trust data and find the sha256 digest of the image that has been signed.
Firstly, please keep in mind that a digest could represent a manifest, a layer or a combination of them (we normally call that combination an image).
Manifest is a new term that was introduced with Docker registry V2. Here is a short description fetched from the Docker Registry V2 slides, page 21 ~ page 23:
- [Manifest] describes the components of an image in a single object
- Layers can be fetched immediately, in parallel.
When you get the digests with the command docker images --digests, the digest is the SHA256 hash of the image manifest, but the image ID is the hash code of the local image JSON configuration (this configuration is different from the manifest). In this case, if an image doesn't have an associated manifest, the digest of that image will be "none".
Normally, two scenarios could cause an image not to have an associated manifest:
To generate a manifest, the easiest way is to push the image to a V2 registry (a V1 registry will not work). The Docker client will generate a manifest locally, then push it with the image layers to the registry. When you pull the image back, the image will have a manifest.
Once the manifest exists, your image digest should not be "none".
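An added example, not part of the answers above: it builds a registry V2 (schema 2) style manifest from constructed config and layer bytes, then shows that the image ID and the digest are hashes of two different objects and that a digest-pinned reference rejects a manifest whose layers changed. The repository name, sample blobs and helper names are assumptions made for illustration.

```python
import hashlib
import json

def sha256_digest(data: bytes) -> str:
    """Return a registry-style content digest for raw bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def descriptor(media_type: str, blob: bytes) -> dict:
    """Content descriptor as it appears inside a schema 2 manifest."""
    return {"mediaType": media_type, "size": len(blob),
            "digest": sha256_digest(blob)}

def build_manifest(config: bytes, layers: list) -> bytes:
    """Serialize a manifest; the digest covers exactly these bytes."""
    doc = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": descriptor(
            "application/vnd.docker.container.image.v1+json", config),
        "layers": [descriptor(
            "application/vnd.docker.image.rootfs.diff.tar.gzip", blob)
            for blob in layers],
    }
    return json.dumps(doc, indent=3).encode()

def verify_pinned(reference: str, manifest: bytes) -> bool:
    """Check manifest bytes against a repo@sha256:... reference."""
    _, _, pinned = reference.partition("@")
    return pinned.startswith("sha256:") and pinned == sha256_digest(manifest)

# Constructed sample data (stand-ins, not real image content).
CONFIG = json.dumps({"architecture": "amd64", "os": "linux",
                     "rootfs": {"type": "layers", "diff_ids": []}}).encode()
LAYERS = [b"constructed layer blob 1", b"constructed layer blob 2"]

MANIFEST = build_manifest(CONFIG, LAYERS)
IMAGE_ID = sha256_digest(CONFIG)    # hash of the image JSON configuration
DIGEST = sha256_digest(MANIFEST)    # hash of the manifest, exists once one is generated
TAMPERED = build_manifest(CONFIG, [LAYERS[0], b"modified layer blob"])

if __name__ == "__main__":
    ref = "example/sinatra@" + DIGEST   # hypothetical repository name
    print("image id:", IMAGE_ID)
    print("digest  :", DIGEST)
    print("pinned ref accepts original:", verify_pinned(ref, MANIFEST))
    print("pinned ref accepts tampered:", verify_pinned(ref, TAMPERED))
```

Because the digest is taken over the serialized manifest bytes, re-encoding the same JSON with different whitespace also yields a different digest.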
Yes, it is related to how the images were created. Docker can be a real stinker at times.
This may be helpful for you in this case.