Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why doesn't my newly-created docker have a digest?

Tags:

docker

digest

I have been following the Docker tutorial here, and built a test image on my local OSX machine by committing changes to an existing image and tagging it with three different labels:

# docker images REPOSITORY               TAG                 IMAGE ID            CREATED             SIZE adamatan/sinatra         devel               fccb6b4d21b4        8 minutes ago       469.5 MB adamatan/sinatra         junk                fccb6b4d21b4        8 minutes ago       469.5 MB adamatan/sinatra         latest              fccb6b4d21b4        8 minutes ago       469.5 MB 

However, none of these images has a digest:

# docker images --digests adamatan/sinatra REPOSITORY          TAG                 DIGEST              IMAGE ID            CREATED             SIZE adamatan/sinatra    devel               <none>              fccb6b4d21b4        9 minutes ago       469.5 MB adamatan/sinatra    junk                <none>              fccb6b4d21b4        9 minutes ago       469.5 MB adamatan/sinatra    latest              <none>              fccb6b4d21b4        9 minutes ago       469.5 MB 

Other test images I have created with a Dockerfile do have a digest.

Why do some images have a digest and some don't? Is it related to the way the images were created (Dockerfile or not)?

like image 847
Adam Matan Avatar asked Oct 01 '16 20:10

Adam Matan


People also ask

Where can I find docker digest?

The Docker image digest SHA is a critical piece of evidence that makes a container and the content unique. You get the Docker image digest SHA from an image stored in a docker registry. Easy to do if the image has been pulled, just run docker image ls <image> –digests.

How is docker image digest created?

A digest is an id that is automatically created during build time and cannot be changed (immutable). When an image is pulled using a digest, a docker pull will download the same image every time on any os/arch. This is called image pinning. The above command returns a JSON response.

What is Digest in docker?

A digest is the sha256 hash of a docker image, but an image is not really a single file but rather a set of layers.

How can I tell if a docker image is signed?

If you have docker content trust enabled, and do a pull, create, or run, the client will look up the trust data and find the sha256 digest of the image that has been signed.


2 Answers

Firstly, Please keep in mind that a digest could represent a manifest, a layer or a combination of them (we normally called that combination an image).

Manifest is a new term that introduced with Docker registry V2. Here is a short description fetched from Docker Registry V2 slides page21 ~ page23:

  • [Manifest] describes the components of an image in a single object
    • Layers can be fetched immediately, in parallel.

When you get the digests with command docker images --digests, here the digest is the SHA256 hash of image manifest, but image ID is the hash code of the local image JSON configuration (this configuration is different from manifest). In this case, if an image doesn't have an associated manifest, the digest of that image will be "none".

Normally, two scenarios could make an image doesn't have associated manifest:

  1. This image has not been pushed to or pulled from a V2 registry.
  2. This image has been pulled from a V1 registry.

To generate a manifest, the easiest way is to push the image to a V2 registry (V1 registry will not works). Docker client will generate a manifest locally, then push it with image layers to registry. When you pull the image back, the image will has a manifest.

Once the manifest existing, your image digest should not be "none".

like image 162
Haoming Zhang Avatar answered Oct 02 '22 17:10

Haoming Zhang


Yes it is related to how the images were created. Docker can be a real stinker at times.

This may be helpful for you in this case.

like image 36
Colin Avatar answered Oct 02 '22 18:10

Colin