Digests on Dockerhub and those fetched by docker pull do not match #1925
Comments
Apparently, the name you use to fetch an image is embedded in the I still don't know why you would do such a thing, nor do I know why the website, on the page for the tag itself, shows you the digest for fetching it as if you hadn't somehow specified a tag? |
@roy-work The digest displayed by the CLI is the digest of manifest list that composes of multiple manifests each representing an image for a particular platform. The digests shown in Hub are digests of each of these platform images. The CLI actually downloads the |
Is there a reliable way to check if the local running image is the same or actual one offered by docker hub? |
Pulling image with
Get the digest from manifest,
For image |
Some discussion on moby/moby#40636 (comment) as well (w.r.t. the presentation of the manifest digest for multi-arch images) |
since the digest returned by registry-image resource cannot be used in the docker CLI docker/hub-feedback#1925 Signed-off-by: Aidan Oldershaw <[email protected]>
So, as I see it, there is no way to verify that a downloaded image is the same as the one on Docker Hub, despite everything having tons of unique IDs. (I wanted to check which image is actually downloaded with respect to architectures.) |
Actually, passing |
Is this actually still a thing? Hard to believe it. |
Seems especially pertinent when running an M1 Mac. I'm trying to verify that docker is pulling the AArch64 not AMD64 image. This would seem the obvious way to check but nope. |
Bummer! I thought SHA256 could help me justify what's happening in my case. It's actually a thing. |
I share @adwhit's pain |
Can somebody on the Docker team please fix this issue in a comprehensible way? Not being able to easily compare digests, to answer questions like "What version did I just download?" and "Which version of an image is located on my server?", is a missing thing. Using digests for that is IMHO the way to reliably achieve it. Please advise if there's another intended way, thank you! |
I believe #2043 (comment) responds to the confusion here of which digest is where, as there are multiple which are involved in Docker Images. In addition, these recommendations might help explain what we are doing going forward to help with this problem. |
Came into this issue and want to move everything to github container registry instead because it provides the sha256 digest for all platforms on their website which is the same as the one from docker pull I can easily use to compare and pin my image to that multiplatform digest instead of having to pull the image manually first. The "sha256:da52ff461520afd42284adfea5fb7c6c932d7900622a6e3612a3fab1ef3de7a4" here from github works for both amd64 and arm64 and it is the same as the one I get after docker pull, which docker hub won't provide on its web portal. Instead, it only provides one for amd64 only and another for arm64 only. |
If you're looking for this, also upvote docker/roadmap#262 to help getting work on this prioritised internally |
So there is no way currently to figure out which actual tag I've installed? |
WTF of this shit! If they don't match, why do you show them? They cannot even be used to verify a tag. |
FYI, my workaround to automate getting the hash from a tag: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_digest.md |
It doesn't match because for multi-arch images To find out which image you're running you need to determine the manifest list digest that was stored locally (
Or using
Then get the list of tags:
Then query the manifest list digest on Docker Hub until you find the one that matches the RepoDigest (
But I guess images can be retagged on Docker Hub. As such, the image you're running... the tag may no longer point to your image. More on it here. |
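The distinction made in the replies above (a pull by tag records the manifest list digest, while Docker Hub shows one digest per platform manifest) can be reproduced offline. This is an added example, not code from the thread or from Docker; the manifests are constructed sample data and the helper names `digest_of`, `build_sample_index` and `classify` are hypothetical.

```python
import hashlib
import json

LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
IMAGE_TYPE = "application/vnd.docker.distribution.manifest.v2+json"


def digest_of(raw: bytes) -> str:
    """Content digest as registries compute it: SHA-256 over the exact bytes served."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def build_sample_index(arches):
    """Constructed sample data: one tiny image manifest per architecture plus the list."""
    manifests, entries = {}, []
    for arch in arches:
        raw = json.dumps({"schemaVersion": 2, "mediaType": IMAGE_TYPE,
                          "config": {"digest": digest_of(b"config-" + arch.encode())},
                          "layers": []}).encode()
        manifests[arch] = raw
        entries.append({"mediaType": IMAGE_TYPE, "size": len(raw),
                        "digest": digest_of(raw),
                        "platform": {"architecture": arch, "os": "linux"}})
    index_raw = json.dumps({"schemaVersion": 2, "mediaType": LIST_TYPE,
                            "manifests": entries}).encode()
    return index_raw, manifests


def classify(repo_digest: str, index_raw: bytes) -> str:
    """Say which object a digest (e.g. from .RepoDigests, after the '@') names."""
    if repo_digest == digest_of(index_raw):
        return "index"
    for entry in json.loads(index_raw)["manifests"]:
        if entry["digest"] == repo_digest:
            p = entry["platform"]
            return f"platform {p['os']}/{p['architecture']}"
    return "unknown"


INDEX_RAW, MANIFESTS = build_sample_index(["amd64", "arm64"])

if __name__ == "__main__":
    pulled = digest_of(INDEX_RAW)  # what a pull by tag records for a multi-arch image
    print(pulled, "->", classify(pulled, INDEX_RAW))
    for arch, raw in MANIFESTS.items():
        print(digest_of(raw), "->", classify(digest_of(raw), INDEX_RAW))
    # Re-serialising the JSON changes the bytes, and therefore the digest.
    pretty = json.dumps(json.loads(INDEX_RAW), indent=2).encode()
    print("re-serialised index matches:", digest_of(pretty) == pulled)
```

When comparing against a real registry, hash the manifest bytes exactly as served; parsing and re-encoding the JSON first yields a different digest.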
This is so confusing. Here is what worked for me:
The above shas for each arch match what's on Docker Hub. |
Of course it matches... because it pulls info from the registry (docker hub), not the local image you have. You can run: and will see: Show details of an image in the registry And I agree with almost everyone here that it's frustrating not to be able to check whether the local image matches the info on docker hub. |
bump |
bump |
Continually bumping will only result in this issue being locked to collaborators only, it will not increase visibility or prioritize this any higher than it already is. (I'm not affiliated with this project) |
The Index Digests would be much more useful if they were searchable on Docker Hub. It's great progress that the Index Digests are now listed on Docker Hub when present, but the whole point of this was to be able to easily match local Docker SHA digests with Docker Hub digests to confirm they are correct. Example: I can get the local Docker digest via:
But there is no way for me to then search for this digest on the Docker Hub. So I instead click through each version and check the Index Digest in each version until I find it.. actually 22 versions back at 'deluan/navidrome:0.51.1'. That's only 4 months. I can imagine for a container someone has not updated for a year or more they would have to do a lot more digging. This should be a really simple task that takes a few seconds, but instead it feels like I'm rifling through a filing cabinet looking up dewey decimal symbols. Please add the ability to search for Index Digests, it will save a lot of people a lot of time. |
@bickford that's quite orthogonal to this ticket, and not sure if that's easy to support. That said, it looks like there's some existing feature requests on the roadmap issue tracker; |
I've spent many hours trying to get the exact date an image SHA (Index Digest) was built, and this command did the trick. Btw, with the output of this command, you can get the "Manifest SHA" from the "Index Digest", thus being able to access it in Docker Hub UI |
@oliveirafilipe
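```sh
#!/bin/sh -eu
# For each digest recorded locally for the given image, print the registry tag
# that currently resolves to that digest.
img=$1
# Every repo:tag name the local image is known by.
docker inspect "$img" -f '{{json .RepoTags}}' | jq -r '.[]' \
| while IFS= read -r repo_tag; do
    img=${repo_tag%:*}
    # Strip up to the last colon so a registry host:port prefix is not taken for the tag.
    tag=${repo_tag##*:}
    # Digests stored at pull time, in the form repo@sha256:...
    docker inspect "$img:$tag" -f '{{json .RepoDigests}}' | jq -r '.[]' \
    | while IFS= read -r repo_digest; do
        repo_digest=${repo_digest#*@}
        # Walk the registry's tag list in reverse order and compare digests.
        docker run --rm regclient/regctl tag ls "$img" | tac \
        | while IFS= read -r tag; do
            digest=$(docker run --rm regclient/regctl image digest "$img:$tag")
            if [ "$digest" = "$repo_digest" ]; then
                echo "$tag"
                # Ends only this innermost loop (it runs in a pipeline subshell).
                exit
            fi
        done
    done
done
```

You can pass it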
or an image id:
and it'll do the work for you. It's not too fast and can probably be improved, but if you don't want to click through each version, that's an option.
It seems like |
Problem description
The data on what SHAs an image on Dockerhub is on doesn't seem to match what I get from `docker pull`. For example, take `ubuntu:bionic`. If I look up that tag on Dockerhub, the latest digest for amd64 is sha256:134c7fe821b9d359490cd009ce7ca322453f4f2d018623f849e580a89a685e5d. But if I run `docker pull ubuntu:bionic`, I get a different digest:
(And this digest doesn't match any architecture, not just amd64. I checked the others just in case it was for some odd reason pulling an x86 image.)
Why do these not match?