类似于问题“What´s the sha256 code of a docker image?”,我想找到Docker图像的摘要。我下载图片时可以看到摘要:
$ docker pull waisbrot/wait:latest
latest: Pulling from waisbrot/wait
Digest: sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330
Status: Image is up to date for waisbrot/wait:latest
$
另一个问题,What is the Docker registry v2 API endpoint to get the digest for an image有一个答案暗示Docker-Content-Digest
标题。
当我获取图像的清单时,我可以看到有一个Docker-Content-Digest
标题:
$ curl 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull' -H "Authorization: Basic ${username_password_base64}"
# store the resulting token in DT
$ curl -v https://registry-1.docker.io/v2/waisbrot/wait/manifests/latest -H "Authorization: Bearer $DT" -XHEAD
* Trying 52.7.141.30...
* Connected to registry-1.docker.io (52.7.141.30) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.docker.io
* Server certificate: RapidSSL SHA256 CA - G3
* Server certificate: GeoTrust Global CA
> GET /v2/waisbrot/wait/manifests/latest HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer LtVRw-etc-etc-etc
>
< HTTP/1.1 200 OK
< Content-Length: 4974
< Content-Type: application/vnd.docker.distribution.manifest.v1+prettyjws
< Docker-Content-Digest: sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3
< Docker-Distribution-Api-Version: registry/2.0
< Etag: "sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3"
< Date: Wed, 07 Sep 2016 16:37:15 GMT
< Strict-Transport-Security: max-age=31536000
但是,这个标题是不一样的。 pull
命令让我6f21
,标题显示128c
。此外,pull命令不适用于该摘要:
$ docker pull waisbrot/wait@sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3
Error response from daemon: manifest unknown: manifest unknown
当我有正确的摘要时,事情按我想要的方式工作:
$ docker pull waisbrot/wait@sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330 12:46 waisbrot@influenza
sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330: Pulling from waisbrot/wait
Digest: sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330
Status: Image is up to date for waisbrot/wait@sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330
我正在寻找的是一种将latest
标签(它一直在变化)翻译成我可以可靠拉动的固定摘要的方法。但是我不想实际将它拉下来进行翻译。
对于较新版本的Docker,inspect命令提供了正确的值:
docker inspect --format='{{index .RepoDigests 0}}' waisbrot/wait
对于旧版本,请使用主Docker repo在此示例后从存储库中获取值:
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
-H "Authorization: Basic ${username_password_base64}" \
'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull'
Naive尝试获取该值失败,因为服务器选择的默认内容类型是application/vnd.docker.distribution.manifest.v1+prettyjws
(v1清单),您需要v2清单。因此,您需要将Accept
标头设置为application/vnd.docker.distribution.manifest.v2+json
。
我意识到这个问题得到了解答,但要么我遗漏了某些内容,要么当前版本的AWS ECR注册服务无法正常工作。
尝试使用HEAD从AWS ECR获取摘要并尝试切换内容类型时,不会返回我可用于使用注册表Api提取图像的摘要值。
要获得此摘要,您必须获取您感兴趣的标记的清单,并按原样计算响应Json的sha256,包括格式,不带签名部分
按照ByteFlinger的建议,没有一个例子,我尝试了这个,这是如何计算它:
$ docker-ls tag -registry https://myregistry.net:5000
spicysomtam/zookeeper:latest
requesting manifest . done
repository: spicysomtam/zookeeper
tagName: latest
digest: sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036
$ curl -ns -H "Accept:
application/vnd.docker.distribution.manifest.v2+json" -X GET
https://myregistry.net:5000/v2/spicysomtam/zookeeper/manifests/latest|sha256sum
bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036 -
$ docker images --digests |grep zookeeper
myregistry.net:5000/spicysomtam/zookeeper latest sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036 a983e71ca22d 29 hours ago 584MB
你可以使用docker inspect
得到这个:
docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME}
文件:https://docs.docker.com/engine/reference/commandline/inspect/
这至少从v1.9开始实施。