我可以在不下载图像的情况下获取图像摘要吗?

时间:2016-09-07 16:48:42

标签: docker docker-registry

与问题“What´s the sha256 code of a docker image?”类似,我想找到Docker镜像的摘要。我下载图片时可以看到摘要:

$ docker pull waisbrot/wait:latest                                                                                                  
latest: Pulling from waisbrot/wait
Digest: sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330
Status: Image is up to date for waisbrot/wait:latest
$

另一个问题,What is the Docker registry v2 API endpoint to get the digest for an image有一个答案显示Docker-Content-Digest标题。

当我获取图片的清单时,我可以看到有一个Docker-Content-Digest标题:

$ curl 'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull' -H "Authorization: Basic ${username_password_base64}"

# store the resulting token in DT

$ curl -v https://registry-1.docker.io/v2/waisbrot/wait/manifests/latest -H "Authorization: Bearer $DT" -XHEAD
*   Trying 52.7.141.30...
* Connected to registry-1.docker.io (52.7.141.30) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.docker.io
* Server certificate: RapidSSL SHA256 CA - G3
* Server certificate: GeoTrust Global CA
> GET /v2/waisbrot/wait/manifests/latest HTTP/1.1
> Host: registry-1.docker.io
> User-Agent: curl/7.43.0
> Accept: */*
> Authorization: Bearer LtVRw-etc-etc-etc
>
< HTTP/1.1 200 OK
< Content-Length: 4974
< Content-Type: application/vnd.docker.distribution.manifest.v1+prettyjws
< Docker-Content-Digest: sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3
< Docker-Distribution-Api-Version: registry/2.0
< Etag: "sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3"
< Date: Wed, 07 Sep 2016 16:37:15 GMT
< Strict-Transport-Security: max-age=31536000

但是,这个标题不一样。 pull命令让我6f21,标题显示128c。此外,pull命令不适用于该摘要:

$ docker pull waisbrot/wait@sha256:128c6e3534b842a2eec139999b8ce8aa9a2af9907e2b9269550809d18cd832a3                               
Error response from daemon: manifest unknown: manifest unknown

当我有正确的摘要时,事情就像我想要的那样:

$ docker pull waisbrot/wait@sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330                                 12:46  waisbrot@influenza
sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330: Pulling from waisbrot/wait
Digest: sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330
Status: Image is up to date for waisbrot/wait@sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330

我正在寻找的是一种将latest标签(一直在变化)转换为可以可靠拉动的固定摘要的方法。但是我不想实际将它拉下来进行翻译。

8 个答案:

答案 0 :(得分:12)

对于较新版本的Docker,inspect命令提供了正确的值:

docker inspect --format='{{index .RepoDigests 0}}' waisbrot/wait

对于旧版本,请使用主Docker repo:

在此示例后从存储库中获取值 
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
     -H "Authorization: Basic ${username_password_base64}" \
     'https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull'

Naive尝试获取该值失败,因为服务器选择的默认内容类型为application/vnd.docker.distribution.manifest.v1+prettyjws(v1清单),您需要v2清单。因此,您需要将Accept标头设置为application/vnd.docker.distribution.manifest.v2+json

答案 1 :(得分:1)

通过2个http请求,您可以获取它。第一个获取身份验证令牌,第二个获取按体系结构和变体形式的图像摘要列表:

token=$(curl --silent "https://auth.docker.io/token?scope=repository:$image:pull&service=registry.docker.io"  | jq -r '.token')

curl -s --header "Accept: application/vnd.docker.distribution.manifest.list.v2+json" --header "Authorization: Bearer ${token}" "https://registry-1.docker.io/v2/$image/manifests/$tag" | jq -r '.manifests|.[]| "\(.digest) \(.platform.architecture) \(.platform.variant)"'

示例:

image=library/nginx
tag=stable-alpine

sha256:8853c7e938c2aa5d9d7439e698f0e700f058df8414a83134a09fcbb68bb0707a amd64 null
sha256:dbcd23f95b94018fe72bfdb356e40f4ae8b95063883f3456fedaed1c02204ed4 arm v6
sha256:d3670edcd50bb07cae303767426adf9bc7ba0219736148d30e6f30dd4e08695c arm v7
sha256:0bcd76faa141e4fa37e875834b3994261e0cfc94b7233ac84896381315b845ca arm64 v8
sha256:da8e62ddb3fab89ff4fa0271dbe230f849ab53402a71338503952437dcda1026 386 null
sha256:269bf99e100294b6b75fbdecf7b4ddbef8b29ea0a953e2e904452a50dbc923ab ppc64le null
sha256:103da50956034c157abeffbc869e2e38a4fabbf913bed8ae6ae7c59e646b28a1 s390x null

答案 2 :(得分:1)

我最近遇到了一个任务,需要查看sha256摘要,而不必提取图像。工具skopeo进行注册表API调用,因此您无需提取图像。

例如,

$ skopeo inspect --creds "username:password" docker://waisbrot/wait:latest

如果您只想获取摘要值,则可以将其通过管道传输到jq

$ skopeo inspect --creds "username:password" \
  docker://waisbrot/wait:latest | jq -r '.Digest'
sha256:6f2185daa4ab1711181c30d03f565508e8e978ebd0f263030e7de98deee5f330

答案 3 :(得分:0)

我意识到这个问题已得到解答,但要么我遗漏了某些内容,要么当前版本的AWS ECR注册管理机构服务无法按预期运行。

当尝试使用HEAD从AWS ECR获取摘要并尝试切换内容类型时,不会返回我可用于使用注册表Api提取图像的摘要值。

要获得此摘要,您必须获取您感兴趣的标记的清单,并按原样计算响应J21 的sha256,包括格式,不带签名部分

答案 4 :(得分:0)

跟进ByteFlinger的建议,没有一个例子,我尝试了这个,这就是如何计算它:

$ docker-ls tag -registry https://myregistry.net:5000 
spicysomtam/zookeeper:latest
requesting manifest . done
repository: spicysomtam/zookeeper
tagName: latest
digest: sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036

$ curl -ns -H "Accept: 
application/vnd.docker.distribution.manifest.v2+json" -X GET  
https://myregistry.net:5000/v2/spicysomtam/zookeeper/manifests/latest|sha256sum
bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036  -

$ docker images --digests |grep zookeeper
myregistry.net:5000/spicysomtam/zookeeper           latest                                     sha256:bd5dd80253171e4dffccbea7c639c90a63d5424aa2d7fe655aea766405c83036   a983e71ca22d        29 hours ago        584MB

答案 5 :(得分:0)

您可以使用docker inspect

docker inspect --format='{{index .RepoDigests 0}}' ${IMAGE_NAME}

文档:https://docs.docker.com/engine/reference/commandline/inspect/

至少从v1.9起就已经存在。

答案 6 :(得分:0)

这就是您今天使用 V2 清单的方式。

docker manifest inspect <REMOTE IMAGE>:<TAG> -v

您的输出是 JSON:

{
  ...
  "Descriptor": {
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "digest": "sha256:d13e102941a9f7bd417440f62f9cb29de35f6acb13a26cbf6a34f4c7340f0b63",
        "size": 3255,
        "platform": {
            "architecture": "amd64",
            "os": "linux"
        }
  },
  ...
}

答案 7 :(得分:0)

我也为此苦苦挣扎。如果有人感兴趣,这是一个 C#(dotnet core 5.0)实现:

    /**
       TOKEN=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:waisbrot/wait:pull" | jq -r .token)
       curl -s -D - -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.docker.distribution.manifest.v2+json" https://index.docker.io/v2/waisbrot/wait/manifests/latest
    */
    private string GetRemoteImageDigest(string image, string tag) {
        using HttpClient client = new ();   
        var url = string.Format($"https://auth.docker.io/token?service=registry.docker.io&scope=repository:{image}:pull");
        //var response = client.Send(new HttpRequestMessage(HttpMethod.Get, url));
        var result = client.GetStringAsync(url);            
        var drt = JsonSerializer.Deserialize<DockerRegistryToken>(result.Result);
    
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", drt.Token);
        client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/vnd.docker.distribution.manifest.v2+json"));
        
        var response = client.GetAsync(string.Format($"https://index.docker.io/v2/{image}/manifests/{tag}"));                        
        var headers =  response.Result.Headers;
        IEnumerable<string> values;
        headers.TryGetValues("Docker-Content-Digest", out values);
        return values.FirstOrDefault();
    }

DockerRegistryToken 定义为:

public class DockerRegistryToken{
    [JsonPropertyName("token")]
    public string Token { get; set; }

    /// always null
    [JsonPropertyName("access_token")]
    public string AccessToken  {get; set; }

    [JsonPropertyName("expires_in")]
    public int ExpiresInSeconds { get; set; }

    [JsonPropertyName("issued_at")]
    public DateTime IssuedAt { get; set; }

}
相关问题
最新问题