Marek Grzenkowicz
Reputation: 17333
Docker image with 2 different SHA256 digests
What does it mean when inspect shows two RepoDigests values for a Docker image?
Example:
$ docker inspect aquasec/trivy:latest
[
{
"Id": "sha256:33106c9ec694a2e9057fb80a5451f4648ed67d6159cc034fa6340f4cfbe2b98a",
"RepoTags": [
"aquasec/trivy:latest"
],
"RepoDigests": [
"aquasec/trivy@sha256:76d47e5917c583fcad5ab4f83a23cb5e534c34649a994c73722fe6dfd86f2855",
"aquasec/trivy@sha256:c0d08ac683a0e36ac71555314140718cd8d224efb70a5ebe388ad5879be56445"
],
...
]
When I go to Docker Hub, only the c0d08ac683a0 is shown.
Upvotes: 3
Views: 1009
Answers (1)
BMitch
Reputation: 263469
aquasec/trivy is distributed as a multi-platform image. The first one in your list is from the manifest list itself, and the second digest is for your specific platform:
$ regctl manifest get --list aquasec/trivy
Name: aquasec/trivy
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest: sha256:76d47e5917c583fcad5ab4f83a23cb5e534c34649a994c73722fe6dfd86f2855
Manifests:
Name: docker.io/aquasec/trivy@sha256:c0d08ac683a0e36ac71555314140718cd8d224efb70a5ebe388ad5879be56445
MediaType: application/vnd.docker.distribution.manifest.v2+json
Platform: linux/amd64
Name: docker.io/aquasec/trivy@sha256:5d0d4ce0af0888f77b9831172f0ec6a6f8e6b087496a5d2677426e0492224302
MediaType: application/vnd.docker.distribution.manifest.v2+json
Platform: linux/arm64
The manifest list is a set of pointers to each platform manifest (and it has it's own digest):
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1159,
"digest": "sha256:c0d08ac683a0e36ac71555314140718cd8d224efb70a5ebe388ad5879be56445",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 1159,
"digest": "sha256:5d0d4ce0af0888f77b9831172f0ec6a6f8e6b087496a5d2677426e0492224302",
"platform": {
"architecture": "arm64",
"os": "linux"
}
}
]
}
And then the docker manifest for your platform includes references to the config and layer blobs:
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 1820,
"digest": "sha256:33106c9ec694a2e9057fb80a5451f4648ed67d6159cc034fa6340f4cfbe2b98a"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 2814446,
"digest": "sha256:a0d0a0d46f8b52473982a3c466318f479767577551a53ffc9074c9fa7035982e"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 6900624,
"digest": "sha256:0df7abe0cb9353fe074cad7942ce432f7a95cc1e80a4e4f15e326f4c79af7364"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 13101667,
"digest": "sha256:49b8248ae36d0bf5eefe15d56704da18a3239db65bb82d5e73426dafbc16e7df"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 4268,
"digest": "sha256:33a14db32fe04bfed4ebca691c13c0947b2bbceb9ae68c5118435b9dbaf4dfcd"
}
]
}
Upvotes: 3
Related Questions
- What's the difference between a Docker image's Image ID and its Digest?
- How to use a multiarch base docker image when specifying SHA
- Can a Docker image have more than one digest?
- DockerHub: sha digest doesn't match
- Docker build failure -- how to run image by sha256 hash?
- Different SHA1 for copied files in my docker image (from Maven Build)
- Get digest hash of docker image before downloading
- Is the sha256 hash of a docker image different between repositories?
- sha256 of locally built docker image
- Docker History Base Image Add:sha256hash