skopeo copy does not preserve digests for certain images #1451

Closed
jeyaramashok opened this issue Sep 17, 2021 · 3 comments

jeyaramashok commented Sep 17, 2021

When we copy images between registries using skopeo, we observe that digests are stable in most cases. But occasionally the digest changes at the destination.

Can someone explain why this changes, or what we can do to prevent this change and preserve the digest if possible? (Should we build and push the image a particular way, or use a skopeo flag?)

How to reproduce?

1. Create a temporary registry

docker run -d -p 5000:5000 --restart=always --name registry registry:2

2. Copy the image

$ skopeo copy docker://icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64 --dest-tls-verify=false --debug
DEBU[0000] Loading registries configuration "/usr/local/etc/containers/registries.conf"
DEBU[0000] No credentials for localhost:5000 found
DEBU[0000] Using registries.d directory /usr/local/etc/containers/registries.d for sigstore configuration
DEBU[0000]  Using "default-docker" configuration
DEBU[0000]   Using file:///var/lib/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/localhost:5000
DEBU[0000] Trying to access "icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913"
DEBU[0000] No credentials for icr.io found
DEBU[0000] Using registries.d directory /usr/local/etc/containers/registries.d for sigstore configuration
DEBU[0000]  Using "default-docker" configuration
DEBU[0000]  No signature storage configuration found for icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913, using built-in default file:///Users/jey/.local/share/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/icr.io
DEBU[0000] GET https://icr.io/v2/
DEBU[0000] Ping https://icr.io/v2/ status 401
DEBU[0000] GET https://icr.io/oauth/token?scope=repository%3Acpopen%2Fibm-cpd-dods-operator-catalog%3Apull&service=registry
DEBU[0000] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/manifests/sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913
DEBU[0001] Content-Type from manifest GET is "application/vnd.docker.distribution.manifest.v2+json"
DEBU[0001] Using blob info cache at /Users/jey/.local/share/containers/cache/blob-info-cache-v1.boltdb
DEBU[0001] IsRunningImageAllowed for image docker:icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913
DEBU[0001]  Using default policy section
DEBU[0001]  Requirement 0: allowed
DEBU[0001] Overall: allowed
Getting image source signatures
DEBU[0001] GET https://icr.io/extensions/v2/cpopen/ibm-cpd-dods-operator-catalog/signatures/sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913
DEBU[0001] Manifest has MIME type application/vnd.docker.distribution.manifest.v2+json, ordered candidate list [application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.v1+prettyjws, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v1+json]
DEBU[0001] ... will first try using the original manifest unmodified
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0001] GET https://localhost:5000/v2/
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:1878e3c1a1aaf498e8567d0676b7dc6618187225afb1b9711c36e6326ab0ab91
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16
DEBU[0001] Ping https://localhost:5000/v2/ err Get "https://localhost:5000/v2/": http: server gave HTTP response to HTTPS client (&url.Error{Op:"Get", URL:"https://localhost:5000/v2/", Err:(*errors.errorString)(0xc000372370)})
DEBU[0001] GET http://localhost:5000/v2/
DEBU[0001] Ping http://localhost:5000/v2/ status 200
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:1878e3c1a1aaf498e8567d0676b7dc6618187225afb1b9711c36e6326ab0ab91
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16
DEBU[0001] ... not present
DEBU[0001] Trying to reuse cached location sha256:1878e3c1a1aaf498e8567d0676b7dc6618187225afb1b9711c36e6326ab0ab91 compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0001] ... Already tried the primary destination
DEBU[0001] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:1878e3c1a1aaf498e8567d0676b7dc6618187225afb1b9711c36e6326ab0ab91
DEBU[0001] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:1878e3c1a1aaf498e8567d0676b7dc6618187225afb1b9711c36e6326ab0ab91
DEBU[0001] ... not present
DEBU[0001] ... not present
DEBU[0001] Trying to reuse cached location sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0001] ... Already tried the primary destination
DEBU[0001] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c
DEBU[0001] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c
DEBU[0001] Trying to reuse cached location sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0 compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0001] ... Already tried the primary destination
DEBU[0001] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0
DEBU[0001] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0
DEBU[0001] ... not present
DEBU[0001] ... not present
DEBU[0001] Trying to reuse cached location sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5 compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0001] ... Already tried the primary destination
DEBU[0001] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0001] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0001] Trying to reuse cached location sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16 compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0001] ... Already tried the primary destination
DEBU[0001] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16
DEBU[0001] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16
DEBU[0001] ... not present
DEBU[0001] Trying to reuse cached location sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87 compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0001] ... Already tried the primary destination
DEBU[0001] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0001] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0001] Detected compression format gzip
DEBU[0001] Using original blob without modification
DEBU[0001] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0
DEBU[0001] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0
DEBU[0001] ... not present
DEBU[0001] Uploading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0001] POST http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0001] PATCH http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/b3cfdec5-5707-437b-8f76-98f59564867f?_state=BHtqWKOJ6zjuhw5Nm-Osa4v_uk-XdcHjXt2Ywx6fXiZ7Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiYjNjZmRlYzUtNTcwNy00MzdiLThmNzYtOThmNTk1NjQ4NjdmIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIxLTA5LTE3VDIxOjM5OjExLjkzMjkxNzdaIn0%3D
Copying blob 399e5d2c71d8 done
DEBU[0002] PUT http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/b3cfdec5-5707-437b-8f76-98f59564867f?_state=iV0yUk8n-HSTXVJA67HS4-fnN2BSO9ldBg2CKKK89lB7Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiYjNjZmRlYzUtNTcw
Copying blob 399e5d2c71d8 done
DEBU[0002] Detected compression format gzip
DEBU[0002] Using original blob without modification
DEBU[0002] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c
DEBU[0002] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c
DEBU[0002] ... not present
DEBU[0002] Uploading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0002] POST http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0002] Detected compression format gzip
DEBU[0002] Using original blob without modification
DEBU[0002] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0002] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0002] ... not present
DEBU[0002] Uploading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0002] Detected compression format gzip
DEBU[0002] Using original blob without modification
DEBU[0002] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0002] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0002] Upload of layer sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0 complete
DEBU[0002] PATCH http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/8e82921a-5892-41e5-aa77-93df2311734e?_state=rHFBSUPUyCl-n6kLzzoUaPio5w22KeLeHUk_j54dNoB7Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiOGU4MjkyMWEtNTg5Mi00MWU1LWFhNzctOTNkZjIzMTE3MzRlIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIxLTA5LTE3VDIxOjM5OjEyLjAyMjExNzJaIn0%3D
DEBU[0002] ... not present
DEBU[0002] Uploading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0002] Detected compression format gzip
DEBU[0002] Using original blob without modification
DEBU[0002] Detected compression format gzip
DEBU[0002] Using original blob without modification
DEBU[0002] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16
DEBU[0002] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16
DEBU[0002] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:93e0328ec41b1bddc5ad75cabd617e9a7084641456171c63b074f6742d58266e
DEBU[0002] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:93e0328ec41b1bddc5ad75cabd617e9a7084641456171c63b074f6742d58266e
DEBU[0002] PATCH http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/eee7e8b6-2957-43ca-ab21-bfd4e2fea04f?_state=p3al1E6ddLeXRLcQZcopgJZAY_mhn9W6Sz9OA-HB97l7Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiZWVlN2U4YjYtMjk1Ny00M2NhLWFiMjEtYmZkNGUyZmVhMDRmIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIxLTA5LTE3VDIxOjM5OjEyLjI2MDIzNTVaIn0%3D
DEBU[0002] PUT http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/d01c8ea1-8e72-485b-8cd0-baaa8432ad7c?_state=6TNJopT469eWoGsbZvNrOeoALfzXOuPm28vdTncnZM57Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiZDAxYzhlYTEtOGU3Mi00ODViLThjZDAtYmFhYTg0MzJhZDdjIiwiT2Zmc2V0IjoxNjUsIlN0YXJ0ZWRBdCI6IjIwMjEtMDktMTdUMjE6Mzk6MTJaIn0%3D&digest=sha256%3Afca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87
DEBU[0002] ... not present
DEBU[0002] PUT http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/784f15c8-55bd-4266-8b5c-cbbf64f6e129?_state=3WkdadP9CGmmwBH_KHrqxc6UAX5IDvilaUxXqKA9Tbd7Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiNzg0ZjE1YzgtNTViZC00MjY2LThiNWMtY2JiZjY0ZjZlMTI5IiwiT2Zmc2V0Ijo0MTk5LCJTdGFydGVkQXQiOiIyMDIxLTA5LTE3VDIxOjM5OjEyWiJ9&digest=sha256%3Ae067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5
DEBU[0002] Trying to reuse cached location sha256:93e0328ec41b1bddc5ad75cabd617e9a7084641456171c63b074f6742d58266e compressed with gzip in localhost:5000/cpopen/ibm-cpd-dods-operator-catalog
DEBU[0002] ... Already tried the primary destination
DEBU[0002] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:93e0328ec41b1bddc5ad75cabd617e9a7084641456171c63b074f6742d58266e
DEBU[0003] Detected compression format gzip
DEBU[0003] Using original blob without modification
Copying blob 399e5d2c71d8 done
Copying blob 7782f100031b done
Copying blob e067f9b1719b done
Copying blob fca16aff6ae7 done
Copying blob 1878e3c1a1aa done
Copying blob 2032bfee0321 done
Copying blob 93e0328ec41b done
Copying blob 5f70bf18a086 done
DEBU[0004] Downloading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac
DEBU[0004] GET https://icr.io/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac
DEBU[0005] No compression detected
DEBU[0005] Using original blob without modification
DEBU[0005] Checking /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac
DEBU[0005] HEAD http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/sha256:e714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac
DEBU[0005] ... not present
DEBU[0005] Uploading /v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0005] POST http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/
DEBU[0005] PATCH http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/31089a1f-7e1c-4f39-9d06-af949e973a9d?_state=BPcVfgcjRwNR3th7TJPi6qqrn6bBdHpNjB8ezp7vmz97Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiMzEwODlhMWYtN2UxYy00ZjM5LTlkMDYtYWY5NDllOTczYTlkIiwiT2Zmc2V0IjowLCJTdGFydGVkQXQiOiIyMDIxLTA5LTE3VDIxOjM5OjE1LjAwMjM0MjRaIn0%3D
Copying config e714e85d96 done
DEBU[0005] PUT http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/blobs/uploads/31089a1f-7e1c-4f39-9d06-af949e973a9d?_state=OGYNPf6UUR9PfXLYB1_bQG3Ru8BoFW2ExHr2bqPbVh97Ik5hbWUiOiJjcG9wZW4vaWJtLWNwZC1kb2RzLW9wZXJhdG9yLWNhdGFsb2ciLCJVVUlEIjoiMzEwODlhMWYtN2UxYy00ZjM5LTlkMDYtYWY5NDllOTczYTlkIiwiT2Zmc2V0Ijo3NDY0LCJTdGFydGVkQXQiOiIyMDIxLTA5LTE3VDIxOjM5OjE1WiJ9&digest=sha256%3Ae714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac
Copying config e714e85d96 done
Writing manifest to image destination
DEBU[0005] PUT http://localhost:5000/v2/cpopen/ibm-cpd-dods-operator-catalog/manifests/v4.0.1-20210716.110818-211-linux.amd64
Storing signatures

3. Difference in digests between source and destination registry

$ skopeo inspect docker://icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 | jq '.Digest'
"sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913"

$ skopeo inspect docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64 --tls-verify=false | jq '.Digest'
"sha256:40bf0af6d0da314949edc04c22578cf7b575a97754f0ad84dce646c469729316"

Additional Info:

There seems to be a difference in one image layer between the source and the copy:

$ skopeo inspect docker://icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 --raw | jq . > cdp-image-raw-orig.json
$ skopeo inspect docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64 --tls-verify=false --raw | jq . > cdp-image-raw-copy.json
$ diff cdp-image-raw-orig.json cdp-image-raw-copy.json
46,48c46,48
<       "mediaType": "application/vnd.docker.image.rootfs.diff.tar",
<       "size": 1024,
<       "digest": "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef"
---
>       "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
>       "size": 42,
>       "digest": "sha256:4ca545ee6d5db5c1170386eeb39b2ffe3bd46e5d4a73a9acbebc805f19607eb3"

Collaborator

mtrmac commented Sep 20, 2021

Thanks for your report.

The 5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef layer is empty, and not compressed. It is usual for it to be represented as a compressed layer with digest a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4.


Fundamentally, it’s a very reasonable desire that Skopeo should be able to copy an image without changing its digest at all. Currently that happens when copying to digest references, or when the image is signed; #1378 tracks allowing users to explicitly prohibit image changes, in situations like these.


As for workarounds/process changes with the software as is:

During uploads, Skopeo primarily tries to avoid the upload; so if the registry is known to contain a version of the blob, it is reused.

If uploading, Skopeo compresses files when uploading to registries; that’s typically quite useful when the source uses an uncompressed format, but that policy is independent of the source, and currently there isn’t an opt-out.

Creating the image: It might be possible to change how the image was originally created. Either the source image was somehow ~intentionally built with an uncompressed layer and uploaded to a registry that way (which might be possible to fix in the tool that did that); Or maybe Buildah was used to create the final image, and Buildah noticed that the uncompressed version of that layer exists on the registry, so it decided to reuse it instead of uploading the a3e… version; that could be worked around by somehow removing the 5f7… version from the registry, if the registry (and existing images) allow it.

Copying the image: Alternatively, when taking the image as given, and just wanting to copy it, this might work:

skopeo copy $options docker://icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:$digest docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog@sha256:$digest
skopeo copy $options docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog@sha256:$digest docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64

(because copies to a digested reference prohibit changing the image, and a later copy in the same location will notice that all necessary objects are already present, and thus not cause a new copy that could possibly compress the data.)
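
The effect described in the comment above, as an added example that is not part of the original thread and is not Skopeo code: a manifest digest is the SHA-256 of the manifest bytes, so rewriting one layer descriptor (here the uncompressed empty layer becoming a gzip layer) changes the image digest. The two-layer manifests are constructed for illustration using the layer values shown in the issue's diff; the function names and the config size are assumptions.

```python
import hashlib
import json

# Media types that mark an uncompressed tar layer. The Docker type is the one
# shown in the issue's diff; the OCI type is its equivalent.
UNCOMPRESSED_LAYER_TYPES = {
    "application/vnd.docker.image.rootfs.diff.tar",
    "application/vnd.oci.image.layer.v1.tar",
}


def sha256_digest(data: bytes) -> str:
    """Digest string in registry form, computed over the exact bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def uncompressed_layers(manifest: dict) -> list:
    """(index, digest) of layers that a compressing copy would rewrite."""
    return [
        (i, layer["digest"])
        for i, layer in enumerate(manifest.get("layers", []))
        if layer.get("mediaType") in UNCOMPRESSED_LAYER_TYPES
    ]


def changed_descriptors(src: dict, dst: dict) -> list:
    """Indexes of layer descriptors that differ between two manifests."""
    a, b = src.get("layers", []), dst.get("layers", [])
    changed = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # Layers present on only one side also count as changes.
    changed.extend(range(min(len(a), len(b)), max(len(a), len(b))))
    return changed


def compare_copy(src_raw: bytes, dst_raw: bytes) -> dict:
    """Compare the raw manifest bytes fetched from source and destination."""
    src, dst = json.loads(src_raw), json.loads(dst_raw)
    src_digest, dst_digest = sha256_digest(src_raw), sha256_digest(dst_raw)
    return {
        "source_digest": src_digest,
        "dest_digest": dst_digest,
        "digest_preserved": src_digest == dst_digest,
        "changed_layers": changed_descriptors(src, dst),
        "source_uncompressed": uncompressed_layers(src),
    }


# An empty tar archive is 1024 zero bytes; its digest is the 5f70bf18... value
# that appears in the source manifest in the issue.
EMPTY_TAR = bytes(1024)
EMPTY_TAR_DIGEST = sha256_digest(EMPTY_TAR)


def build_manifest(last_layer: dict) -> bytes:
    """Constructed schema 2 manifest: one gzip layer plus `last_layer`."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {
            "mediaType": "application/vnd.docker.container.image.v1+json",
            "size": 7464,  # constructed value
            "digest": "sha256:e714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac",
        },
        "layers": [
            {
                "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                "size": 165,
                "digest": "sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87",
            },
            last_layer,
        ],
    }
    return json.dumps(manifest, indent=3).encode()


# Source side of the issue's diff: uncompressed empty layer.
SRC_RAW = build_manifest({
    "mediaType": "application/vnd.docker.image.rootfs.diff.tar",
    "size": 1024,
    "digest": EMPTY_TAR_DIGEST,
})
# Destination side of the issue's diff: the same layer after gzip compression.
DST_RAW = build_manifest({
    "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
    "size": 42,
    "digest": "sha256:4ca545ee6d5db5c1170386eeb39b2ffe3bd46e5d4a73a9acbebc805f19607eb3",
})

if __name__ == "__main__":
    print(json.dumps(compare_copy(SRC_RAW, DST_RAW), indent=2))
```

Running `uncompressed_layers` on the output of `skopeo inspect --raw` before a copy shows whether the image contains a layer that a compressing upload would rewrite.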

@jeyaramashok
Author

Thanks for the detailed response, this really helps. I tried the suggested workaround for copy and it works.

I guess we could have prevented this by using skopeo to push to our first destination icr.io (which we want to be source of truth), since skopeo would have compressed it for us by default during that copy.

fwiw, just found that oc image mirror seems to handle this particular scenario.

$ oc image mirror icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64 --insecure=true
localhost:5000/
  cpopen/ibm-cpd-dods-operator-catalog
    blobs:
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:fca16aff6ae7f5bee79ab10193243fe8ed43ee29ef1334e7636b7d5b75501f87 165B
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef 1KiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:399e5d2c71d84493b24c09ff0036c9f79c36a001ee70d37fe004f778897966b0 1.774KiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:e067f9b1719be8491395f9f6c0281af1033cd9b4370e0088e49fb54c670d05e5 4.101KiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:e714e85d96023ebb42f4c787ff2d05fda27abdb7e1752bf3a79130707ef42eac 7.289KiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:93e0328ec41b1bddc5ad75cabd617e9a7084641456171c63b074f6742d58266e 21.95KiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:2032bfee0321847b2a2637a93d285b478b25277c4de1241b1ff326fc0a0e5e16 3.596MiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:1878e3c1a1aaf498e8567d0676b7dc6618187225afb1b9711c36e6326ab0ab91 14.21MiB
      icr.io/cpopen/ibm-cpd-dods-operator-catalog sha256:7782f100031b10d1ebfdf01b4500b237d4457cf15d55748b4beeea505372508c 40.23MiB
    manifests:
      sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 -> v4.0.1-20210716.110818-211-linux.amd64
  stats: shared=0 unique=9 size=58.08MiB ratio=1.00

phase 0:
  localhost:5000 cpopen/ibm-cpd-dods-operator-catalog blobs=9 mounts=0 manifests=1 shared=0

info: Planning completed in 15.25s
sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64
info: Mirroring completed in 820ms (1.241kB/s)
$ skopeo inspect docker://localhost:5000/cpopen/ibm-cpd-dods-operator-catalog:v4.0.1-20210716.110818-211-linux.amd64 --tls-verify=false | jq '.Digest'
"sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913"
$ skopeo inspect docker://icr.io/cpopen/ibm-cpd-dods-operator-catalog@sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913 | jq '.Digest'
"sha256:4a6637ce09afd4073c4d83d57e90d62ffc31e185d5c651b5836bfae1baa91913"

Since there's an existing #1378 to address this, please close this if not needed.

Collaborator

mtrmac commented Sep 22, 2021

Thanks for the confirmation, let’s track this in #1378.

@mtrmac mtrmac closed this as completed Sep 22, 2021
Jamstah added a commit to Jamstah/image that referenced this issue Nov 21, 2021
A digest-stable copy seems popular, even when not copying signed images.
Using --all can still change digests. Adding an option to ensure digests
are preserved.

See:
containers/skopeo#1440
containers/skopeo#1378
containers/skopeo#1102
containers/skopeo#1451

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah added a commit to Jamstah/image that referenced this issue Nov 22, 2021
A digest-stable copy seems popular, even when not copying signed images.
Using --all can still change digests. Adding an option to ensure digests
are preserved.

Also adding a missing check to enable digest preservation for manifest
lists where the destination is digested.

See:
containers/skopeo#1440
containers/skopeo#1378
containers/skopeo#1102
containers/skopeo#1451

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
Jamstah added a commit to Jamstah/image that referenced this issue Nov 26, 2021
A digest-stable copy seems popular, even when not copying signed images.
Using --all can still change digests. Adding an option to ensure digests
are preserved.

Also adding a missing check to enable digest preservation for manifest
lists where the destination is digested.

See:
containers/skopeo#1440
containers/skopeo#1378
containers/skopeo#1102
containers/skopeo#1451

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
nlewo pushed a commit to nlewo/image that referenced this issue Dec 26, 2021
A digest-stable copy seems popular, even when not copying signed images.
Using --all can still change digests. Adding an option to ensure digests
are preserved.

Also adding a missing check to enable digest preservation for manifest
lists where the destination is digested.

See:
containers/skopeo#1440
containers/skopeo#1378
containers/skopeo#1102
containers/skopeo#1451

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 19, 2023