Request: Make it possible to hash-address images by using `foo/bar@sha256:hash` before pushing to a registry

Logic: Using `foo/bar@sha256:hash` allows one to ensure that the manifest hasn't changed. However, since you have to push it to a registry first, you are limited to the registry, and cannot prevent it from files (or the Image) changing on disk over time.

When we do `docker build`, the `RepoDigests` field is empty in `docker inspect`, because a manifest does not exist. However, when we do `docker push`, it constructs the manifest (and the digest) based entirely on information that already is available at build time locally. Thus, rather than waiting until `docker push` to construct the manifest and its hash, we should construct them at `docker build` time. This should be fairly simple - move the code from `push` to `build`, although it cannot hurt to validate at `push` time - and thus will be available even for locally built images without pushing.

**Steps to reproduce the issue:**

1. build a simple image using `docker build -t foo/bar:tag .`
2. try to get the digest for that image via `docker inspect --format='{{index .RepoDigests 0}}' foo/bar:tag`; it fails
3. you cannot run the image using its sha256 manifest hash `docker run foo/bar@sha256:<something>`

**Describe the results you received:**

No way to get the manifest hash and thus close the validation loop without pushing to a registry.

**Describe the results you expected:**

Get the hash once the image is built.
**Output of `docker version`:**

```
Client:
 Version: 18.06.0-ce
 API version: 1.38
 Go version: go1.10.3
 Git commit: 0ffa825
 Built: Wed Jul 18 19:05:26 2018
 OS/Arch: darwin/amd64
 Experimental: true

Server:
 Engine:
  Version: 18.06.0-ce
  API version: 1.38 (minimum version 1.12)
  Go version: go1.10.3
  Git commit: 0ffa825
  Built: Wed Jul 18 19:13:46 2018
  OS/Arch: linux/amd64
  Experimental: true
```

**Output of `docker info`:**

```
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 607
Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host ipvlan macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.9.93-linuxkit-aufs
Operating System: Docker for Mac
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 1.952GiB
Name: linuxkit-025000000001
ID: UJ3S:YG5T:JDBM:ORIS:WAXS:FSBR:KM26:TFKL:NHOG:HEFE:JRTR:LBFH
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): true
File Descriptors: 27
Goroutines: 54
System Time: 2018-08-29T11:39:07.7983983Z
EventsListeners: 2
HTTP Proxy: gateway.docker.internal:3128
HTTPS Proxy: gateway.docker.internal:3129
Registry: https://index.docker.io/v1/
Labels:
Experimental: true
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
```
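
The digest after the `@` is the SHA-256 of the manifest bytes, and the manifest in turn lists the digest and size of the config blob and of every layer blob. The following added example (not part of the original issue and not Docker's code) builds a version 2 schema 2 manifest from constructed blobs and checks a pinned digest down to each blob; the function names are hypothetical, and it assumes the layer bytes are the compressed archives exactly as a registry would store them.

```python
import hashlib
import json

# Media types from the Docker image manifest, version 2 schema 2.
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
CONFIG_V1 = "application/vnd.docker.container.image.v1+json"
LAYER_GZIP = "application/vnd.docker.image.rootfs.diff.tar.gzip"


def digest(blob: bytes) -> str:
    """Content address of a blob, in the sha256:<hex> form used after the @."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def descriptor(media_type: str, blob: bytes) -> dict:
    return {"mediaType": media_type, "size": len(blob), "digest": digest(blob)}


def build_manifest(config: bytes, layers: list) -> bytes:
    """Serialize a manifest that commits to the config blob and each layer blob."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": MANIFEST_V2,
        "config": descriptor(CONFIG_V1, config),
        "layers": [descriptor(LAYER_GZIP, layer) for layer in layers],
    }
    return json.dumps(manifest, indent=3).encode()


def verify(pinned: str, manifest: bytes, config: bytes, layers: list) -> list:
    """Return the mismatches found; an empty list means the pin holds end to end."""
    if digest(manifest) != pinned:
        return ["manifest"]  # do not trust anything inside unpinned bytes
    doc = json.loads(manifest)
    expected = [doc["config"]] + doc["layers"]
    names = ["config"] + [f"layer[{i}]" for i in range(len(doc["layers"]))]
    blobs = [config] + list(layers)
    if len(blobs) != len(expected):
        return ["layer count"]
    return [n for n, d, b in zip(names, expected, blobs)
            if d["digest"] != digest(b) or d["size"] != len(b)]


if __name__ == "__main__":
    # Constructed sample blobs; real layers are gzip-compressed tar archives.
    cfg, layers = b'{"architecture":"amd64","os":"linux"}', [b"layer-0", b"layer-1"]
    man = build_manifest(cfg, layers)
    print("foo/bar@" + digest(man), verify(digest(man), man, cfg, layers))
    print(verify(digest(man), man, cfg, [b"layer-0", b"tampered"]))
```

Because the manifest is hashed as exact bytes, any re-serialization or recompression of a layer yields a different digest even when the unpacked files are identical.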