Modifying the Digests value of a Docker image

I encountered something at work recently. I exported an image from a local virtual machine and imported it to the server. I found that the digests of the image were . After searching online for a long time, I found that there was no relevant solution. The source code on the server was based on the hash value of the image. There is no Tag when pulling the image, and the image digests is . It is very painful to change the source code. After half a day of exploration, I found a solution, which is recorded here for future reference.

1. What is Digest

The definition given on the official website is:

Images using the V2 and above format will have a content-addressable identifier called digest.

According to this definition, the digest is an ID generated from the image content. The official documentation says that as long as the input used to generate the image remains unchanged, the digest is predictable. In other words, as long as the content of the image does not change, the digest does not change. The digest is mainly used by registries.

So the httpd image above can actually be pulled in two ways.

A simple pull, which at this point uses Alibaba Cloud's image registry:

$ docker pull httpd

Or a pull by digest:

$ docker pull httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32

In this case we want to pull the image from another private registry that we built ourselves, such as a self-hosted Harbor registry, and we do not want the image to differ in the slightest. Of course, the image in the private registry must also carry this digest before it can be pulled correctly.

Pulling the image with a checksum ensures that the image we pull is a correct and verifiable one and that its content is intact. This is what the digest is for.

2. How to modify Digest

Suppose an image has been pulled locally, but we find that it does not have a digest or the digest is not what we want, what should we do?

Check Docker's storage path, that is, the path defined in the startup script:

[root@slave1 ~]# cat /etc/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target firewalld.service
Wants=network-online.target
 
[Service]
Type=notify
ExecStart=/usr/local/bin/dockerd --graph=/var/lib/docker
ExecReload=/bin/kill -s HUP $MAINPID
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TimeoutStartSec=0
Delegate=yes
KillMode=process
Restart=on-failure
StartLimitBurst=3
StartLimitInterval=60s
 
[Install]
WantedBy=multi-user.target

Enter the image data directory and you will see a file named repositories.json:

[root@slave1 overlay2]# pwd
/var/lib/docker/image/overlay2
[root@slave1 overlay2]# ll
total 4
drwx------ 4 root root 58 Jun 13 00:10 distribution
drwx------ 4 root root 37 Jun 12 19:54 imagedb
drwx------ 5 root root 45 Jun 13 00:10 layerdb
-rw------- 1 root root 3278 Jun 28 12:09 repositories.json

[root@slave1 overlay2]# cat repositories.json
{"Repositories":{"httpd":{"httpd:latest":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34","httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34"},"jettech/kube-webhook-certgen":{"jettech/kube-webhook-certgen:v1.5.1":"sha256:a013daf8730dbb3908d66f67c57053f09055fddb28fde0b5808cb24c27900dc8","jettech/kube-webhook-certgen@sha256:950833e19ade18cd389d647efb88992a7cc077abedef343fa59e012d376d79b7":"sha256:a013daf8730dbb3908d66f67c57053f09055fddb28fde0b5808cb24c27900dc8"},"quay.io/coreos/flannel":{"quay.io/coreos/flannel:v0.13.0":"sha256:e708f4bb69e310904d564a1e67c3833d6a0428d3cf8dd9b9abba25c7aa0f3dfe"},"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns":{"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0":"sha256:bfe3a36ebd2528b454be6aebece806db5b40407b833e2af9617bf39afaff8c16"},"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd":{"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0":"sha256:0369cf4303ffdb467dc219990960a9baa8512a54b0ad9283eaf55bd6c0adb934"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.3":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7","registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy@sha256:1f99b26aad3a90358ad83b4065cf59002b5a913e839b70744caff4a84315a2e7":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.3":"sha256:aaefbfa906bd854407acc3495e8a3b773bb3770e4a36d836f7fd3255c299ab25"},"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller":{"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a":"sha256:435df390f3673c475f60eac1ed1c12fd1aea2e8a083927325aa6d5c969c5c8d2"},"registry.cn-hangzhou.aliyuncs.com/google_containers/pause":{"registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c","registry.cn-hangzhou.aliyuncs.com/google_containers/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c"},"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner":{"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner:v3.1.0-k8s1.11":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9","registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner@sha256:819e4176025d46637700e0a0711cc048d4171d4e6279be94e91ad53315c26a9d":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9"},"registry.hand-china.com/tools/redis":{"registry.hand-china.com /Tools/redis:62.2.6-debian-10-R120 ":Sha256:74F63995C6262BED440FC5C23D66FBBDBDBD6E906F01D9A17740B1 "regitive.Hand-Chin A.Com/Tools/redis@sha256:6A76298B78B9890dDAC6010edfbea15545De20F2710A2222222222222222222222222222222222a6e9f":74f6399Bed4440FC23D6 6FBB7BDBD6E906A54F018C01D9FA8A17740B1 "}}}

As an example, add a digest to the jettech/kube-webhook-certgen image. Open the repositories.json file, replace the value that follows each of the two jettech/kube-webhook-certgen references with httpd's value dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34, and then restart the docker service.

[root@slave1 overlay2]# cat repositories.json
{"Repositories":{"httpd":{"httpd:latest":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34","httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34"},"jettech/kube-webhook-certgen":{"jettech/kube-webhook-certgen:v1.5.1":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34","jettech/kube-webhook-certgen@sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34":"sha256:a013daf8730dbb3908d66f67c57053f09055fddb28fde0b5808cb24c27900dc8"},"quay.io/coreos/flannel":{"quay.io/coreos/flannel:v0.13.0":"sha256:e708f4bb69e310904d564a1e67c3833d6a0428d3cf8dd9b9abba25c7aa0f3dfe"},"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns":{"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0":"sha256:bfe3a36ebd2528b454be6aebece806db5b40407b833e2af9617bf39afaff8c16"},"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd":{"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0":"sha256:0369cf4303ffdb467dc219990960a9baa8512a54b0ad9283eaf55bd6c0adb934"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.3":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7","registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy@sha256:1f99b26aad3a90358ad83b4065cf59002b5a913e839b70744caff4a84315a2e7":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.3":"sha256:aaefbfa906bd854407acc3495e8a3b773bb3770e4a36d836f7fd3255c299ab25"},"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller":{"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a":"sha256:435df390f3673c475f60eac1ed1c12fd1aea2e8a083927325aa6d5c969c5c8d2"},"registry.cn-hangzhou.aliyuncs.com/google_containers/pause":{"registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c","registry.cn-hangzhou.aliyuncs.com/google_containers/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c"},"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner":{"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner:v3.1.0-k8s1.11":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9","registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner@sha256:819e4176025d46637700e0a0711cc048d4171d4e6279be94e91ad53315c26a9d":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9"},"registry.hand-china.com/tools/redis":{"registry.hand-china.com /Tools/redis:62.2.6-debian-10-R120 ":Sha256:74F63995C6262BED440FC5C23D66FBBDBDBD6E906F01D9A17740B1 "regitive.Hand-Chin A.Com/Tools/redis@sha256:6A76298B78B9890dDAC6010edfbea15545De20F2710A2222222222222222222222222222222222a6e9f":74f6399Bed4440FC23D6 6FBB7BDBD6E906A54F018C01D9FA8A17740B1 "}}}

Listing the images now, you will find that there are two jettech/kube-webhook-certgen entries:

[root@slave1 overlay2]# docker images --digests
REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE
registry.hand-china.com/tools/redis 6.2.6-debian-10-r120 sha256:6a76298b78b9890ddac6010edfbea15545e6a5de20f2710a222cec44900a6e9f 74f63995c626 4 months ago 95.2MB
jettech/kube-webhook-certgen v1.5.1 <none> dabbfbe0c57b 6 months ago 144MB
httpd latest sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32 dabbfbe0c57b 6 months ago 144MB
registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller <none> sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a 435df390f367 16 months ago 279MB
registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner v3.1.0-k8s1.11 sha256:819e4176025d46637700e0a0711cc048d4171d4e6279be94e91ad53315c26a9d e47e31bbe424 18 months ago 49.8MB
jettech/kube-webhook-certgen <none> sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 a013daf

One of them is with digest, and the other is without it. At this point, the task of modifying digest is completed.
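
An added example, not part of the original article: a read-only consistency check over repositories.json that flags the two side effects visible in the listing above, a digest reference whose hash is really a local image ID and a tag that no longer points at the image its repository's digest describes. The function name audit_repositories is hypothetical, and the sample file content is constructed with placeholder hashes.

```python
import json

# Constructed placeholder values, not hashes from the article.
HTTPD_ID = "sha256:" + "a" * 64        # image ID of httpd
CERTGEN_ID = "sha256:" + "b" * 64      # image ID of kube-webhook-certgen
HTTPD_MANIFEST = "sha256:" + "c" * 64  # manifest digest recorded by a real pull

# Constructed file content mirroring the hand-edited state shown above.
EDITED = json.dumps({"Repositories": {
    "httpd": {
        "httpd:latest": HTTPD_ID,
        "httpd@" + HTTPD_MANIFEST: HTTPD_ID,
    },
    "jettech/kube-webhook-certgen": {
        "jettech/kube-webhook-certgen:v1.5.1": HTTPD_ID,
        "jettech/kube-webhook-certgen@" + HTTPD_ID: CERTGEN_ID,
    },
}})


def audit_repositories(raw):
    """Return (severity, reference, reason) tuples for suspicious entries."""
    repos = json.loads(raw)["Repositories"]
    image_ids = {img for refs in repos.values() for img in refs.values()}
    findings = []
    for refs in repos.values():
        tags, digest_images = {}, set()
        for ref, image_id in refs.items():
            _, is_digest_ref, digest = ref.partition("@")
            if not is_digest_ref:
                tags[ref] = image_id
                continue
            digest_images.add(image_id)
            # In the classic image store this file belongs to, an image ID
            # hashes the image config and a repo digest hashes the manifest,
            # so the two should never match.
            if digest in image_ids:
                findings.append(("high", ref, "digest equals a local image ID"))
        for ref, image_id in tags.items():
            # Legitimate after a local build or `docker tag`, so review only.
            if digest_images and image_id not in digest_images:
                findings.append(("review", ref, "tagged image has no digest in this repository"))
    return findings


if __name__ == "__main__":
    for finding in audit_repositories(EDITED):
        print(*finding, sep=" | ")
```

A digest typed into repositories.json is only a local label: nothing re-hashes the manifest, so docker images --digests displays it without the content guarantee described in section 1.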
