-
Notifications
You must be signed in to change notification settings - Fork 1.1k
Include imageId / image hash in /images
response
#839
Comments
/images
response/images
response
Implementation notes .. Here's the digests and image IDs of some images:
NB:
The manifests associated with nats:1.0.4-linux are in the gist at https://gist.github.com/squaremo/aca1537a2e4f3081b4a8669464cf9fb9. Observations:
That's an image with a schema v2 manifest -- not all images have one. Here's one that doesn't:
The schema v1 manifest is at https://gist.github.com/squaremo/aca1537a2e4f3081b4a8669464cf9fb9#file-flux-1-0-0-beta-json. Observation: the v1 schema doesn't mention the image ID anywhere! (And neither do the blobs to which it refers -- they are just bits of filesystem.) |
Image IDs didn't exist in v1. In the olden days, Docker relied on randomly assigned UUIDs, it now uses SHA256 which actually are generated based on layer data. More in this video and slides. Personally, the way they expose IDs to the user is still quite confusing. Also, note that FYI, Kuberentes can pull by image ID, if you set |
So the |
quay.io only serves schema version 1, but if you pull an image from quay.io, Docker will happily display an image ID for it. So what I would like to know is where does Docker get that image ID? In the case of images in DockerHub, you can get both a schema v1 and a schema v2, and only the schema v2 has the ID. Ultimately what we're trying to solve here is: how do I know if two tags actually point at the same image? The digest is no good, since it will change for different tags. And, if the image is in quay.io, we don't appear to be able to get an image ID either, which might have helped. |
🤦♂️ |
I bumped into this: Looks like you have to opt-in to v2 using a heard. |
A header, yes I know. |
You should not use v1 schema. It was replaced with v2 because random IDs were an enormous security hole, ie you can effectively replace any content in another image by duplicating the id... |
Surely good advice. In this situation, it's not up to us, but up to the users of flux, and/or the maintainers of quay.io, which doesn't return v2 schema upon request. @justincormack Is there any answer to the question above -- "how do I know if two tags point at the same image?" -- with resort only to v1 schemas (and the blobs they point at)? |
See distribution/distribution#1662 (comment) for an explanation... |
OK thanks @justincormack. Perhaps my reading comprehension just isn't up to it, but I'm not able to get a definitive answer from that -- unless it's "when using older versions of docker or the registry the answer may require pulling an image to get the identifier used within docker" (presumably Docker itself does some trickery to obtain a stable ID, but this is considered dark magic and not spoken of). I think I'll have to look at Alternative Means, like using the topmost image from the history (of a v1 schema). It won't be the ID Docker uses itself, but (I think?) it will be enough to see when tags are pointing at the same image. |
To allow UI to accurately determine if the most recent tag is the same as whatever tag you're currently running.
For:
https://github.com/weaveworks/service-ui/issues/1172
https://github.com/weaveworks/service-ui/issues/1418
The text was updated successfully, but these errors were encountered: