-
Notifications
You must be signed in to change notification settings - Fork 546
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
.Digest() gives wrong sha ! but Manifest() is correct #625
Comments
This is expected. The image's digest is the manifest's digest, which points to the config, which has a different digest. Container images are weird. 🤷♂️ |
To elaborate a bit -- what you're looking at with By default, If you call |
Thanks @jonjohnsonjr @imjasonh for the response. I am trying to find a cheap way to get the image SHA if I do docker inspect it takes 0.7 s
however if I use the code above it will take 4s, is there any cheaper way to get the image ID using go-containerregistry ? UPDATE:
but that also still takes 2.1 seconds |
I believe Jon was saying that this should return the "image ID" of the image (i.e., the digest of the image's config file -- not the "image's digest", which is the digest of the image's manifest file) img, _ := daemon.Image(ref)
cf, _ := img.ConfigName()
fmt.Println(cf) Once you've got the image metadata this shouldn't need to do much work, so I wouldn't expect this to take more than a few hundred ms. If you're seeing something else, that's likely a bug. |
@imjasonh that still takes 1.95ssec code:
|
I just wanted to chime in here and mention some issues I was running into from some downstream effects of this decision. I wanted to leave a tombstone for anyone debugging What I was attempting to doI'm attempting to write a macro to help with the deployment/rollout of services that use rules_docker and deploy into k8s. Essentially you can take a bunch of json/yaml with a similar format to this:
Where How this relates to go-containerregistryI'm noticing an issue when using images from Behavior I was seeing downstream
Reproducing this in bazel/rules_dockerImport a container:
Push your container:
The digest file produced by Temporary Hack (Fix)In
This creates a derivative container that |
@gravypod you might be hitting a bug in rules_docker (cc @smukherj1 for ideas). We expect Possibly the rules_docker internal representation for images isn't roundtripping, but I'd be really surprised. Maybe the "digest" file there isn't actually the manifest digest but something else, and this is just an issue of naming? |
@jonjohnsonjr I think you are correct. If this is a bug in If you look at that last link you can see the commenter thought that the
We might be able to update
From the perspective of |
@gravypod adding some more detail here... I did some work on this for a very similar reason. images in kubernetes manifests were are referenced by label, e.g. existing efforts to get the repo digest do this by pushing to the registry and recording the digest. this not deterministic because the format of the repo digest is not standardized. when I checked earlier this year there was a small difference between index.docker.io and gcr.io: pretty printing and whitespace. of course this can break at any point in the future. https://gist.github.com/NathanHowell/04a1e26cda9946acedee838aec75d28f has the relevant aspects I used to compute the repo digest for gcr.io. |
I think adding additional methods that do the same thing might actually make things more confusing -- the method names are from the perspective of a registry (hence go-containerregistry), which is a bit unfortunate if you're dealing with a
That is what's happening, so I still don't understand where this bug is.
There are a few reasons this might not be deterministic -- decompressing and recompressing the layers with different gzip implementations of compression levels is a common culprit.
There shouldn't ever be whitespace differences between registries. As part of the protocol, clients assert the digest of the contents when uploading them, and registries return the exact bytes of what was uploaded. If there's any difference in whitespace, it was done on the client side. Note that GCR's web UI will show pretty-printed manifests if you click a checkbox, but the underlying data is still whatever clients uploaded. |
@jonjohnsonjr ah ok, so I had a poorly setup test. our build was pushing images with bazel to @gravypod ignore some of my comments :-) |
Digest() gives wrong sha
Example
output
I expected them to be same !
for the record, the hash I get from Manifest() is the correct one (according to docker)
The text was updated successfully, but these errors were encountered: