Issue
I see the following Digest for Jenkins Docker image.
However, when I pull this image I get a different digest i.e. the digest does not match.
docker pull jenkins:2.60.3
As you can see the digest do not match.
Another issue is that I cannot find the Digest SHA value on Docker Hub for the latest Jenkins docker image as you see below.
https://hub.docker.com/_/jenkins?tab=tags
Can you please suggest where can I find it?
Solution
There are lots of digests with images, and you're looking at two very different ones. At the top level there's a manifest list with it's digest, which you see in the docker images
command, in addition to a digest for the platform specific manifest (what most consider the image):
$ regctl image manifest --list jenkins:2.60.3
Name: jenkins:2.60.3
MediaType: application/vnd.docker.distribution.manifest.list.v2+json
Digest: sha256:eeb4850eb65f2d92500e421b430ed1ec58a7ac909e91f518926e02473904f668
Manifests:
Name: docker.io/library/jenkins@sha256:0de43cde2c4b864a8e4a84bbd9958e47c5d851319f118203303d040b0a74f159
MediaType: application/vnd.docker.distribution.manifest.v2+json
Platform: linux/amd64
Within an image manifest, there are also digests for the image config, and each filesystem layer. These are all packaged as blobs, and the second digest you're looking at is one of these filesystem layers:
$ regctl image manifest docker.io/library/jenkins@sha256:0de43cde2c4b864a8e4a84bbd9958e47c5d851319f118203303d040b0a74f159
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 12976,
"digest": "sha256:cd14cecfdb3a657ba7d05bea026e7ac8b9abafc6e5c66253ab327c7211fa6281"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 45310044,
"digest": "sha256:55cbf04beb7001d222c71bfdeae780bda19d5cb37b8dbd65ff0d3e6a0b9b74e6"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 10740168,
"digest": "sha256:1607093a898cc241de8712e4361dcd907898fff35b945adca42db3963f3827b3"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 4336107,
"digest": "sha256:9a8ea045c9261c180a34df19cfc9bb3c3f28f29b279bf964ee801536e8244f2f"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 50064642,
"digest": "sha256:d4eee24d4dacb41c21411e0477a741655303cdc48b18a948632c31f0f3a70bb8"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 892350,
"digest": "sha256:c58988e753d7a34080c68b53f7c27229d8f8fa80b9940c34d5cf77a9a2df10a0"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 246,
"digest": "sha256:794a04897db9ebf95b1f6430cd4d4051bd227a5f0698b18404ccd4c59e43273d"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 131,
"digest": "sha256:70fcfa476f730980d7a89f5ea34dd29c0c58e7cfe62652584e3adc38106e30ee"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 133944795,
"digest": "sha256:0539c80a02be3183761cc42f94a4f9cd5e3bc455f4ac3f4ecaab6d476b7fe330"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 246694,
"digest": "sha256:54fefc6dcf80a7be81ef627ec6ba8449a8ee7958a026ef947f99cac250af8f53"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 334,
"digest": "sha256:911bc90e47a85cca565f7b14404e7a0473f56ad56fe64a7d6967db7fbd78fa76"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 4149,
"digest": "sha256:38430d93efed3574476fb8f41057c2a02f17a21dc11affde95b8a8d52138d4e4"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 182,
"digest": "sha256:7e46ccda148ad58d1c301ab1307a7b7aec50ae3ee4e39c1041c0836072bb64e4"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 354772,
"digest": "sha256:c0cbcb5ac7477b970b1b8a3770fb53edee6d1006f47b3978c620bfc88db64fc7"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 433,
"digest": "sha256:35ade7a86a8e486a2413dd7fc65392212edc7d55c892d3c9c18120176a6ccd6f"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 70409105,
"digest": "sha256:aa433a6a56b1bdf8211085ff28d524a0988050e7b10bf24331417ff09c5b72cf"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 442,
"digest": "sha256:841c1dd38d620cb787959646579e3b1aeed5c126160ba374026bd9c348b8b512"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 1439,
"digest": "sha256:b865dcb08714ce7f0212fe30a08f7be313d8f1e0da826bef5c83fa7358276413"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 837,
"digest": "sha256:5a37790300054f7050ee94ac24a0f2f0693b613f887b24814be44750b6ac2a51"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 1552,
"digest": "sha256:12b47c68955c9d18c7e2058d3d349e70b600cee9fa38665e0fe2fdaacdd929a2"
},
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 2626,
"digest": "sha256:1322ea3e7bfdc77717f92042f9f69668a7b9698a8319eedf8b394542aa4e982e"
}
]
}
Since the manifest contains the list of layer digests and the config digest, the digest on that manifest uniquely guarantees the immutable content of that image. And similarly the manifest list contains a lists of manifest digests for each platform, so a digest on that manifest list uniquely identifies the set of manifests it references. This is the directed acyclic graph (DAG) and content addressable storage (CAS) that registries use to guarantee content with the parent digest.
Answered By - BMitch