How do I get the digest of a docker tar archive? Using the code below, I pull hello-world, get the digest of the image, and finally, save it as hello-world.tar.

docker pull hello-world
docker save hello-world > hello-world.tar

# Get the digest of the image **loaded into docker**
docker images --digests --filter=reference='hello-world'

REPOSITORY    TAG       DIGEST                                                                    IMAGE ID       CREATED         SIZE
hello-world   latest    sha256:faa03e786c97f07ef34423fccceeec2398ec8a5759259f94d99078f264e9d7af   feb5d9fea6a5   14 months ago   13.3kB

How can I get the digest from hello-world.tar? I'm expecting it to match the digest sha256:faa03e7... in the output shown above.

CodePudding user response：

If you untar hello-world.tar, you'll see:

drwxr-xr-x 2 ubuntu ubuntu  4096 Sep 23  2021 c28b9c2faac407005d4d657e49f372fb3579a47dd4e4d87d13e29edd1c912d5c
-rw-r--r-- 1 ubuntu ubuntu  1469 Sep 23  2021 feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412.json
-rw-rw-r-- 1 ubuntu ubuntu 24064 Dec  8 17:48 hello-world.tar
-rw-r--r-- 1 ubuntu ubuntu   207 Jan  1  1970 manifest.json
-rw-r--r-- 1 ubuntu ubuntu    94 Jan  1  1970 repositories

The manifest.json file has a field that shows you the name of the config file:

cat manifest.json | jq '.[0].Config'

"feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412.json"

If you inspect the Docker image loaded on the system for hello-world, you'll see that the name of the config file is the same as the SHA256 digest in the Id field:

docker inspect hello-world | jq '.[0].Id'

"sha256:feb5d9fea6a5e9606aa995e879d862b825965ba48de054caab5ef356dc6b3412"

This way, you can compare the 2 digest values, one from the loaded Docker image and one from the static tar.gz file.