最近工作中遇到个事情,我在本地虚拟机导出的镜像,导入到服务器发现镜像的digests是
根据官网给出的定义是:
使用V2以及V2以上格式的镜像将会有一个叫做digest的内容可寻址标识符。
根据定义来看,这个digest其实就是就是根据镜像内容产生的一个ID,官网上说,只要用于产生这个image的输入不变,那么digest就是可以预测的,换句话说只要镜像的内容不变digest也不会变。而这个digest主要是用在仓库内的。
那么,我们上面 pull httpd这个镜像,其实是可以两种方式pull的,比如,
简单的pull,docker pull httpd 这个时候使用的是阿里云的镜像仓库
$ docker pull httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32而这个时候,我们希望是从另一个私有的自己搭建的仓库拉取镜像,不希望这个镜像有一点点的改变,比如自己搭建的harbor私有仓库。当然,私有仓库内的该镜像也必须带有这个digest才可以正确拉取到哦。
带校验码拉取镜像可以保证我们拉取的镜像一定是一个正确的可以校验的镜像,保证内容是正确的。这个就是digest的功能。
假设已经有一个镜像拉取到本地了,但我们发现它没有digest或者digest不是我们想要的,怎么办呢?
查看docker的存储路径,也就是查看启动脚本定义的路径
- [root@slave1 ~]# cat /etc/systemd/system/docker.service
- [Unit]
- Description=Docker Application Container Engine
- Documentation=https://docs.docker.com
- After=network-online.target firewalld.service
- Wants=network-online.target
-
- [Service]
- Type=notify
- ExecStart=/usr/local/bin/dockerd --graph=/var/lib/docker
- ExecReload=/bin/kill -s HUP $MAINPID
- LimitNOFILE=infinity
- LimitNPROC=infinity
- LimitCORE=infinity
- TimeoutStartSec=0
- Delegate=yes
- KillMode=process
- Restart=on-failure
- StartLimitBurst=3
- StartLimitInterval=60s
-
- [Install]
- WantedBy=multi-user.target
进入镜像数据层目录,可以看到一个文件,repositories.json
- [root@slave1 overlay2]# pwd
- /var/lib/docker/image/overlay2
- [root@slave1 overlay2]# ll
- total 4
- drwx------ 4 root root 58 Jun 13 00:10 distribution
- drwx------ 4 root root 37 Jun 12 19:54 imagedb
- drwx------ 5 root root 45 Jun 13 00:10 layerdb
- -rw------- 1 root root 3278 Jun 28 12:09 repositories.json
[root@slave1 overlay2]# cat repositories.json
{"Repositories":{"httpd":{"httpd:latest":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34","httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34"},"jettech/kube-webhook-certgen":{"jettech/kube-webhook-certgen:v1.5.1":"sha256:a013daf8730dbb3908d66f67c57053f09055fddb28fde0b5808cb24c27900dc8","jettech/kube-webhook-certgen@sha256:950833e19ade18cd389d647efb88992a7cc077abedef343fa59e012d376d79b7":"sha256:a013daf8730dbb3908d66f67c57053f09055fddb28fde0b5808cb24c27900dc8"},"quay.io/coreos/flannel":{"quay.io/coreos/flannel:v0.13.0":"sha256:e708f4bb69e310904d564a1e67c3833d6a0428d3cf8dd9b9abba25c7aa0f3dfe"},"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns":{"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0":"sha256:bfe3a36ebd2528b454be6aebece806db5b40407b833e2af9617bf39afaff8c16"},"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd":{"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0":"sha256:0369cf4303ffdb467dc219990960a9baa8512a54b0ad9283eaf55bd6c0adb934"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.3":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7","registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy@sha256:1f99b26aad3a90358ad83b4065cf59002b5a913e839b70744caff4a84315a2e7":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.3":"sha256:aaefbfa906bd854407acc3495e8a3b773bb3770e4a36d836f7fd3255c299ab25"},"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller":{"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a":"sha256:435df390f3673c475f60eac1ed1c12fd1aea2e8a083927325aa6d5c969c5c8d2"},"registry.cn-hangzhou.aliyuncs.com/google_containers/pause":{"registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c","registry.cn-hangzhou.aliyuncs.com/google_containers/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c"},"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner":{"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner:v3.1.0-k8s1.11":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9","registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner@sha256:819e4176025d46637700e0a0711cc048d4171d4e6279be94e91ad53315c26a9d":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9"},"registry.hand-china.com/tools/redis":{"registry.hand-china.com/tools/redis:6.2.6-debian-10-r120":"sha256:74f63995c6262bed440fc5c23d66fbb7bdbd6e906a54f018c01d9fa8a17740b1","registry.hand-china.com/tools/redis@sha256:6a76298b78b9890ddac6010edfbea15545e6a5de20f2710a222cec44900a6e9f":"sha256:74f63995c6262bed440fc5c23d66fbb7bdbd6e906a54f018c01d9fa8a17740b1"}}}[root@slave1 overlay2]
给jettech/kube-webhook-certgen这个镜像增加digests为例,打开 repositories.json 这个文件,将httpd的digest dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 替换到两个jettech/kube-webhook-certgen后面的值,然后重启docker服务
[root@slave1 overlay2]# cat repositories.json
{"Repositories":{"httpd":{"httpd:latest":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34","httpd@sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34"},"jettech/kube-webhook-certgen":{"jettech/kube-webhook-certgen:v1.5.1":"sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34","jettech/kube-webhook-certgen@sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34":"sha256:a013daf8730dbb3908d66f67c57053f09055fddb28fde0b5808cb24c27900dc8"},"quay.io/coreos/flannel":{"quay.io/coreos/flannel:v0.13.0":"sha256:e708f4bb69e310904d564a1e67c3833d6a0428d3cf8dd9b9abba25c7aa0f3dfe"},"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns":{"registry.cn-hangzhou.aliyuncs.com/google_containers/coredns:1.7.0":"sha256:bfe3a36ebd2528b454be6aebece806db5b40407b833e2af9617bf39afaff8c16"},"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd":{"registry.cn-hangzhou.aliyuncs.com/google_containers/etcd:3.4.13-0":"sha256:0369cf4303ffdb467dc219990960a9baa8512a54b0ad9283eaf55bd6c0adb934"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy:v1.19.3":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7","registry.cn-hangzhou.aliyuncs.com/google_containers/kube-proxy@sha256:1f99b26aad3a90358ad83b4065cf59002b5a913e839b70744caff4a84315a2e7":"sha256:cdef7632a242bc23fd6abf4e42b4ea36706d096ccef09cc855d4ad057db822d7"},"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler":{"registry.cn-hangzhou.aliyuncs.com/google_containers/kube-scheduler:v1.19.3":"sha256:aaefbfa906bd854407acc3495e8a3b773bb3770e4a36d836f7fd3255c299ab25"},"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller":{"registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a":"sha256:435df390f3673c475f60eac1ed1c12fd1aea2e8a083927325aa6d5c969c5c8d2"},"registry.cn-hangzhou.aliyuncs.com/google_containers/pause":{"registry.cn-hangzhou.aliyuncs.com/google_containers/pause:3.2":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c","registry.cn-hangzhou.aliyuncs.com/google_containers/pause@sha256:927d98197ec1141a368550822d18fa1c60bdae27b78b0c004f705f548c07814f":"sha256:80d28bedfe5dec59da9ebf8e6260224ac9008ab5c11dbbe16ee3ba3e4439ac2c"},"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner":{"registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner:v3.1.0-k8s1.11":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9","registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner@sha256:819e4176025d46637700e0a0711cc048d4171d4e6279be94e91ad53315c26a9d":"sha256:e47e31bbe424e3df9827b75c68380b5e34d7619ce83ceaea4100bb50d1e0f3d9"},"registry.hand-china.com/tools/redis":{"registry.hand-china.com/tools/redis:6.2.6-debian-10-r120":"sha256:74f63995c6262bed440fc5c23d66fbb7bdbd6e906a54f018c01d9fa8a17740b1","registry.hand-china.com/tools/redis@sha256:6a76298b78b9890ddac6010edfbea15545e6a5de20f2710a222cec44900a6e9f":"sha256:74f63995c6262bed440fc5c23d66fbb7bdbd6e906a54f018c01d9fa8a17740b1"}}}
此时查看镜像会发现有两个jettech/kube-webhook-certgen
[root@slave1 overlay2]# docker images --digests \REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE registry.hand-china.com/tools/redis 6.2.6-debian-10-r120 sha256:6a76298b78b9890ddac6010edfbea15545e6a5de20f2710a222cec44900a6e9f 74f63995c626 4 months ago 95.2MB jettech/kube-webhook-certgen v1.5.1dabbfbe0c57b 6 months ago 144MB httpd latest sha256:0954cc1af252d824860b2c5dc0a10720af2b7a3d3435581ca788dff8480c7b32 dabbfbe0c57b 6 months ago 144MB registry.cn-hangzhou.aliyuncs.com/google_containers/nginx-ingress-controller sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a 435df390f367 16 months ago 279MB registry.cn-shanghai.aliyuncs.com/c7n/nfs-client-provisioner v3.1.0-k8s1.11 sha256:819e4176025d46637700e0a0711cc048d4171d4e6279be94e91ad53315c26a9d e47e31bbe424 18 months ago 49.8MB jettech/kube-webhook-certgen sha256:dabbfbe0c57b6e5cd4bc089818d3f664acfad496dc741c9a501e72d15e803b34 a013daf
其中一个就是带digest,一个不带的哦,至此,digest修改的任务就算完成了。