I am debugging a problem with python3.10 and gitlab-ci/cd. Apparently, in the last weeks, a newer image of python 3.10.12 was pushed, updating the underlying OS from debian 11 to debian 12 (bullseye). While trying to diagnose this problem, I ran into the following situation:
$ docker images --digests
python <none> sha256:1435f1edde19dbe479b0ea9d358bff26726ddd391c8b6fe587624d84a68da31e 23e11cf6844c 7 days ago 1GB
python <none> sha256:a8462db480ec3a74499a297b1f8e074944283407b7a417f22f20d8e2e1619782 23e11cf6844c 7 days ago 1GB
How is this possible? How can two images have the same digest? Doesn’t that undermine the purpose of a digest?
2 Answers
Check this answer, "What's the difference between a Docker image's Image ID and its Digest?", to understand the difference between image ID and Digest.
It can happen that the ID and the digest are different between images.
This case happens when your images are the same but you change options related to the images, such as adding the platforms list (linux/386, linux/amd64, linux/arm64, etc.) to the manifest. In this case the image, and so the ID, remains identical but the digest changes.

An image consists of several components: the layers, the config, and the manifest that represents both. These are described in the OCI image-spec. Docker uses the hash of the config JSON as the image ID. This JSON contains the hashes of the uncompressed layers, so it is guaranteed to be unique for a platform specific image.
The digests are the hashes of the manifest. There are currently two types of manifest, an image manifest and a manifest list (used by multi-platform images to point to the image manifest of each platform). Those manifests also have OCI and Docker media types for at least 4 types of manifests (there are a couple more legacy ones I’ll avoid getting into).
So the digest can be for a multi-platform manifest, the platform specific manifest, or different unrelated content, or a different JSON rendering of either of those (changing the JSON white space, reordering keys in the map, etc., will all change the hash of the JSON). In this case, it’s two different manifest lists, where the AMD64 image is unchanged, but all of the other platforms were updated:
And you can see that 23e11... hash on the config of the AMD64 image:
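
Added example (not part of either answer, and not Docker's or the registry's own code): a small content-addressed store showing how two manifest lists with different digests resolve to the same amd64 image ID, and how re-rendering the same JSON also changes the digest. The manifests are simplified (no size fields, layers omitted), every hash is constructed, and the helper names (put, get, image_id, build_index) are hypothetical.

```python
import hashlib
import json

def digest(blob: bytes) -> str:
    """Content address of a blob, computed over the raw bytes."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def put(store: dict, obj, **dump_kw) -> str:
    """Serialize obj to JSON, store it under its digest, return the digest."""
    blob = json.dumps(obj, **dump_kw).encode()
    store[digest(blob)] = blob
    return digest(blob)

def get(store: dict, ref: str) -> dict:
    """Fetch a blob and verify it hashes to the digest it was requested by."""
    blob = store[ref]
    if digest(blob) != ref:
        raise ValueError(f"digest mismatch for {ref}")
    return json.loads(blob)

def image_id(store: dict, index_digest: str, arch: str) -> str:
    """Walk manifest list -> platform manifest -> config digest (the IMAGE ID)."""
    for entry in get(store, index_digest)["manifests"]:
        if entry["platform"]["architecture"] == arch:
            return get(store, entry["digest"])["config"]["digest"]
    raise LookupError(arch)

def build_index(store: dict, amd64_manifest: str, arm64_layer: str, **dump_kw) -> str:
    """Constructed manifest list: the amd64 entry is fixed, arm64 varies per push."""
    arm64_cfg = put(store, {"architecture": "arm64", "os": "linux",
                            "rootfs": {"diff_ids": [arm64_layer]}})
    arm64_manifest = put(store, {"schemaVersion": 2, "config": {"digest": arm64_cfg}})
    return put(store, {
        "schemaVersion": 2, "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [
            {"digest": amd64_manifest, "platform": {"architecture": "amd64", "os": "linux"}},
            {"digest": arm64_manifest, "platform": {"architecture": "arm64", "os": "linux"}},
        ]}, **dump_kw)

# Constructed sample data (not real python:3.10 content).
STORE = {}
AMD64_CFG = put(STORE, {"architecture": "amd64", "os": "linux",
                        "rootfs": {"diff_ids": ["sha256:" + "aa" * 32]}})
AMD64_MANIFEST = put(STORE, {"schemaVersion": 2, "config": {"digest": AMD64_CFG}})
OLD_PUSH = build_index(STORE, AMD64_MANIFEST, "sha256:" + "bb" * 32)
NEW_PUSH = build_index(STORE, AMD64_MANIFEST, "sha256:" + "cc" * 32)
REINDENTED = build_index(STORE, AMD64_MANIFEST, "sha256:" + "cc" * 32, indent=2)

if __name__ == "__main__":
    for name, ref in [("old", OLD_PUSH), ("new", NEW_PUSH), ("reindented", REINDENTED)]:
        print(name, ref[:19], "-> IMAGE ID", image_id(STORE, ref, "amd64")[:19])
```

All three manifest-list digests differ, yet each resolves to the same amd64 config digest, which matches the two rows in the question that share one IMAGE ID.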