skip to Main Content

I am debugging a problem with python3.10 and gitlab-ci/cd. Apparently, in the last weeks, a newer image of python 3.10.12 was pushed, updating the underlying OS from debian 11 to debian 12 (bullseye). While trying to diagnose this problem, I ran into the following siutation:

$ docker images --digests
python   <none> sha256:1435f1edde19dbe479b0ea9d358bff26726ddd391c8b6fe587624d84a68da31e   23e11cf6844c   7 days ago      1GB
python   <none> sha256:a8462db480ec3a74499a297b1f8e074944283407b7a417f22f20d8e2e1619782   23e11cf6844c   7 days ago      1GB

How is this possible? How can two images have the same digest? Doesn’t that undermine the purpose of a digest?

2

Answers


  1. Check this answer What's the difference between a Docker image's Image ID and its Digest? to understand teh difference betweeen image ID and Digest.

    It can happen that the ID and the digest are different between images.
    This case happen when your images are the same but you change options related to the images, such as adding the platforms list (linux/386, linux/amd64, linux/arm64, etc.) to the manifest. In this case the image, and so the ID, remains identical but the digest change.

    Login or Signup to reply.
  2. An image consists of several components: the layers, the config, and the manifest that represents both. These are described in the OCI image-spec. Docker uses the hash of the config JSON as the image ID. This JSON contains the hashes of the uncompressed layers, so it is guaranteed to be unique for a platform specific image.

    The digests are the hashes of the manifest. There are currently two types of manifest, an image manifest and a manifest list (used by multi-platform images to point to the image manifest of each platform). Those manifests also have OCI and Docker media types for at least 4 types of manifests (there are a couple more legacy ones I’ll avoid getting into).

    So the digest can be for a multi-platform manifest, the platform specific manifest, or a different unrelated content or a different JSON rendering of either of those (changing the JSON white space, reordering keys the map, etc, will all change the hash of the JSON). In this case, it’s two different manifest lists, where the AMD64 image is unchanged, but all of the other platforms were updated:

    $ docker buildx imagetools inspect python@sha256:1435f1edde19dbe479b0ea9d358bff26726ddd391c8b6fe587624d84a68da31e
    Name:      docker.io/library/python@sha256:1435f1edde19dbe479b0ea9d358bff26726ddd391c8b6fe587624d84a68da31e
    MediaType: application/vnd.docker.distribution.manifest.list.v2+json
    Digest:    sha256:1435f1edde19dbe479b0ea9d358bff26726ddd391c8b6fe587624d84a68da31e
    
    Manifests:
      Name:      docker.io/library/python@sha256:4a1aacea636cab6af8f99f037d1e56a4de97de6025da8eff90b3315591ae3617
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/amd64
    
      Name:      docker.io/library/python@sha256:14b2ce1eda6a5685fa7be19a09dd9f47e7d497a0f25e1cf03fd7bc7edbb6225c
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/arm/v5
    
      Name:      docker.io/library/python@sha256:6220f606209088b68d4572fca6c280085f79b8757bb00d40e308dbcd7219b5c1
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/arm/v7
    
      Name:      docker.io/library/python@sha256:5e7192c06de51ff1164ea123aa7ef71c85886339078cea09aaa5671bc9015eab
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/arm64/v8
    
      Name:      docker.io/library/python@sha256:8bc1f0da01b11fba3152f43cfdd6e60be09de0f9e4ff722b8c59777301a47ca7
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/386
    
      Name:      docker.io/library/python@sha256:a034324572d801a0626d98ef681748510dd721ca15104864f761477cf98b6e1f
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/ppc64le
    
      Name:      docker.io/library/python@sha256:480ad5c174411791a08b614e2ecf587b4a52d514725924729d71a7ee3e22613f
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/s390x
    
    $ docker buildx imagetools inspect python@sha256:a8462db480ec3a74499a297b1f8e074944283407b7a417f22f20d8e2e1619782
    Name:      docker.io/library/python@sha256:a8462db480ec3a74499a297b1f8e074944283407b7a417f22f20d8e2e1619782
    MediaType: application/vnd.docker.distribution.manifest.list.v2+json
    Digest:    sha256:a8462db480ec3a74499a297b1f8e074944283407b7a417f22f20d8e2e1619782
    
    Manifests:
      Name:      docker.io/library/python@sha256:4a1aacea636cab6af8f99f037d1e56a4de97de6025da8eff90b3315591ae3617
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/amd64
    
      Name:      docker.io/library/python@sha256:04f58351f4387ae9f23df91d2174777e02c9110de0845dfc02abf3675bafda37
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/arm/v5
    
      Name:      docker.io/library/python@sha256:8fed3b37d3954ca556604db5b7e7b2f1856efaa5625d0ef763c31efd1f106fbd
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/arm/v7
    
      Name:      docker.io/library/python@sha256:5e7192c06de51ff1164ea123aa7ef71c85886339078cea09aaa5671bc9015eab
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/arm64/v8
    
      Name:      docker.io/library/python@sha256:411d4ffa2d620de28120e2d363386f9ccd992ff11c4f7f7f4abbdce04d3d90b6
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/386
    
      Name:      docker.io/library/python@sha256:864a650024d6f6f93ba042c5667bb598dcb3f68311825a98b47fd6a00490a088
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/ppc64le
    
      Name:      docker.io/library/python@sha256:b0fe9eab552b92321f5bc4a4f060efcf52282b58fb871b09434fe0c2b33fff92
      MediaType: application/vnd.docker.distribution.manifest.v2+json
      Platform:  linux/s390x
    

    And you can see that 23e11... hash on the config of the AMD64 image:

    $ regctl manifest get python@sha256:4a1aacea636cab6af8f99f037d1e56a4de97de6025da8eff90b3315591ae3617
    Name:        python@sha256:4a1aacea636cab6af8f99f037d1e56a4de97de6025da8eff90b3315591ae3617
    MediaType:   application/vnd.docker.distribution.manifest.v2+json
    Digest:      sha256:4a1aacea636cab6af8f99f037d1e56a4de97de6025da8eff90b3315591ae3617
    Total Size:  375.313MB
                 
    Config:      
      Digest:    sha256:23e11cf6844c334b2970fd265fb09cfe88ec250e1e80db7db973d69d757bdac4
      MediaType: application/vnd.docker.container.image.v1+json
      Size:      7530B
                 
    Layers:      
                 
      Digest:    sha256:bba7bb10d5baebcaad1d68ab3cbfd37390c646b2a688529b1d118a47991116f4
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      49.552MB
                 
      Digest:    sha256:ec2b820b8e87758dde67c29b25d4cbf88377601a4355cc5d556a9beebc80da00
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      24.031MB
                 
      Digest:    sha256:284f2345db055020282f6e80a646f1111fb2d5dfc6f7ee871f89bc50919a51bf
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      64.112MB
                 
      Digest:    sha256:fea23129f080a6e28ebff8124f9dc585b412b1a358bba566802e5441d2667639
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      211.003MB
                 
      Digest:    sha256:7c62c924b8a6474ab5462996f6663e07a515fab7f3fcdd605cae690a64aa01c7
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      6.389MB
                 
      Digest:    sha256:c48db0ed1df2d2df2dccd680323097bafb5decd0b8a08f02684b1a81b339f39b
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      17.146MB
                 
      Digest:    sha256:f614a567a40341ac461c855d309737ebccf10a342d9643e94a2cf0e5ff29b6cd
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      243B
                 
      Digest:    sha256:00c5a00c6bc24a1c23f2127a05cfddd90865628124100404f9bf56d68caf17f4
      MediaType: application/vnd.docker.image.rootfs.diff.tar.gzip
      Size:      3.080MB
    
    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search