dockerfile-cloudflared icon indicating copy to clipboard operation
dockerfile-cloudflared copied to clipboard
verified publisher icon visibilityspots

Local SHA256 digest does not match remote dockerhub

Open kamkudla opened this issue 4 years ago • 2 comments

I'm trying to verify whether my local image matches that of dockerhub. Running on Pi3, armv7, Docker version 20.10.6, build 370c289

Looking at latest: https://hub.docker.com/layers/visibilityspots/cloudflared/latest/images/sha256-8dca4d6083ba6564632d29f2b1628af39515b4cea31550f49ebcdc4417b9ef9a?context=explore I see a digest of sha256:8dca4d6083ba6564632d29f2b1628af39515b4cea31550f49ebcdc4417b9ef9a for the armv7 arch.

Pulling the image docker pull visibilityspots/cloudflared:latest and running docker inspect returns a digest of sha256:98f5bf4de5b5aab77ef04faa39fd166c46a076d1145ce798ba6f760db73f7044

What am I missing here? How do I verify the images that I have match that of the servers?

Here is the full output of the inspect:

docker inspect visibilityspots/cloudflared:latest
[
    {
        "Id": "sha256:972fc30a188fde42bb7748be866f5776470560a46267ee8828d8092501e3022c",
        "RepoTags": [
            "visibilityspots/cloudflared:latest"
        ],
        "RepoDigests": [
            "visibilityspots/cloudflared@sha256:98f5bf4de5b5aab77ef04faa39fd166c46a076d1145ce798ba6f760db73f7044"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2021-04-26T08:54:12.702960307Z",
        "Container": "",
        "ContainerConfig": {
            "Hostname": "",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": null,
            "Cmd": null,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": null
        },
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "cloudflared",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "UPSTREAM1=https://1.1.1.1/dns-query",
                "UPSTREAM2=https://1.0.0.1/dns-query",
                "PORT=5054",
                "ADDRESS=0.0.0.0",
                "METRICS=127.0.0.1:8080"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "/usr/local/bin/cloudflared proxy-dns --address ${ADDRESS} --port ${PORT} --metrics ${METRICS} --upstream ${UPSTREAM1} --upstream ${UPSTREAM2}"
            ],
            "Healthcheck": {
                "Test": [
                    "CMD-SHELL",
                    "nslookup -po=${PORT} cloudflare.com 127.0.0.1 || exit 1"
                ],
                "Interval": 5000000000,
                "Timeout": 3000000000,
                "StartPeriod": 5000000000
            },
            "ArgsEscaped": true,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "",
            "Entrypoint": null,
            "OnBuild": null,
            "Labels": {
                "maintainer": "Jan Collijs"
            }
        },
        "Architecture": "arm",
        "Variant": "v7",
        "Os": "linux",
        "Size": 68305008,
        "VirtualSize": 68305008,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/8fdc89e5d92e5bcf2c071a36187a777b646f50d0db08254fbea2f09e9497b7a9/diff:/var/lib/docker/overlay2/0718ea7231173595b3cc31dac7657c7e6946dd351bf01246491d9b09b69afc21/diff:/var/lib/docker/overlay2/99fc3319d89cd7cb7905adf968400c61f9156a637f7c40cb67030ea67d5f109b/diff",
                "MergedDir": "/var/lib/docker/overlay2/fcec3668483550d89ae33d0a4134a2f05e62ce17ad2bd8c5ae9b825391efb72d/merged",
                "UpperDir": "/var/lib/docker/overlay2/fcec3668483550d89ae33d0a4134a2f05e62ce17ad2bd8c5ae9b825391efb72d/diff",
                "WorkDir": "/var/lib/docker/overlay2/fcec3668483550d89ae33d0a4134a2f05e62ce17ad2bd8c5ae9b825391efb72d/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:e678d54c933532243e4ca1cb0b7ef7d6fa4969783100e0022246bc14d83972e9",
                "sha256:a12272c41df18361eb321674f3835d3480339521bb0b62ae90aecf9074bbf7e5",
                "sha256:d35110086134dd6844390f6a3987817e04ad4fd6c155fe2c3aa047f20bd1a663",
                "sha256:ca2bbf190f72796b1968a177adafa673e208bd821e29624fb24bf7edca4ac1bd"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

kamkudla avatar May 02 '21 15:05 kamkudla

I'm using the docker buildx flow to build multi architecture based images using github actions.

Those are saved using a manifest on docker hub.

By executing docker manifest inspect you could see the different digests to compare with the one on docker hub;

# cat /proc/cpuinfo 
...
model name	: ARMv7 Processor rev 3 (v7l)

# docker manifest inspect visibilityspots/cloudflared:latest
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
...
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 1163,
         "digest": "sha256:06718ab762f90d52f65f1a676ba2c357742a76f0e3e9b12fb321163c37984f34",
         "platform": {
            "architecture": "arm",
            "os": "linux",
            "variant": "v7"
         }
      },
...
      }
   ]
}

next to that I found out that the Digest from the docker pull command does compare with the .RepoDigests from the docker inspect tool.

# docker pull visibilityspots/cloudflared:latest
latest: Pulling from visibilityspots/cloudflared
Digest: sha256:c6e8600ae2478a46bf8a9a67ced941e5e002969540810b3e2ef307e6fae4e33e
Status: Image is up to date for visibilityspots/cloudflared:latest
docker.io/visibilityspots/cloudflared:latest

# docker inspect --format='{{.RepoDigests}}' visibilityspots/cloudflared:latest
[visibilityspots/cloudflared@sha256:c6e8600ae2478a46bf8a9a67ced941e5e002969540810b3e2ef307e6fae4e33e]

I do lack a proper page describing how to compare all those generated hashes by docker if you find one which explains it clearly let me know :)

visibilityspots avatar May 04 '21 19:05 visibilityspots

Thank you for that. Quite perplexing that docker hasn't implemented a straightforward flow to check that hashes match. I will certainly let you know if I find anything

kamkudla avatar May 05 '21 04:05 kamkudla