
incalculable-air-54033

09/15/2022, 7:57 AM
Hi, where can I verify the SHA256 of all Rancher images?
E.g.:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{"\n"}{.metadata.namespace}{","}{.metadata.name}{","}{range .status.containerStatuses[*]}{.image}{", "}{.imageID}{", "}{end}{end}' | sort
Returns all the SHA256 hashes for the containers running on my box, I can see this for Klipper-LB:
docker.io/rancher/klipper-lb@sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7
But cross checking with DockerHub, the hash doesn't match up:

creamy-pencil-82913

09/15/2022, 8:35 AM

incalculable-air-54033

09/15/2022, 8:40 AM
So how do I verify?
Does Rancher not give the correct manifest to crosscheck?

creamy-pencil-82913

09/15/2022, 6:50 PM
I’m not sure what you mean by “cross-checking”. Read through that issue, it explains the difference between multi-arch manifest lists and the actual arch-specific image digest that gets pulled.
Tools like Skopeo will show you what Docker Hub will not. For example:
brandond@dev01:~$ skopeo inspect docker://docker.io/rancher/klipper-lb:v0.3.5
{
    "Name": "docker.io/rancher/klipper-lb",
    "Digest": "sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7",
That shows you that the manifest list (the list of arch-specific images for that tag) has a digest that matches what you see when you look at the running pods.
If you look at the raw manifest list, you can see that the amd64 image in the manifest list matches what you see on Docker Hub when looking at the info for the amd64 arch:
brandond@dev01:~$ skopeo inspect docker://docker.io/rancher/klipper-lb:v0.3.5 --raw
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 945,
         "digest": "sha256:23286ad7a6adb09adaf66a1d12955e98b47ce1c77aa30082c4d7a4392bc4c95f",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },
Docker Hub is hiding the manifest list from you, and only showing you arch-specific image info. That is what the issue I linked you to is complaining about. If you’re going to try to poke through and verify image digests, you need to understand how docker images, tags, and manifests are constructed and referenced.