Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
i
incalculable-air-54033
09/15/2022, 7:57 AMHi, where can i verify the SHA256 of all rancher images?
E.g.:
kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{"\n"}{.metadata.namespace}{","}{.metadata.name}{","}{range .status.containerStatuses[*]}{.image}{", "}{.imageID}{", "}{end}{end}' | sort<http://docker.io/rancher/klipper-lb@sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7|docker.io/rancher/klipper-lb@sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7>c
creamy-pencil-82913
09/15/2022, 8:35 AMBecause manifest lists exist
https://github.com/docker/hub-feedback/issues/1925#issuecomment-565646445
i
incalculable-air-54033
09/15/2022, 8:40 AMSo how do i verify?
Does Rancher not give the correct manifest to crosscheck?
c
creamy-pencil-82913
09/15/2022, 6:50 PMI’m not sure what you mean by “cross-checking”. Read through that issue, it explains the difference between multi-arch manifest lists and the actual arch-specific image digest that gets pulled.
Tools like Skopeo will show you what Docker Hub will not. For example:
brandond@dev01:~$ skopeo inspect <docker://docker.io/rancher/klipper-lb:v0.3.5>
{
"Name": "<http://docker.io/rancher/klipper-lb|docker.io/rancher/klipper-lb>",
"Digest": "sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7",If you look at the raw manifest list, you can see that the amd64 image in the manifest list matches what you see on Docker Hub when looking at the info for the amd64 arch:
brandond@dev01:~$ skopeo inspect <docker://docker.io/rancher/klipper-lb:v0.3.5> --raw
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 945,
"digest": "sha256:23286ad7a6adb09adaf66a1d12955e98b47ce1c77aa30082c4d7a4392bc4c95f",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},Docker Hub is hiding the manifest list from you, and only showing you arch-specific image info. That is what he issue I linked you to is complaining about. If you’re going to try to poke through and verify image digests, you need to understand how docker images, tags, and manifests are constructed and referenced.