This message was deleted Rancher Users #general

Join Slack

This message was deleted.

# general

adamant-kite-43734

09/15/2022, 7:57 AM

This message was deleted.

incalculable-air-54033

09/15/2022, 7:59 AM

E.g.:

Copy code

kubectl get pods --all-namespaces -o=jsonpath='{range .items[*]}{"\n"}{.metadata.namespace}{","}{.metadata.name}{","}{range .status.containerStatuses[*]}{.image}{", "}{.imageID}{", "}{end}{end}' | sort

Returns all the SHA256 hashes for the containers running on my box, I can see this for Klipper-LB:

<http://docker.io/rancher/klipper-lb@sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7|docker.io/rancher/klipper-lb@sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7>

But cross checking with DockerHub, the hash doesn't match up:

creamy-pencil-82913

09/15/2022, 8:35 AM

Because manifest lists exist https://github.com/docker/hub-feedback/issues/1925#issuecomment-565646445

incalculable-air-54033

09/15/2022, 8:40 AM

So how do i verify?

incalculable-air-54033

09/15/2022, 6:21 PM

Does Rancher not give the correct manifest to crosscheck?

creamy-pencil-82913

09/15/2022, 6:50 PM

I’m not sure what you mean by “cross-checking”. Read through that issue, it explains the difference between multi-arch manifest lists and the actual arch-specific image digest that gets pulled.

creamy-pencil-82913

09/15/2022, 6:58 PM

Tools like Skopeo will show you what Docker Hub will not. For example:

Copy code

brandond@dev01:~$ skopeo inspect <docker://docker.io/rancher/klipper-lb:v0.3.5>
{
    "Name": "<http://docker.io/rancher/klipper-lb|docker.io/rancher/klipper-lb>",
    "Digest": "sha256:02f8cb41d53fe08b5726a563ce36c3675ad7f2694b65a8477f6a66afac89fef7",

That shows you that the manifest list (the list of arch-specific images for that tag) has a digest that matches what you see when you look at the running pods

creamy-pencil-82913

09/15/2022, 6:59 PM

If you look at the raw manifest list, you can see that the amd64 image in the manifest list matches what you see on Docker Hub when looking at the info for the amd64 arch:

Copy code

brandond@dev01:~$ skopeo inspect <docker://docker.io/rancher/klipper-lb:v0.3.5> --raw
{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
   "manifests": [
      {
         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
         "size": 945,
         "digest": "sha256:23286ad7a6adb09adaf66a1d12955e98b47ce1c77aa30082c4d7a4392bc4c95f",
         "platform": {
            "architecture": "amd64",
            "os": "linux"
         }
      },

creamy-pencil-82913

09/15/2022, 7:01 PM

Docker Hub is hiding the manifest list from you, and only showing you arch-specific image info. That is what he issue I linked you to is complaining about. If you’re going to try to poke through and verify image digests, you need to understand how docker images, tags, and manifests are constructed and referenced.

72 Views

Open in Slack

Previous Next