
Docker Registry: How do I get the list of digest of an image layers?

I am trying to list the layers digest of an image (e.g. ubuntu) that is loaded to a docker registry. I am basically looking for the equivalent of docker manifest inspect --verbose <image-name> for docker registry and which gives a similar output:


From the server that is hosting the registry, I am running the following command successfully to list the images inside the registry:

curl -k -X GET -u admin:root https://docker.registry.url/v2/_catalog | python -mjson.tool

I can also run the following command to see the tag of my image:

curl -k -X GET -u admin:root https://docker.registry.url/v2/ubuntu/tags/list | python -mjson.tool

But when I try to use the following command (as in here) to list the digests:

curl -k -v -s -X GET -u admin:root https://docker.registry.url/v2/ubuntu/manifests/latest -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' | python -mjson.tool

... I get the following two messages:

  • "HTTP/1.1 404 Not Found"
  • "errors": "code": "MANIFEST_UNKNOWN"

as per the following output:

* About to connect() to docker.registry.url port 443 (#0)
*   Trying <server-ip-address>...
* Connected to docker.registry.urll (<server-ip-address>) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=docker.registry.url
*       start date: Oct 22 13:15:18 2021 GMT
*       expire date: Oct 21 13:00:19 2031 GMT
*       common name: docker.registry.url
*       issuer: CN=docker.registry.url
* Server auth using Basic with user 'admin'
> GET /v2/ubuntu/manifests/latest HTTP/1.1
> Authorization: Basic YWRtaW46QWlyc3BhbjEyMw==
> User-Agent: curl/7.29.0
> Host: docker.registry.url
> Accept: application/vnd.docker.distribution.manifest.v2+json
>
< HTTP/1.1 404 Not Found
< Server: nginx/1.21.3
< Date: Tue, 08 Mar 2022 15:00:36 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 187
< Connection: keep-alive
< Docker-Distribution-Api-Version: registry/2.0
< X-Content-Type-Options: nosniff
<
{ [data not shown]
* Connection #0 to host docker.registry.url left intact
{
    "errors": [
        {
            "code": "MANIFEST_UNKNOWN",
            "detail": {
                "Name": "ubuntu",
                "Revision": "sha256:9c152418e380c6e6dd7e19567bb6762b67e22b1d0612e4f5074bda6e6040c64a"
            },
            "message": "manifest unknown"
        }
    ]
}

1- Why am I getting the above error?

2- How do I get the list of manifests of an image from a docker registry?

Workaround:

Not sure if this answer is 100% related to the actual question, but I needed to delete images in my registry; using registry:2.8.1, followed this but even garbage collector didn't clear images for me so as a workaround I'm clearing images by not having them mounted as a volume - and just restarting the whole registry; and if I need to clear a different group of images independently, I can set up a second registry on a different port and also not use a mounted volume.

But in case it works for someone else here's some other commands:

1 Get Digest

docker inspect example.com:5000/myimage

there should be this section:

"RepoDigests": [
"my.docker.registry.com:5000/ubuntu@sha256:74a1b5f5c5d771cf3570fa0f050e0c827538b7fe1873bc88b85d56818df3f2bc"
]

2 run garbage collector

docker exec registry bin/registry garbage-collect --dry-run /etc/docker/registry/config.yml

docker exec registry bin/registry garbage-collect --help /etc/docker/registry/config.yml

3 delete

curl -X DELETE -u username:password https://example.com:5000/v2/my_image/manifests/<digest> -H 'Accept: application/vnd.docker.distribution.manifest.v2+json'

I have a situation where I want to see if the latest image in the repository is the same as the image currently running on my machine. I was trying to use curl commands and running into problems, but skopeo "just worked" on Raspbian:

apt install -y skopeo
skopeo  inspect  docker://zwavejs/zwave-js-ui:latest | jq -r  '.Digest'

Given the error message, the registry understands the tag, and is trying to pull a specific digest but cannot find it. One of the most common causes of this is running a GC on the registry with a multi-platform image because of a longstanding bug with the GC design.

In the command:

curl -k -v -s -X GET -u admin:root \
  https://docker.registry.url/v2/ubuntu/manifests/latest \
  -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
  | python -mjson.tool

You are requesting a single platform manifest, so the registry will automatically dereference a multi-platform image manifest. Checking that digest from Hub, that shows up as the following:

$ regctl manifest get \
  ubuntu@sha256:9c152418e380c6e6dd7e19567bb6762b67e22b1d0612e4f5074bda6e6040c64a \
  --format '{{jsonPretty .}}'
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "config": {
    "mediaType": "application/vnd.docker.container.image.v1+json",
    "size": 1463,
    "digest": "sha256:2b4cba85892afc2ad8ce258a8e3d9daa4a1626ba380677cee93ef2338da442ab"
  },
  "layers": [
    {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "size": 28565751,
      "digest": "sha256:7c3b88808835aa80f1ef7f03083c5ae781d0f44e644537cd72de4ce6c5e62e00"
    }
  ]
}

You can better see what's happening by pulling the manifest list by allowing an additional media type:

curl -k -v -s -X GET -u admin:root \
  https://docker.registry.url/v2/ubuntu/manifests/latest \
  -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
  -H 'Accept: application/vnd.docker.distribution.manifest.list.v2+json' \
  | python -mjson.tool

An example of that looks like:

$ regctl manifest get ubuntu --format 'body' | jq .
{
  "manifests": [
    {
      "digest": "sha256:965fbcae990b0467ed5657caceaec165018ef44a4d2d46c7cdea80a9dff0d1ea",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      },
      "size": 529
    },
    {
      "digest": "sha256:ea8f467d512068a1e52494d5b2d959a9307a35682633d0b5d481e79c914c627f",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm",
        "os": "linux",
        "variant": "v7"
      },
      "size": 529
    },
    {
      "digest": "sha256:e77aa65a8a2bccbc47b96b4256995dd7ff447024ed5319527040f7cc465f6511",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "arm64",
        "os": "linux",
        "variant": "v8"
      },
      "size": 529
    },
    {
      "digest": "sha256:48d0b40359f8789f1c5d6065bf0d2a00c8d0d4913ac61670215b2debedd483e6",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "ppc64le",
        "os": "linux"
      },
      "size": 529
    },
    {
      "digest": "sha256:f31546bc71659c643837d57f09a161f04e866b59da4f418e064082a756c4c23a",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "riscv64",
        "os": "linux"
      },
      "size": 529
    },
    {
      "digest": "sha256:4e3c33035b808801fc84ba48d5a779cd572167956f5123d846d7e1cbafe9e785",
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "platform": {
        "architecture": "s390x",
        "os": "linux"
      },
      "size": 529
    }
  ],
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "schemaVersion": 2
}

Since your registry is in a corrupt state, you're likely best off deleting the images and starting over, without the GC process. But you can copy individual images back to the server by digest:

$ regctl image copy \
  ubuntu@sha256:9c152418e380c6e6dd7e19567bb6762b67e22b1d0612e4f5074bda6e6040c64a \
  docker.registry.url/ubuntu@sha256:9c152418e380c6e6dd7e19567bb6762b67e22b1d0612e4f5074bda6e6040c64a

I even have the flag --force-recursive for this because I've seen it happen too often:

$ regctl image copy --help
...

Flags:
      --digest-tags        Include digest tags ("sha256-<digest>.*") when copying manifests
      --force-recursive    Force recursive copy of image, repairs missing nested blobs and manifests
  -h, --help               help for copy
      --include-external   Include external layers
      --referrers          Include referrers
...

$ regctl image copy --force-recursive \
  ubuntu:latest docker.registry.url/ubuntu:latest

The above is shown with my own regclient/regctl tool, but there's also crane, skopeo, and I'm sure several other tools including whichever you used to first copy the image yourself. I'd avoid using curl to pull the images yourself for more than a demo since you'll eventually run into scenarios with other media types or token authentication that make the scripting around the curl command very complicated (I started down that path before deciding it was easier to write regclient).
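An added example, not part of the answers above and not regclient code: the check below walks a manifest list the way the last answer describes, confirms each child manifest's bytes hash to the digest that names it, and reports children the registry no longer holds, which is the state that produces MANIFEST_UNKNOWN. The names audit_tag, digest_of, STORE and the sample manifests are constructed stand-ins for registry responses.

```python
import hashlib
import json

LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"

def digest_of(body: bytes) -> str:
    """A manifest's digest is the SHA-256 of its exact bytes."""
    return "sha256:" + hashlib.sha256(body).hexdigest()

def audit_tag(store: dict, top_digest: str) -> dict:
    """Report per-platform layer digests plus missing or mismatched manifests."""
    # store (hypothetical) maps digest -> raw bytes, standing in for
    # GET /v2/<name>/manifests/<digest> against the registry.
    report = {"layers": {}, "missing": [], "corrupt": []}
    body = store.get(top_digest)
    if body is None:
        report["missing"].append(top_digest)
        return report
    top = json.loads(body)
    if top.get("mediaType") == LIST_TYPE:
        children = [(m["digest"], m["platform"]["architecture"])
                    for m in top["manifests"]]
    else:
        children = [(top_digest, "single")]
    for digest, arch in children:
        child = store.get(digest)
        if child is None:                    # registry would say MANIFEST_UNKNOWN
            report["missing"].append(digest)
        elif digest_of(child) != digest:     # bytes do not match their address
            report["corrupt"].append(digest)
        else:
            layers = json.loads(child)["layers"]
            report["layers"][arch] = [layer["digest"] for layer in layers]
    return report

def _manifest(fill: str) -> bytes:
    """Build a constructed single-platform manifest with one fake layer."""
    layer = {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
             "size": 1, "digest": "sha256:" + fill * 64}
    return json.dumps({"schemaVersion": 2, "mediaType": MANIFEST_TYPE,
                       "layers": [layer]}).encode()

# Constructed sample: a two-platform list whose arm64 child was deleted.
AMD64, ARM64 = _manifest("a"), _manifest("b")
INDEX = json.dumps({"schemaVersion": 2, "mediaType": LIST_TYPE, "manifests": [
    {"digest": digest_of(AMD64), "platform": {"architecture": "amd64", "os": "linux"}},
    {"digest": digest_of(ARM64), "platform": {"architecture": "arm64", "os": "linux"}},
]}).encode()
STORE = {digest_of(INDEX): INDEX, digest_of(AMD64): AMD64}
```

Calling audit_tag(STORE, digest_of(INDEX)) lists the amd64 layer digest and flags the arm64 manifest as missing; any digest in the missing list is one to copy back by digest, as the answer does with regctl image copy.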
