sha256 of locally built docker image

Question

How do I get the sha256 checksum of an already locally built docker image?

I want to use the checksum to annotate a FROM instruction in a derived image:

FROM name@sha256:checksum

I already tried checksums from docker inspect .

• Neither the first nor the last of the checksums in the Layers list worked.
• The one in "Id" did not work.
• The one in "Parent" did not work.
• The one in "Container" did not work.
• The one in "Image" did not work.

Some of them I only tried out of desperation to finally find the correct checksum for my docker image, but I cannot find the correct checksum. Only thing I did not try yet, because of the number of layers, is to go through all of the layers in case they are in a random order. But to put them there like that would not make sense to begin with.

The error I see when I run docker build -t <some name> . in the directory of the Dockerfile of the derived image when it is not working is:

Step 1/7 : FROM name@sha256:<checksum> repository name not found: does not exist or no pull access

Info

• Docker version: Docker version 17.05.0-ce, build 89658be (obtained via docker --version )

• Output of docker info :

   Containers: 0 Running: 0 Paused: 0 Stopped: 0 Images: 3841 Server Version: 17.05.0-ce Storage Driver: aufs Root Dir: /var/lib/docker/aufs Backing Filesystem: extfs Dirs: 2620 Dirperm1 Supported: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host macvlan null overlay Swarm: inactive Runtimes: runc Default Runtime: runc Init Binary: docker-init containerd version: 9048e5e50717ea4497b757314bad98ea3763c145 runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228 init version: 949e6fa Security Options: apparmor seccomp Profile: default Kernel Version: 4.4.0-78-generic Operating System: Ubuntu 16.04.2 LTS OSType: linux Architecture: x86_64 CPUs: 4 Total Memory: 7.684GiB Name: xiaolong-hp-pavilion ID: QCJS:JPK4:KC7J:6MYF:WWCA:XQM2:7AF7:HWWI:BRZK:GT6B:D2NP:OJFS Docker Root Dir: /var/lib/docker Debug Mode (client): false Debug Mode (server): false Registry: https://index.docker.io/v1/ Experimental: false Insecure Registries: 127.0.0.0/8 Live Restore Enabled: false WARNING: No swap limit support 

Answer 1

The checksum docker is looking for in the FROM line comes from the registry server. In the inspect output, you'll see this in the RepoDigest section:

docker inspect -f '{{.RepoDigests}}' $image_name

If you haven't pushed this image to a registry server, then you won't be able to use this hash value.

Eg:

$ docker inspect -f '{{.RepoDigests}}' busybox:latest
[busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f]

$ cat df.testsha
FROM busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
CMD echo "hello world"

$ docker build -f df.testsha -t test-sha .
Sending build context to Docker daemon  23.35MB
Step 1/2 : FROM busybox@sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
 ---> 00f017a8c2a6
Step 2/2 : CMD echo "hello world"
 ---> Running in c516e5b6a694
 ---> 68dc47866183
Removing intermediate container c516e5b6a694
Successfully built 68dc47866183
Successfully tagged test-sha:latest

$ docker run --rm test-sha
hello world