Is it reliable to use Docker's hash as a means to determine an image's version between different platforms
Problem
Situation
I have a docker image on a Linux box. I push it onto a docker registry (AWS ECR).
Then, I use the image pushed onto that docker registry in a K8s pod.
Question
How do I know the docker image used for the K8s pod is the same as the one on the Linux box? Note that the tag is irrelevant. I set it to different things all the time.
Solution
Yes, you can use the repository digest for this. Note that while this is a hash of the container, it's a hash specific to the repository, and is NOT the image id, which is a separate sha256 hash.
Once you push or pull a docker container to/from a registry, it acquires some repository metadata, including the repository digest for that container. You can see that digest by running
docker inspect
and looking for the RepoDigests section of the json (or just pipe that command into jq '.[].RepoDigests' if you have it installed).
Now you can compare that with the docker pullable of the kubernetes pod you want to check by running this command:
kubectl get pod -o jsonpath='{.status.containerStatuses[*].imageID}'
If the hashes of both of those values match, then you can be sure they are running the same container.
Context
StackExchange DevOps Q#10073, answer score: 3
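The comparison described in the answer above, as a shell script added here (it is not part of the original answer). The function names extract_digest, digests_match and check_pod are hypothetical, and the image and pod names are assumed to be passed as the two arguments. A pod imageID that carries only a local image ID and no repository digest is reported separately instead of being treated as a match.

```shell
#!/bin/sh
# Added example: compare a local image's RepoDigests with a pod's imageID.

# Print the "sha256:<64 hex>" part of a reference such as
#   repo@sha256:...   or   docker-pullable://repo@sha256:...
# Fails when the value has no well-formed repository digest, for example
# a bare image ID (docker://sha256:...) of an image that was never pushed.
extract_digest() {
    case "$1" in
        *@sha256:*) d="sha256:${1##*@sha256:}" ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$d" | grep -Eqx 'sha256:[0-9a-f]{64}' || return 1
    printf '%s\n' "$d"
}

# digests_match "<RepoDigests, whitespace separated>" "<pod imageID>"
# Returns 0 on a match, 1 on a mismatch, 2 when the pod value has no digest.
digests_match() {
    pod_digest=$(extract_digest "$2") || return 2
    for ref in $1; do
        local_digest=$(extract_digest "$ref") || continue
        if [ "$local_digest" = "$pod_digest" ]; then
            return 0
        fi
    done
    return 1
}

# check_pod IMAGE POD: query docker and kubectl, then compare every
# container of the pod against the local image's repository digests.
check_pod() {
    repo_digests=$(docker inspect --format \
        '{{range .RepoDigests}}{{println .}}{{end}}' "$1") || return 2
    for image_id in $(kubectl get pod "$2" \
            -o jsonpath='{.status.containerStatuses[*].imageID}'); do
        rc=0
        digests_match "$repo_digests" "$image_id" || rc=$?
        case "$rc" in
            0) echo "MATCH     $image_id" ;;
            1) echo "MISMATCH  $image_id" ;;
            *) echo "NO DIGEST $image_id" ;;
        esac
    done
}

# Runs the live check only when an image and a pod name are given.
if [ "$#" -eq 2 ]; then
    check_pod "$1" "$2"
fi
```
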