Docker app inspect on a pulled application shows digested references

[silvin-lubecki]

$ docker app inspect ccrone/hello-world:0.0.1
hello-world 0.1.0

Maintained by: user <[email protected]>

Hello, World!

Service (1) Replicas Ports Image
----------- -------- ----- -----
hello       1        8080  ccrone/cnab-demo@sha256:ba27d460cd1f22a1a4331bdf74f4fccbc025552357e8a3249c40ae216275de96

Parameters (2) Value
-------------- -----
port           8080
text           Hello, World!

As we run the inspect command inside the invocation image, we have access to the image map so we could show the original image and the actual image, maybe in two separated columns.

NOTE: The inspect code does a render using the mapped images, see https://github.com/docker/app/blob/master/internal/inspect/inspect.go#L21 .

[ijc]

Isn't this by design since when the image was pushed we make all the refs into concrete digested ones so when we pull it back that's what we get and what users want/expect?

When you say "the original image" do you mean something with a tag instead of a digest or is there something else you are thinking of? I think you are suggesting something like:

Service (1) Replicas Ports Image                   Digest
----------- -------- ----- ----------------------- -----------------------------------------------------------------------
hello       1        8080  ccrone/cnab-demo:v0.1.2 sha256:ba27d460cd1f22a1a4331bdf74f4fccbc025552357e8a3249c40ae216275de96

(perhaps with the digest truncated by default for readability?)

We might need to be a little careful with the presentation here since foo:v0.1.2@sha256:abcdef is semantically the same as foo@sha256:abcdef (i.e. the tag is ignored), there is no check that v0.1.2 and sha256:abcdef correspond, the tag is simply ignored. If the user was actually specifying the digest in the original we'd need to maybe be a bit careful.