
Feature Request: docker tag option to preserve/generate RepoDigests config entry when locally retagging an image to a different registry

Open jakissel opened this issue 5 years ago • 2 comments

The scenario here is that we publish an image to a given registry, teams pull these images and test them, then later on we publish the same exact image to a different registry. When a team pulls the image and tests it they retag it to appear as if it comes from the second registry so the work they do on it doesn't have to be redone when the same image comes from the second registry.

Example:
docker pull registry1.com/repo1:tag1
docker tag registry1.com/repo1:tag1 registry2.com/repo1:tag1
docker rmi registry1.com/repo1:tag1
---- then do stuff with the retagged image like run dockerfiles without having to change the FROM statement ----

When the image is retagged with the destination set in the same registry/repo with a different tag, the repodigest is preserved and doing "docker images --digests" shows the old and new tag both having the same digest. When the image is retagged with the destination set in a different registry with the same repo and tag, the repodigest is not preserved and doing "docker images --digests" shows <none> for the digest.

I understand the manifest digest is determined by the registry when you pull it, because this digest can change if different registries use different manifest formats so it makes sense that this does not happen by default. However, we control both registries and preserve the same exact manifest when pushing to one and the other and our partner teams are aware of this precisely so the work they do after retagging the registry1 image can be relied upon as if it came directly from registry2. One partner team is using the repodigests config entry for something, hence we would like a way to have this entry stay populated when we retag.

For full clarity, the use case with what we would want the outputs to look like would be the following (with the proposed --preserve-digest command option):

docker pull registry1.com/repo1:tag1
docker inspect registry1.com/repo1:tag1
{
  "Id": "sha256:54321...",
  "RepoTags": [ "registry1.com/repo1:tag1" ],
  "RepoDigests": [ "registry1.com/repo1@sha256:abcdef..." ],
  ....
}

docker images --digests
REPOSITORY TAG DIGEST ...
registry1.com/repo1 tag1 sha256:abcdef...

docker tag --preserve-digest registry1.com/repo1:tag1 registry2.com/repo1:tag1
docker inspect registry2.com/repo1:tag1
{
  "Id": "sha256:54321...",
  "RepoTags": [ "registry1.com/repo1:tag1", "registry2.com/repo1:tag1" ],
  "RepoDigests": [ "registry1.com/repo1@sha256:abcdef...", "registry2.com/repo1@sha256:abcdef..." ],
  ....
}

docker images --digests
REPOSITORY TAG DIGEST ...
registry1.com/repo1 tag1 sha256:abcdef...
registry2.com/repo1 tag1 sha256:abcdef...

docker rmi registry1.com/repo1:tag1
docker inspect registry2.com/repo1:tag1
{
  "Id": "sha256:54321...",
  "RepoTags": [ "registry2.com/repo1:tag1" ],
  "RepoDigests": [ "registry2.com/repo1@sha256:abcdef..." ],
  ....
}

docker images --digests
REPOSITORY TAG DIGEST ...
registry2.com/repo1 tag1 sha256:abcdef...

Thanks!

jakissel • Jun 25 '20 00:06
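The comment above notes that a manifest digest follows the manifest a registry serves, so it only carries over to a second registry when the manifest is preserved exactly. The following Python sketch is an added example, not part of the issue or of Docker's code; the manifest content, its placeholder layer and config digests, and the helper names are constructed for illustration.

```python
import hashlib
import json

# Constructed sample: a minimal image manifest as registry1 might store it.
MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "size": 1469,
        "digest": "sha256:" + "11" * 32,  # placeholder config digest
    },
    "layers": [{
        "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
        "size": 2811478,
        "digest": "sha256:" + "22" * 32,  # placeholder layer digest
    }],
}

def manifest_digest(raw: bytes) -> str:
    """Manifest digest: SHA-256 over the exact manifest bytes served."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def repo_digest(repo: str, raw: bytes) -> str:
    """Build a RepoDigests-style entry (repo@digest) for one registry/repo."""
    return f"{repo}@{manifest_digest(raw)}"

def same_manifest(entry_a: str, entry_b: str) -> bool:
    """True when two RepoDigests entries point at byte-identical manifests."""
    return entry_a.rpartition("@")[2] == entry_b.rpartition("@")[2]

# registry1 serves these bytes; a byte-for-byte copy keeps the digest.
raw_r1 = json.dumps(MANIFEST, indent=3).encode()
raw_copy = bytes(raw_r1)
# A registry that re-serializes the same JSON (different whitespace) does not.
raw_reserialized = json.dumps(MANIFEST, separators=(",", ":")).encode()
# Nor does one that rewrites the manifest format (only the media type here).
raw_converted = json.dumps(
    {**MANIFEST, "mediaType": "application/vnd.oci.image.manifest.v1+json"},
    indent=3).encode()

if __name__ == "__main__":
    r1 = repo_digest("registry1.com/repo1", raw_r1)
    for label, raw in [("copy", raw_copy), ("reserialized", raw_reserialized),
                       ("converted", raw_converted)]:
        r2 = repo_digest("registry2.com/repo1", raw)
        print(f"{label:13} same digest as registry1: {same_manifest(r1, r2)}")
```

Comparing the digest part of the two RepoDigests entries is the check a consumer can run before treating work done on the retagged image as valid for the copy in the second registry.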

Hi, I just wanted to clarify: this request is not that this behavior be accomplished specifically using that flag or a flag, or any specific implementation, just that there be some way to preserve the RepoDigests when retagging images across different registries. Or even if that's not an option, maybe just a way to manually populate the RepoDigest field in the configs on the machine so that we can do it ourselves. I tried looking to see if that was possible as of right now and I couldn't find anything.

Any help would be appreciated, thanks!

jakissel • Sep 03 '20 19:09

For those who are still looking to pull an image and push to a remote registry with an arbitrary tag while preserving original digests, you can do it with an external CLI called crane.

crane copy - "Efficiently copy a remote image from src to dst while retaining the digest value". Note that this does an image pull and an image push to the remote registry, so you will need to be authenticated with the source and destination registries and the push will be done immediately.

Example:

$ crane cp ubuntu:20.04 localhost:5000/myreg/my-ubuntu:20.04
...
$ docker pull localhost:5000/myreg/my-ubuntu:20.04
20.04: Pulling from myreg/my-ubuntu
Digest: sha256:450e066588f42ebe1551f3b1a535034b6aa46cd936fe7f2c6b0d72997ec61dbd
Status: Downloaded newer image for localhost:5000/myreg/my-ubuntu:20.04
localhost:5000/myreg/my-ubuntu:20.04
$ docker pull ubuntu:20.04
20.04: Pulling from library/ubuntu
Digest: sha256:450e066588f42ebe1551f3b1a535034b6aa46cd936fe7f2c6b0d72997ec61dbd
Status: Image is up to date for ubuntu:20.04
docker.io/library/ubuntu:20.04
$ docker image ls --digests | grep ubuntu
ubuntu                              20.04         sha256:450e066588f42ebe1551f3b1a535034b6aa46cd936fe7f2c6b0d72997ec61dbd   680e5dfb52c7   3 weeks ago     72.8MB
localhost:5000/myreg/my-ubuntu      20.04         sha256:450e066588f42ebe1551f3b1a535034b6aa46cd936fe7f2c6b0d72997ec61dbd   680e5dfb52c7   3 weeks ago     72.8MB

thomas-anderson-bsl • Nov 18 '22 03:11