2

I am a newbie at Docker. I have two theoretical questions about Docker. We know that by default Docker uses AUFS, a layered filesystem. Where can I find in /var/libs/docker the folders for each layer? I would like to see them.

And the second thing:
What is sha256? I know that it is some number-hash. But what does it mean in Docker?

  • partial dupe http://stackoverflow.com/questions/32046334/what%C2%B4s-the-sha256-code-of-a-docker-image – fvu Mar 08 '17 at 19:19

1 Answer

0

You can see more at "Docker and AUFS in practice"

https://docs.docker.com/engine/userguide/storagedriver/images/aufs_layers.jpg

This diagram shows that each image layer, and the container layer, is represented in the Docker host's filesystem as a directory under /var/lib/docker/.
The union mount point provides the unified view of all layers.

As of Docker 1.10, image layer IDs do not correspond to the names of the directories that contain their data.

As I mentioned before:

the V2 API does not deal in Image IDs. Rather, it uses digests to identify layers, which can be calculated as property of the layer and are independently verifiable.

See "Docker Registry HTTP API V2":

This API design is driven heavily by content addressability.
The core of this design is the concept of a content addressable identifier.

It uniquely identifies content by taking a collision-resistant hash of the bytes. Such an identifier can be independently calculated and verified by selection of a common algorithm.
If such an identifier can be communicated in a secure manner, one can retrieve the content from an insecure source, calculate it independently and be certain that the correct content was obtained.
Put simply, the identifier is a property of the content.

To disambiguate from other concepts, we call this identifier a digest.
A digest is a serialized hash result, consisting of an algorithm and hex portion. The algorithm identifies the methodology used to calculate the digest. The hex portion is the hex-encoded result of the hash.

We define a digest string to match the following grammar:

 digest := algorithm ":" hex
 algorithm := /[A-Fa-f0-9_+.-]+/
 hex := /[A-Fa-f0-9]+/

Some examples of digests include the following:

digest  description
sha256:6c3c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b     Common sha256 based digest

While the algorithm does allow one to implement a wide variety of algorithms, compliant implementations should use sha256.

VonC
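The check the quoted spec describes (fetch the bytes from an untrusted source, recompute the hash, compare it with a digest received over a trusted channel), as an added Python example that is not part of the original answer or Docker's own code. `parse_digest`, `verify_blob` and the sample bytes are constructed for illustration; the algorithm character class is widened to `A-Za-z` as an assumption of this example, because the class as quoted would not match the `s` and `h` in `sha256`.

```python
import hashlib
import hmac
import re

# Digest grammar from the quoted spec. Assumption of this example: the
# algorithm class is A-Za-z rather than A-Fa-f, so that "sha256" matches.
DIGEST_RE = re.compile(r"([A-Za-z0-9_+.-]+):([A-Fa-f0-9]+)")

# Algorithms this example accepts, mapped to the expected hex length.
SUPPORTED = {"sha256": 64}


def parse_digest(digest):
    """Split 'algorithm:hex'; reject malformed, unsupported or truncated values."""
    m = DIGEST_RE.fullmatch(digest)
    if m is None:
        raise ValueError("not a digest string: %r" % digest)
    algorithm, hex_part = m.group(1), m.group(2).lower()
    if algorithm not in SUPPORTED:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    if len(hex_part) != SUPPORTED[algorithm]:
        # A short hex part is grammar-valid but must never be accepted.
        raise ValueError("wrong hex length for %s" % algorithm)
    return algorithm, hex_part


def compute_digest(blob, algorithm="sha256"):
    """Serialize the hash of the bytes as 'algorithm:hex'."""
    return algorithm + ":" + hashlib.new(algorithm, blob).hexdigest()


def verify_blob(blob, trusted_digest):
    """True only if the bytes hash to the digest obtained over a trusted channel."""
    algorithm, expected_hex = parse_digest(trusted_digest)
    actual_hex = hashlib.new(algorithm, blob).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


# Constructed sample: stand-in bytes for a layer blob, not a real image layer.
LAYER = b"constructed layer tarball bytes\n"
TRUSTED = compute_digest(LAYER)  # as if read from a manifest fetched securely
TAMPERED = LAYER + b"extra bytes appended by an untrusted mirror"

if __name__ == "__main__":
    print(TRUSTED)
    print("intact  :", verify_blob(LAYER, TRUSTED))
    print("tampered:", verify_blob(TAMPERED, TRUSTED))
```

The length check matters as much as the hash comparison: a digest with a truncated hex part still matches the grammar, so a verifier that only applies the regular expression would accept a much weaker identifier.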
  • Can I see somewhere difference file (representation of layer) ? –  Mar 08 '17 at 21:13
  • 1
    @JavaNewbie you mean a diff between two layers with the list of files changed? – VonC Mar 08 '17 at 21:14
  • @JavaNewbie that would be `docker diff `: https://docs.docker.com/engine/reference/commandline/diff/#extended-description – VonC Mar 08 '17 at 21:16
  • Yes, it is. I would like to find this file. From what I did read each layer = new directory. –  Mar 08 '17 at 21:16
  • So sha is something like hash of commit in git –  Mar 08 '17 at 21:16
  • 1
    @JavaNewbie yes: a way to uniquely reference a layer. (Even though Git only uses SHA1, not SHA2, which is a bit awkward these days: http://stackoverflow.com/a/42450327/6309) – VonC Mar 08 '17 at 21:18
  • Can you try understand last thing ? Union mount point. I don't understand it. Everywhere it is written: It provides one view on file system, but it is not clear for me –  Mar 08 '17 at 21:20
  • @JavaNewbie See http://collabnix.com/archives/516: "A union mount is a mount that allows several filesystems to be mounted at one time but appear to be one filesystem." – VonC Mar 08 '17 at 21:26
  • Where it is exploited? After all, Each container **has exactly** one AUFS filesystem. –  Mar 08 '17 at 21:28
  • @JavaNewbie it is exploited when creating an image (committing a container): the result AUFS layer is a Union mount point which is the result of the concatenation of all the previous layers. – VonC Mar 08 '17 at 21:29
  • Each layer is mount point? What does it mean mount layer on some point ? –  Mar 08 '17 at 21:32
  • @JavaNewbie It means that when you use it (as an image or a container), the filesystem you see is the result of the concatenation of all the previous layers. – VonC Mar 08 '17 at 21:34
  • The problem is that under: `/var/lib/docker` there is no `aufs` directory, there are for example: image, network, volumes, containers and so on –  Mar 08 '17 at 21:37
  • 1
    @JavaNewbie what docker version are you using on which host OS? – VonC Mar 08 '17 at 21:38
  • v = 1.12, fedora 25 –  Mar 08 '17 at 21:39
  • (I have some containers) –  Mar 08 '17 at 21:39
  • @JavaNewbie Then your storage driver might not be AUFS by default: https://docs.docker.com/engine/userguide/storagedriver/selectadriver/ – VonC Mar 08 '17 at 21:50
  • Oh, yes. You are right. So only before AUFS was default? –  Mar 08 '17 at 22:32
  • Yes, Fedora is Redhat based. from docs: It used devicemapper - and in my case it is true –  Mar 08 '17 at 22:35
  • could you point me out to an algorithm used to serialize folders, as docker layers are actually folders, not "bytes"? – wick Jan 15 '20 at 20:03
  • @wick Not an exact match to your case, but https://github.com/moby/moby/blob/master/contrib/download-frozen-image-v2.sh loads said layers. – VonC Jan 15 '20 at 22:14
  • @wick Also https://github.com/p8952/bocker/blob/000633061c6cfcb99c8d9eef5aa483a44318f3e6/bocker#L23-L36 – VonC Jan 16 '20 at 10:11