94

This has been surprisingly confusing for me. I thought Docker's Image ID is its SHA256 hash. However, apparently the result from `docker image ls --digests` (listed under the column header DIGEST) is different from the IMAGE ID of that image.

For example:

```
docker image ls --digests alpine
REPOSITORY          TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
alpine              latest              sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6   055936d39205        2 weeks ago         5.53MB
```

while

```
docker image ls --no-trunc
REPOSITORY                                             TAG                 IMAGE ID                                                                  CREATED             SIZE
...
alpine                                                 latest              sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1   2 weeks ago         5.53MB
```

Clearly `sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1` (IMAGE ID) and `sha256:769fddc7cc2f0a1c35abb2f91432e8beecf83916c421420e6a6da9f8975464b6` (DIGEST) are not the same value. But why? What's the purpose of having two different sha256 hashes of the same image? How are they calculated, respectively?

I was confused by this when reading the book Docker Deep Dive, and I haven't been able to find a clear answer either in the book or online.

xji
  • 7
    look at [this](https://stackoverflow.com/questions/39811230/why-doesnt-my-newly-created-docker-have-a-digest) – Michał Krzywański May 29 '19 at 17:16
  • 4
    @michalk Thanks for the comment. It offers a clear explanation. I wonder why this distinction is not mentioned more. – xji May 31 '19 at 08:16

1 Answer

78

Thanks to michalk for the comment. The short answer is:

  • The "digest" is a hash of the manifest, introduced in Docker registry v2.
  • The image ID is a hash of the local image JSON configuration.
xji
  • 4
    "manifest" vs "JSON configuration"... you've pushed the question "down". What's the difference between these two? – Otheus Jun 30 '23 at 18:38
  • If you use `regctl manifest get IMAGE`, you can see that a manifest wraps around a config and some layers. The config also has a bunch of rootfs (layers) objects inside; the sha sums differ (between manifest and config) because the manifest's layers are after compression and the config's rootfs are before compression. The manifest is newer, so it's somewhat redundant for backwards compat I guess. – Iskren Ivov Chernev Jul 26 '23 at 13:31
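
The relationship described in the answer and comments above, as an added example that is not code from the question, the answer or any commenter: it builds a one-layer image in memory, hashes the config bytes (IMAGE ID) and the manifest bytes (DIGEST), and goes one step further by showing that recompressing the layer changes the DIGEST while the IMAGE ID stays the same. The layer bytes, config fields and function names are constructed for illustration; the media types are the Docker image manifest v2 schema 2 ones.

```python
import gzip
import hashlib
import json

def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def build_image(layer_tar: bytes, compresslevel: int = 9):
    """Return (config_bytes, manifest_bytes) for a constructed one-layer image."""
    # Registry blob: the layer after compression (mtime=0 keeps it reproducible).
    layer_blob = gzip.compress(layer_tar, compresslevel=compresslevel, mtime=0)
    config = {
        "architecture": "amd64",
        "os": "linux",
        "config": {"Cmd": ["/bin/sh"]},
        # diff_ids hash the layer *before* compression.
        "rootfs": {"type": "layers", "diff_ids": [sha256_digest(layer_tar)]},
    }
    config_bytes = json.dumps(config, separators=(",", ":")).encode()
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {
            "mediaType": "application/vnd.docker.container.image.v1+json",
            "size": len(config_bytes),
            "digest": sha256_digest(config_bytes),
        },
        "layers": [{
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "size": len(layer_blob),
            "digest": sha256_digest(layer_blob),
        }],
    }
    return config_bytes, json.dumps(manifest, indent=3).encode()

def identifiers(config_bytes: bytes, manifest_bytes: bytes) -> dict:
    """IMAGE ID hashes the config bytes; DIGEST hashes the manifest bytes."""
    return {"image_id": sha256_digest(config_bytes),
            "digest": sha256_digest(manifest_bytes)}

def manifest_pins_config(manifest_bytes: bytes, config_bytes: bytes) -> bool:
    """True if the manifest's config descriptor matches the config's hash."""
    return json.loads(manifest_bytes)["config"]["digest"] == sha256_digest(config_bytes)

# Constructed stand-in for an uncompressed layer tarball.
LAYER = b"constructed layer contents\n" * 64

if __name__ == "__main__":
    for level in (9, 0):
        cfg, man = build_image(LAYER, level)
        print(level, identifiers(cfg, man), manifest_pins_config(man, cfg))
```

Because the manifest embeds the config's hash, pulling by DIGEST also fixes the IMAGE ID, but the reverse does not hold: one IMAGE ID can sit behind several DIGESTs.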