3

I have a use case where I need to find the image tag from its hashed format.

For example, if I have this image:

quay.io/containerdisks/centos-stream@sha256:0c8d8b253a0b729c602efe45a5bc4640b3d4161b6924db3def2e7a76296e42c9

I would like to find one or more labels that point to this image. At the moment the only option I know of is to "brute-force" it by fetching all the labels related to this image and checking the digest of each against the hash I'm looking for.

Is there another option?

Rabin

2 Answers

1

The tag listing only includes tags, not the digests for each of those tags (though I'd like to see that improved). So you're left with brute forcing a digest check against each tag. With regctl that looks like:

```
for tag in $(regctl tag ls quay.io/containerdisks/centos-stream); do
  echo "${tag}: $(regctl image digest quay.io/containerdisks/centos-stream:${tag})"
done | grep "sha256:0c8"
```

Which lists the following matches:

```
9: sha256:0c8d8b253a0b729c602efe45a5bc4640b3d4161b6924db3def2e7a76296e42c9
9-20220829.0: sha256:0c8d8b253a0b729c602efe45a5bc4640b3d4161b6924db3def2e7a76296e42c9
9-2209010207: sha256:0c8d8b253a0b729c602efe45a5bc4640b3d4161b6924db3def2e7a76296e42c9
```

Note that the image digest command here only runs a HEAD request to the registry, so it doesn't download the image and should be relatively fast.

BMitch
  • Thanks, but it's exactly what I was trying to avoid, as some of the repos I work with have a lot of tags. – Rabin Sep 06 '22 at 16:02
  • 1
    If you are making the image reference, then include the tag in there. `registry.example.org/repo:tag@sha256:...`. The value of `tag` is ignored, but can be useful as documentation to yourself to know what tag that digest belonged to at one point. – BMitch Sep 06 '22 at 17:45
  • Thanks, nice to know, I was not familiar with the `regctl` tool. – Rabin Sep 07 '22 at 07:37
  • @Rabin regctl is written by myself. The other good project in this space is crane from go-containerregistry. Skopeo also plays in this space, but they don't have a minimal manifest HEAD command. – BMitch Sep 08 '22 at 20:53
1

Another iteration on @BMitch's answer is to use `parallel` to make several queries in parallel, which reduces the time to query all the tags.

```
skopeo list-tags docker://quay.io/containerdisks/centos-stream \
 | jq -r '.Tags[]' \
 | parallel bash -c "\"printf \"%-16s\" {} '-> ' && skopeo inspect -n docker://quay.io/containerdisks/centos-stream:{} --format '{{ .Digest }}'\"" \
 | grep 'sha256:0c8'
```

Rabin
  • 1
    Note that skopeo is querying the /v2 endpoint, running a manifest get, pulling the config blob, and running a tag listing, for each inspect. While `crane digest` and `regctl image digest` each do a single manifest head request. So if you need to run a lot of these, the latter two would be much more efficient. – BMitch Sep 07 '22 at 13:19
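
The two answers combined (one manifest HEAD request per tag, run in parallel), as an added example that is not part of either answer or of regctl, crane or skopeo. It compares the full digest instead of grepping for a prefix, so a digest that merely starts with `sha256:0c8` cannot match. Assumptions: the function names are made up for this example, the registry allows anonymous access to the repository without a bearer token, and the tag list fits in one page.

```python
import json
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Accept both OCI and Docker manifest/index types so the returned digest is
# that of the manifest (or multi-arch index) the tag points to.
ACCEPT = ", ".join([
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])

def list_tags(registry, repo):
    """GET /v2/<repo>/tags/list (first page only; pagination is not followed)."""
    url = f"https://{registry}/v2/{repo}/tags/list"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["tags"]

def head_digest(registry, repo, tag):
    """HEAD the tag's manifest and return its Docker-Content-Digest header."""
    url = f"https://{registry}/v2/{repo}/manifests/{tag}"
    req = urllib.request.Request(url, method="HEAD", headers={"Accept": ACCEPT})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.headers.get("Docker-Content-Digest")

def tags_for_digest(tags, wanted, lookup, workers=8):
    """Return, sorted, the tags whose digest equals `wanted` exactly.

    `lookup(tag)` returns the digest for one tag. A tag whose lookup fails
    (deleted mid-scan, network error) is skipped instead of aborting the scan.
    """
    def safe(tag):
        try:
            return tag, lookup(tag)
        except Exception:
            return tag, None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(t for t, d in pool.map(safe, tags) if d == wanted)

if __name__ == "__main__":
    registry, repo = "quay.io", "containerdisks/centos-stream"
    wanted = "sha256:0c8d8b253a0b729c602efe45a5bc4640b3d4161b6924db3def2e7a76296e42c9"
    lookup = lambda tag: head_digest(registry, repo, tag)
    print(tags_for_digest(list_tags(registry, repo), wanted, lookup))
```

The scan is still one request per tag; `workers` only bounds how many run at once, so keep it low enough to stay under the registry's rate limits.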