问题
使用go-containerregistry库 push image 时和 docker push image 时的layer hash不一致
### 本地docker push推送镜像 ###
# docker push 192.168.1.1:30500/alpine-java:1.0.0
The push refers to repository [192.168.1.1:30500/alpine-java]
372aafbe5d64: Preparing
5b7df235d876: Preparing
### 拉取go-containerregistry推送到registry的镜像 ###
# docker pull 192.168.1.1:30500/alpine-java:1.0.0
1.0.0: Pulling from alpine-java
4d23f0108a5c: Pull complete
20ec70f16685: Pull complete
Digest: sha256:ee64093d46b7c9f6e9676deca8b8e10ac935ab2970f1b25d24c06182872f265a
Status: Downloaded newer image for 192.168.1.1:30500/alpine-java:1.0.0
分析
-
两种方式push后,docker inspect 两个image后,发现内容是一致的,说明其实push的是同一个镜像
(左边是机器上docker inspect的结果,右边是本地docker inspect结果。rootfs:容器只读的文件系统) -
docker save -o两个image的tar包后,解压比对manifest.json文件
(左边是docker push manifest.json,右边是go-containerregistry push manifest.json) -
通过分析go-containerregistry源码发现,推送的image layer_id实际上是对layer.tar做了“再压缩”后计算的sha256 commit到manifest.json导致sha256发生变化。从而导致与docker push的layer sha256不一致。
(go-containerregistry代码计算的layer_id,