Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
780 views
in Technique by (71.8m points)

bash - How do I check if my local docker image is outdated, without pushing from somewhere else?

I'm running a react app in a docker container, on a CoreOS server. Let's say it's been pulled from dockerhub from https://hub.docker.com/r/myimages/myapp.

Now I want to check periodically if the dockerhub image for the app container has been updated, to see if the image I'm running locally is behind.

What would be the most efficient way to check if a local docker image is outdated compared to the remote image? All solutions I've found so far are bash scripts or external services that push on an update. I'd like to find a solution that is as native to docker as possible, and would like to refrain from pushing a notification from somewhere else (to alert the server of an updated image).


1 Answer

0 votes
by (71.8m points)

You can query the registry API for the image digest and compare it to that of what you've pulled.

$ cat digest-v2.sh
#!/bin/sh

# Image reference, e.g. library/busybox:latest
ref="${1:-library/ubuntu:latest}"
repo="${ref%:*}"
tag="${ref##*:}"
# Accept both the single-image manifest and the multi-platform manifest list
acceptM="application/vnd.docker.distribution.manifest.v2+json"
acceptML="application/vnd.docker.distribution.manifest.list.v2+json"
# Anonymous pull token for the repository
token=$(curl -s "https://auth.docker.io/token?service=registry.docker.io&scope=repository:${repo}:pull" \
        | jq -r '.token')
# HEAD request (-I): return only the response headers, including the digest
curl -H "Accept: ${acceptM}" \
     -H "Accept: ${acceptML}" \
     -H "Authorization: Bearer $token" \
     -I -s "https://registry-1.docker.io/v2/${repo}/manifests/${tag}"

$ ./digest-v2.sh library/busybox:latest
HTTP/1.1 200 OK
Content-Length: 2080
Content-Type: application/vnd.docker.distribution.manifest.list.v2+json
Docker-Content-Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
Date: Sun, 11 Oct 2020 21:04:59 GMT
Strict-Transport-Security: max-age=31536000

You can compare that ETag or Docker-Content-Digest header to the registry reference on the image you've previously pulled:

$ docker image inspect busybox:latest --format '{{json .RepoDigests}}' | jq .
[
  "busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a"
]

$ docker image pull busybox:latest
latest: Pulling from library/busybox
Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
Status: Image is up to date for busybox:latest
docker.io/library/busybox:latest

I've also been working on some Go APIs and CLI to work with more registries where you may need to pass different types of authorization. That project is at regclient/regclient and includes a regctl command.

$ regctl image digest --list busybox:latest
sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a
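
The comparison this answer describes, as an added example that is not part of the original answer: it parses the `curl -I` headers and the image's `RepoDigests` and reports `up-to-date`, `outdated` or `unknown`. The function names and the embedded sample input are constructed for illustration; the digest is the busybox one shown above.

```shell
#!/bin/sh
# Added example. Function names and sample data are constructed for illustration.

# Read HTTP response headers on stdin; print the Docker-Content-Digest value only
# if it is a well-formed sha256 digest. Header names are matched case-insensitively
# (HTTP/2 sends them in lowercase) and the CR of each CRLF line ending is dropped.
remote_digest() {
  tr -d '\r' | awk '{
    i = index($0, ":"); name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", val)
    if (name == "docker-content-digest" && val ~ /^sha256:[0-9a-f]+$/ && length(val) == 71) {
      print val; exit
    }
  }'
}

# Read RepoDigests on stdin, one "repo@sha256:..." per line, as printed by
#   docker image inspect IMAGE --format '{{range .RepoDigests}}{{println .}}{{end}}'
# Succeeds if any entry carries exactly the digest given as $1.
local_has_digest() {
  awk -v want="$1" '{ n = index($0, "@"); if (n && substr($0, n + 1) == want) found = 1 }
    END { exit !found }'
}

# $1 = raw response headers, $2 = RepoDigests lines.
# Prints up-to-date, outdated, or unknown.
image_status() {
  status_line=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
  case "$status_line" in
    HTTP/*" 200"*) ;;
    *) echo unknown; return 0 ;;  # 401, 404, 429 ... say nothing about freshness
  esac
  remote=$(printf '%s\n' "$1" | remote_digest)
  # No usable remote digest, or an image that was built or loaded locally and
  # therefore has no RepoDigests: do not guess.
  if [ -z "$remote" ] || [ -z "$2" ]; then echo unknown; return 0; fi
  if printf '%s\n' "$2" | local_has_digest "$remote"; then echo up-to-date; else echo outdated; fi
}

# Constructed sample input, reusing the busybox digest shown in the answer.
SAMPLE_HEADERS=$(printf '%s\r\n' \
  'HTTP/1.1 200 OK' \
  'Content-Type: application/vnd.docker.distribution.manifest.list.v2+json' \
  'Docker-Content-Digest: sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a')
SAMPLE_LOCAL='busybox@sha256:d366a4665ab44f0648d7a00ae3fae139d55e32f9712c67accd604bb55df9d05a'

image_status "$SAMPLE_HEADERS" "$SAMPLE_LOCAL"
```

A periodic job should treat `unknown` as a failed check to retry or alert on, not as either answer.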
