Digest id is changing when mirroring images
Issue
When copying images with skopeo:
### Listing images at destination registry
$ curl -s -u xxxx:yyyy https://default-route-openshift-image-registry.apps.mylab/v2/_catalog | jq "." | grep sso71
"openshift/redhat-sso71-openshift",
### Checking image digest at origin
$ skopeo inspect --creds "aaaa:bbbb" docker://registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.3 | jq -r '.Digest'
sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d
### Copying image
$ skopeo copy --src-creds="aaaa:bbbb" --dest-creds="xxxx:yyyy" --remove-signatures docker://registry.access.redhat.com/redhat-sso-7/sso71-openshift:1.3 docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift:1.3
### Verify the image is listed
$ curl -s -u xxxx:yyyy https://default-route-openshift-image-registry.apps.mylab/v2/_catalog | jq "." | grep sso71
"openshift/redhat-sso71-openshift",
"test/sso71-openshift" <----- the new image
### Checking image digest at destination
$ skopeo inspect --creds "xxxx:yyyy" docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift:1.3 | jq -r '.Digest'
sha256:2b07e91589991521e45b1c131cb59358d06d7c6a356cbe5f7b9ee50d2417f197
there is a clear mismatch between the origin and the destination digest.
When trying a different method for copying forcing the sha256 digest in the image reference:
# skopeo copy --all --src-creds="aaaa:bbbb" --dest-creds="xxxx:yyyy" docker://registry.access.redhat.com/redhat-sso-7/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d
Getting image source signatures
FATA[0001] Copying a schema1 image with an embedded Docker reference to docker://default-route-openshift-image-registry.apps.mylab/test/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d (Docker reference default-route-openshift-image-registry.apps.mylab/test/sso71-openshift@sha256:e7ceea30da82c540fce1ecfccc3160826eb1ee84e4114e4dba2049860d3fc15d) would change the manifest, which is not possible (image is signed or the destination specifies a digest)
In that particular case it is described that the image is using a Schema 1 manifest.
Environment
Red Hat OpenShift Container Platform
- 3.11
- 4.x
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.