How to check the authenticity of Container base images
My previous blog explains how to set up a private Docker registry and use Docker container images for offline usage. Before using any Docker image downloaded from a third-party registry, it is important to check the authenticity of that image. There are several ways to check the authenticity of images; a few methods are described below.
Docker image checksum verification :
With reference to Docker image specification v1.2.0, each image's ID is given by the SHA256 hash of its configuration JSON. It is represented as a hexadecimal encoding of 256 bits, e.g., sha256:a9561eb1b190625c9adb5a9513e72c4dedafc1cb2d4c5236c9a6957ec7dfd5a9.
Since the configuration JSON that gets hashed references hashes of each layer in the image, this formulation of the ImageID makes images content-addressable.
# docker image ls --digests --format '{{.Digest}}' IMAGE
docker pull verifies the download of each layer using its checksum, so a corrupted download is detected.
In the example above, the checksum is verified for every layer as it is downloaded. A checksum mismatch indicates that the container image is corrupted or has been tampered with.
Comparing Container images :
The container-diff tool can be used for analyzing and comparing container images, and it can examine images along several different criteria. You can inspect a single image, or perform a diff operation on two images. container-diff supports Docker images located both in a local Docker daemon and in a remote registry. It is also possible to use the tool with .tar, .tar.gz, and .tgz archives. The container-diff package is part of the SUSE Linux Enterprise Server 15 SP2 Containers Module and can be installed on Linux with the command below:
# curl -LO https://storage.googleapis.com/container-diff/latest/container-diff-linux-amd64 && chmod +x container-diff-linux-amd64 && sudo mv container-diff-linux-amd64 /usr/local/bin/container-diff
These analyses can be performed on a single image, or as a diff of two images to compare them. The tool helps users understand what is changing inside their images and gives them a better look at what their images contain.
Please refer to the container-diff GitHub page for more examples:
https://github.com/GoogleContainerTools/container-diff#installation
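The two checks above, the content-addressable image ID from the digest section and the layer comparison that container-diff performs, can be illustrated with a small script. The following is an added example, not code from this blog, from Docker or from the container-diff project; it builds toy images from constructed byte strings standing in for layer tarballs, computes the image ID as the SHA256 of a minimal configuration JSON (the hypothetical config carries only the fields needed for the chain), and shows that altering either a layer or the configuration is detected. The compare_layers function is a simplified, layer-digest-only stand-in for what container-diff does, not the tool's own logic.

```python
"""Content-addressable image ID check, modelled on Docker image spec v1.2.0.

Added example: layers here are constructed byte strings standing in for
layer tarballs, and the configuration JSON is a minimal hypothetical one.
"""
from __future__ import annotations

import hashlib
import json


def sha256_digest(data: bytes) -> str:
    """Return a 'sha256:<hex>' digest string for the given bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def build_config(layers: list[bytes]) -> bytes:
    """Build a minimal image configuration JSON referencing each layer by digest.

    Real configs carry more fields (history, created, ...); only rootfs.diff_ids
    matters for the chaining shown here. Keys are sorted and separators fixed so
    the serialised bytes, and therefore the image ID, are deterministic.
    """
    config = {
        "architecture": "amd64",
        "os": "linux",
        "rootfs": {"type": "layers", "diff_ids": [sha256_digest(layer) for layer in layers]},
    }
    return json.dumps(config, sort_keys=True, separators=(",", ":")).encode()


def image_id(config_json: bytes) -> str:
    """The image ID is the SHA256 hash of the configuration JSON."""
    return sha256_digest(config_json)


def verify_image(config_json: bytes, layers: list[bytes], expected_id: str) -> tuple[bool, str]:
    """Check an image the way a pull does: ID against config, then every layer digest.

    Returns (ok, reason). Any mismatch means the image is corrupted or tampered with.
    """
    if image_id(config_json) != expected_id:
        return False, "image ID does not match configuration JSON"
    diff_ids = json.loads(config_json)["rootfs"]["diff_ids"]
    if len(diff_ids) != len(layers):
        return False, "layer count differs from configuration"
    for index, (want, layer) in enumerate(zip(diff_ids, layers)):
        if sha256_digest(layer) != want:
            return False, f"layer {index} digest mismatch"
    return True, "ok"


def compare_layers(config_a: bytes, config_b: bytes) -> dict[str, list[str]]:
    """Layer-level comparison in the spirit of container-diff (simplified stand-in):
    report layer digests present in only one image. Shared base layers appear in neither."""
    a = json.loads(config_a)["rootfs"]["diff_ids"]
    b = json.loads(config_b)["rootfs"]["diff_ids"]
    return {"only_in_a": [d for d in a if d not in b], "only_in_b": [d for d in b if d not in a]}


# Constructed sample data standing in for real layer tarballs.
BASE_LAYER = b"base os files"
APP_LAYER = b"application files v1"
ALTERED_APP_LAYER = b"application files v1 (modified in transit)"


def demo() -> dict:
    """Run the intact, altered-layer, altered-config and diff scenarios."""
    good_config = build_config([BASE_LAYER, APP_LAYER])
    good_id = image_id(good_config)
    results = {
        "intact": verify_image(good_config, [BASE_LAYER, APP_LAYER], good_id),
        # Same config and ID, but the second layer's bytes no longer match its diff_id.
        "layer_altered": verify_image(good_config, [BASE_LAYER, ALTERED_APP_LAYER], good_id),
    }
    # Changing even one byte of the config changes the image ID itself.
    altered_config = good_config.replace(b'"os":"linux"', b'"os":"linux2"')
    results["config_altered"] = verify_image(altered_config, [BASE_LAYER, APP_LAYER], good_id)
    results["diff"] = compare_layers(good_config, build_config([BASE_LAYER, ALTERED_APP_LAYER]))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the configuration JSON embeds every layer's digest, pinning an image by its ID (or pulling by the repository digest shown by `docker image ls --digests`) commits to the exact layer contents; any substituted layer fails verification without the ID having to change.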