Develop Reference

Failed to pull container images via short reference format

I have a problem downloading container images from a private docker registry.
The registry need no authentication credentials and is only available over the
internal network.
I have configured the registries in /etc/docker/daemon.json like the example
below. I have replaced the FQDN.
{
"exec-opts": ["native.cgroupdriver=systemd"],
"registry-mirrors": [
"https://customer-registry.example.com",
"https://location-a.dev.example.com:17519",
"https://location-b.dev.example.com:17519"
]
}
When I use the short reference format to download the container image
apvxw/build-env-go:4.2.1 I get the following error:
$ docker pull apvxw/build-env-go:4.2.1
Unable to find image 'apvxw/build-env-go:4.2.1' locally
/usr/bin/docker: Error response from daemon: pull access denied for
orbis-u/build-env-go, repository does not exist or may require 'docker login':
denied: requested access to the resource is denied.
When I use the long reference format docker can pull the image
$ docker pull customer-registry.example.com/apvxw/build-env-go:4.2.1
4.2.1: Pulling from apvxw/build-env-go:4.2.1
ac9208207ada: Already exists
5cf798ece9e5: Already exists
510bf5361e28: Already exists
b2f42d2b54d9: Pull complete
4b8be0bf5345: Pull complete
311322fb5cb6: Pull complete
Digest: sha256:f522ce0974ee41dfc7f16fc44682fee77e57bc056e37b27a4bf4885af3f5c375
Status: Downloaded newer image for customer-registry.example.com/apvxw/build-env-go:4.2.1
customer-registry.example.com/apvxw/build-env-go:4.2.1
The same behavior applies to the other configured docker registries.
I have also tested downloading container images via the registries with podman.
There the download via the short reference works fine.
Does anyone have an idea what the problem is because I can't download container
images under Arch using the short notation?
System and docker informations:
$ uname -a
Linux markus-pc 5.5.9-arch1-2 #1 SMP PREEMPT Thu, 12 Mar 2020 23:01:33 +0000 x86_64 GNU/Lin
$
$ docker info
Client:
Debug Mode: false
Server:
Containers: 10
Running: 0
Paused: 0
Stopped: 10
Images: 71
Server Version: 19.03.7-ce
Storage Driver: overlay2
Backing Filesystem: <unknown>
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d76c121f76a5fc8a462dc64594aea72fe18e1178.m
runc version: dc9208a3303feef5b3839f4323d9beb36df0a9dd
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 5.5.9-arch1-2
Operating System: Arch Linux
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.54GiB
Name: markus-pc
ID: DKFK:PHVZ:LDGJ:54OG:5VJ5:5XYK:YDZR:DJFR:HZ7B:4HDT:LBEK:7JQ4
Docker Root Dir: /var/lib/docker
Debug Mode: false
Username: volkerraschek
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Registry Mirrors:
https://customer-registry.example.com/
https://location-a.dev.example.com:17519/
https://location-b.dev.example.com:17519/
Live Restore Enabled: false

In Docker
The default registry is configured to search images on docker hub which is docker.io. When you pull any image without domain name it will try to pull from docker.io, not from any other registry.
If you want to pull an image from a private registry, then you need to use long reference which is
docker pull <YOUR-DOMAIN>/apvxw/build-env-go:4.2.1
In Podman
You can configure multiple registries and podman searches in all registries whichever configured in the config file.
Location of podman configuration file is /etc/containers/registries.conf. and you can add the following lines in that which you might have already done.
[registries.search]
registries = ['docker.io', 'customer-registry.example.com', 'location-a.dev.example.com:17519', 'location-b.dev.example.com:17519']

'docker: invalid reference format' when docker repository is not explicitly specified

I'm running a Docker in Docker container in kubernetes through the Gitlab CI (there is a main image and dind is as a service). In the pod I can build docker images and push them, however any further manipulation or a simple docker run triggers an error of invalid reference format.
There are two additional insecure private repositories specified in the dind service specification. If I try to run docker images without a repo prefix specified, it fails. (note that the images are there, it's just their tag which doesn't have the repo specified)
bash-4.2# docker run hello-world
docker: invalid reference format.
See 'docker run --help'.
bash-4.2# docker run docker.io/hello-world
Hello from Docker!
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
(amd64)
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker ID:
https://hub.docker.com/
For more examples and ideas, visit:
https://docs.docker.com/get-started/
bash-4.2#
I would expect the basic docker pull/run commands to pass and to use the images cached in the daemon even when their current tag doesn't contain a repository specified.
Added docker info
Containers: 3
Running: 1
Paused: 0
Stopped: 2
Images: 21
Server Version: 18.09.5
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: bb71b10fd8f58240ca47fbb579b9d1028eea7c84
runc version: 2b18fe1d885ee5083ef9f0838fee39b62d653e30
init version: fec3683
Security Options:
seccomp
Profile: default
Kernel Version: 4.14.35-1844.3.2.el7uek.x86_64
Operating System: Alpine Linux v3.9 (containerized)
OSType: linux
Architecture: x86_64
CPUs: 20
Total Memory: 125.5GiB
Name: runner-vppr4q7s-project-14503-concurrent-08qxbj
ID: HQ3U:HATA:TZUT:OLVS:MHRZ:F4DY:ENBD:Z5WH:FQBC:SGI3:BUUY:QIME
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
HTTP Proxy: xxxxxxxx
HTTPS Proxy: xxxxxxx
No Proxy: localhost,127.0.0.1,.xxxxxxxxxx
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
xxxxxxxxxxxx:5000
yyyyyyyyyyyy:5000
127.0.0.0/8
Live Restore Enabled: false
Product License: Community Engine
WARNING: API is accessible on http://0.0.0.0:2375 without encryption.
Access to the remote API is equivalent to root access on the host. Refer
to the 'Docker daemon attack surface' section in the documentation for
more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
Registries:
Additionally:
bash-4.2# docker tag docker.io/hello-world:latest hello-world:v1
Error parsing reference: "hello-world:v1" is not a valid repository/tag: invalid reference format
bash-4.2# docker tag docker.io/hello-world:latest some:2000/hello-world:v1
bash-4.2# docker tag docker.io/hello-world:latest docker.io/hello-world:v1
(ok)
And docker images doesn't show the docker.io/hello-world:latest and docker.io/hello-world:v1 but shows some:2000/hello-world:v1

docker run error(operation not support) after load busybox images on embeded playform

I built a docker form source for my embedded platform(armv7) and install them successfully. But I got an error(docker: Error response from daemon: operation not supported) when trying load arm32v7/busybox image
I built docker(Version: 18.09.4) and its dependencies with buildroot and install it successfully
2.Then I run dockerd with command "dockerd -s overlay &"
3.And I load armv7/busybox image which was saved from my notebook.
(As my embeded board was limited by gateway and can't connect the Internet, I use my notebook save image for my embeded board)
4.finally I load the image successfully and run it failed with "docker: Error response from daemon: operation not supported"
5.run docker info on board output like this
# docker info
WARN[1970-01-02T02:46:52.315076016Z] Could not get operating system name: Error opening /usr/lib/os-release: open /usr/lib/os-release: no such file or directory
WARN[1970-01-02T02:46:52.328707599Z] failed to retrieve docker-init version: exec: "docker-init": executable file not found in $PATH
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 1
Server Version: 18.09.4
Storage Driver: overlay
Backing Filesystem: tmpfs
Supports d_type: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version:
runc version: v1.0.0-rc7
init version: N/A (expected: )
Kernel Version: 4.9.37
OSType: linux
Architecture: armv7l
CPUs: 2
Total Memory: 498.3MiB
Name: (none)
ID: VS4X:CF4M:UNNY:QKJW:2PKQ:5ZUL:7N7C:24AK:O2VN:ZRLM:BUZO:5BHO
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
WARNING: the overlay storage-driver is deprecated, and will be removed in a future release.
1.on my notebook
leo#ubuntu:~$ sudo docker pull arm32v7/busybox
Using default tag: latest
latest: Pulling from arm32v7/busybox
2b35d97f9c81: Pulling fs layer
2b35d97f9c81: Pull complete
Digest: sha256:6b1ef683f696c503a0afb93d06684a9a70f8f793a90220eb0da569be116ce1d1
Status: Downloaded newer image for arm32v7/busybox:latest
leo#ubuntu:~$ sudo docker save arm32v7/busybox -o arm_busybox.tar
2.on my embeded board
# rz
rz waiting to receive.
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring arm_busybox.tar...
100% 1141 KB 1141 KB/sec 00:00:01 0 Errors
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
arm32v7/busybox latest 94491159407b Less than a second ago 944kB
# docker^C
# docker images rmi 94491159407b
"docker images" requires at most 1 argument.
See 'docker images --help'.
Usage: docker images [OPTIONS] [REPOSITORY[:TAG]]
List images
# docker rmi 94491159407b
Untagged: arm32v7/busybox:latest
Deleted: sha256:94491159407b8aca603c71cdcaf164be9e63ed17239b2b081ce3a6bf765f6e8a
Deleted: sha256:7dc29058f73fc3fe174d0cc6795bee0a4130ba807f971e6e0cf4a88d77a9fe53
#
# ls
arm_busybox.tar
# docker load -i arm_busybox.tar
7dc29058f73f: Loading layer [==================================================>] 1.16MB/1.16MB
Loaded image: arm32v7/busybox:latest
#
# docker run
"docker run" requires at least 1 argument.
See 'docker run --help'.
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Run a command in a new container
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
arm32v7/busybox latest 94491159407b Less than a second ago 944kB
# docker run arm32v7/busybox
docker: Error response from daemon: operation not supported.
See 'docker run --help'.
# docker run arm32v7/busybox ls
docker: Error response from daemon: operation not supported.
See 'docker run --help'.
# docker run arm32v7/busybox /bin/sh
docker: Error response from daemon: operation not supported.
See 'docker run --help'.
docker run arm32v7/busybox should return successfully. but get an error response.
why?

After CONFIG_TMPFS_XATTR and CONFIG_TMPFS_POSIX_ACL flags switch to [=y] (before compiling kernel),docker run don't return error, but block !!
I enable debug mode when starting dockerd. there is log of dockerd
# dockerd -D -s overlay
...
DEBU[1970-01-02T07:55:03.848247951Z] form data: {"AttachStderr":true,"AttachStdin":false,"AttachStdout":true,"Cmd":null,"Domainname":"","Entrypoint":null,"Env":[],"HostConfig":{"AutoRemove":false,"Binds":null,"BlkioDeviceReadBps":null,"BlkioDeviceReadIOps":null,"BlkioDeviceWriteBps":null,"BlkioDeviceWriteIOps":null,"BlkioWeight":0,"BlkioWeightDevice":[],"CapAdd":null,"CapDrop":null,"Cgroup":"","CgroupParent":"","ConsoleSize":[0,0],"ContainerIDFile":"","CpuCount":0,"CpuPercent":0,"CpuPeriod":0,"CpuQuota":0,"CpuRealtimePeriod":0,"CpuRealtimeRuntime":0,"CpuShares":0,"CpusetCpus":"","CpusetMems":"","DeviceCgroupRules":null,"Devices":[],"DiskQuota":0,"Dns":[],"DnsOptions":[],"DnsSearch":[],"ExtraHosts":null,"GroupAdd":null,"IOMaximumBandwidth":0,"IOMaximumIOps":0,"IpcMode":"","Isolation":"","KernelMemory":0,"Links":null,"LogConfig":{"Config":{},"Type":""},"MaskedPaths":null,"Memory":0,"MemoryReservation":0,"MemorySwap":0,"MemorySwappiness":-1,"NanoCpus":0,"NetworkMode":"default","OomKillDisable":false,"OomScoreAdj":0,"PidMode":"","PidsLimit":0,"PortBindings":{},"Privileged":false,"PublishAllPorts":false,"ReadonlyPaths":null,"ReadonlyRootfs":false,"RestartPolicy":{"MaximumRetryCount":0,"Name":"no"},"SecurityOpt":null,"ShmSize":0,"UTSMode":"","Ulimits":null,"UsernsMode":"","VolumeDriver":"","VolumesFrom":null},"Hostname":"","Image":"94491159407b","Labels":{},"NetworkingConfig":{"EndpointsConfig":{}},"OnBuild":null,"OpenStdin":false,"StdinOnce":false,"Tty":false,"User":"","Volumes":{},"WorkingDir":""}
DEBU[1970-01-02T07:55:03.907315451Z] container mounted via layerStore: &{/var/lib/docker/overlay/9efba7d0f8b20b508274373120276bfcead4c0afdc98ac6c813a41e64c61df9e/merged 0x2bdd510 0x2bdd510}
DEBU[1970-01-02T07:55:03.946627243Z] Calling POST /v1.39/containers/77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417/attach?stderr=1&stdout=1&stream=1
DEBU[1970-01-02T07:55:03.947147743Z] attach: stdout: begin
DEBU[1970-01-02T07:55:03.953483993Z] Calling POST /v1.39/containers/77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417/wait?condition=next-exit
DEBU[1970-01-02T07:55:03.954236410Z] attach: stderr: begin
DEBU[1970-01-02T07:55:03.964652451Z] Calling POST /v1.39/containers/77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417/start
DEBU[1970-01-02T07:55:03.981005285Z] container mounted via layerStore: &{/var/lib/docker/overlay/9efba7d0f8b20b508274373120276bfcead4c0afdc98ac6c813a41e64c61df9e/merged 0x2bdd510 0x2bdd510}
DEBU[1970-01-02T07:55:03.982641076Z] Assigning addresses for endpoint boring_montalcini's interface on network bridge
DEBU[1970-01-02T07:55:03.982754368Z] RequestAddress(LocalDefault/172.17.0.0/16, <nil>, map[])
DEBU[1970-01-02T07:55:03.982917743Z] Request address PoolID:172.17.0.0/16 App: ipam/default/data, ID: LocalDefault/172.17.0.0/16, DBIndex: 0x0, Bits: 65536, Unselected: 65533, Sequence: (0xc0000000, 1)->(0x0, 2046)->(0x1, 1)->end Curr:2 Serial:false PrefAddress:<nil>
DEBU[1970-01-02T07:55:04.013580701Z] Assigning addresses for endpoint boring_montalcini's interface on network bridge
INFO[1970-01-02T07:55:04.015169910Z] /etc/resolv.conf does not exist
INFO[1970-01-02T07:55:04.015304618Z] No non-localhost DNS nameservers are left in resolv.conf. Using default external servers: [nameserver 8.8.8.8 nameserver 8.8.4.4]
INFO[1970-01-02T07:55:04.015357285Z] IPv6 enabled; Adding default IPv6 external servers: [nameserver 2001:4860:4860::8888 nameserver 2001:4860:4860::8844]
DEBU[1970-01-02T07:55:04.018542701Z] Programming external connectivity on endpoint boring_montalcini (dcf05afcaeb79ee2fc5fc4a6aceda37c6083f3a19fe608fabb4bb8d91f7e5f1b)
DEBU[1970-01-02T07:55:04.019416368Z] EnableService 77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417 START
DEBU[1970-01-02T07:55:04.019500118Z] EnableService 77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417 DONE
DEBU[1970-01-02T07:55:04.022324743Z] bundle dir created bundle=/var/run/docker/containerd/77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417 module=libcontainerd namespace=moby root=/var/lib/docker/overlay/9efba7d0f8b20b508274373120276bfcead4c0afdc98ac6c813a41e64c61df9e/merged
DEBU[1970-01-02T07:55:04.030072118Z] event published ns=moby topic="/containers/create" type=containerd.events.ContainerCreate
INFO[1970-01-02T07:55:04.060624576Z] shim containerd-shim started address="/containerd-shim/moby/77d7e164a3a10e34bb25ff59852bdfac9c962639dedf543614d71107567f6417/shim.sock" debug=true pid=1383
DEBU[0000] registering ttrpc server
DEBU[0000] serving api on unix socket socket="[inherited from parent]"

mv root dir to a persistent path, not tmpfs, then：
stop dockerd
mv /var/lib/docker /root/docker
start dockerd
docker run arm32v7/busybox

Cannot exec to a running container

After running docker container,docker run -d --name nginx nginx, I cannot use "docker exec", docker exec nginx echo 123, on this container.
I'm receiving an error:
ERRO[2018-08-19T11:09:10.909894729+03:00] stream copy error: reading from a closed fifo
ERRO[2018-08-19T11:09:10.909988081+03:00] stream copy error: reading from a closed fifo
ERRO[2018-08-19T11:09:10.931102317+03:00] Error running exec 19c6ae3c5d796180e02577f037f6a1bd1453b70393098643719dea3537933ae2 in container: OCI runtime exec failed: exec failed: container_linux.go:348: starting container process caused "process_linux.go:86: executing setns process caused \"exit status 22\"": unknown`
OS: ubuntu 14.04
Kernel: 3.13.0-153-generic
Docker: Docker version 18.06.0-ce, build 0ffa825
Docker Info:
Containers: 1
Running: 1
Paused: 0
Stopped: 0
Images: 1
Server Version: 18.06.0-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/165536.165536/aufs
Backing Filesystem: extfs
Dirs: 5
Dirperm1 Supported: false
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
apparmor
userns
Kernel Version: 3.13.0-153-generic
Operating System: Ubuntu 14.04.5 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 3.86GiB
Name: **************
ID: OL25:ISXX:RWR7:EY76:OQ6O:XLWG:ETWJ:FV2A:MC6A:ROP7:6DWD:DJX4
Docker Root Dir: /var/lib/docker/165536.165536
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Thanks!

That can happen when them use ENTRYPOINT instead of CMD. Check your image/container with "docker inspect". Your commandline argument becomes a CMD of ENTRYPOINT.
https://docs.docker.com/engine/reference/builder/#understand-how-cmd-and-entrypoint-interact

I could reproduce this issue whenever I executed docker run -it opensuse/leap followed by exit command. The container is actually stopped after exit command, but still showed running in docker ps.
Solution: Restart your docker daemon. And then try running your containers once again. If they stop, they won't show running status.
command: service docker restart
This worked in my case.

Please update your Kernel. Although Docker should work with most Kernel 3.10+ versions, there are often low level issues with older Kernels. See also https://github.com/moby/moby/issues/36084#issuecomment-364886573 for a seemingly same issue with a working solution:
updated to HWE ( 4.13.0-32-generic) and exec works again, however keep in mind that stock 16.04 uses 4.4.0 kernels - there should some kind of warning (at least) that specific versions combination will not work

sha256 of locally built docker image

How do I get the sha256 checksum of an already locally built docker image?
I want to use the checksum to annotate a FROM instruction in a derived image:
FROM name#sha256:checksum
I already tried checksums from docker inspect.
Neither the first nor the last of the checksums in the Layers list worked.
The one in "Id" did not work.
The one in "Parent" did not work.
The one in "Container" did not work.
The one in "Image" did not work.
Some of them I only tried out of desperation to finally find the correct checksum for my docker image, but I cannot find the correct checksum. Only thing I did not try yet, because of the number of layers, is to go through all of the layers in case they are in a random order. But to put them there like that would not make sense to begin with.
The error I see when I run docker build -t <some name> . in the directory of the Dockerfile of the derived image when it is not working is:
Step 1/7 : FROM name#sha256:<checksum> repository name not found: does not exist or no pull access
Info
Docker version: Docker version 17.05.0-ce, build 89658be (obtained via docker --version)
Output of docker info:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 3841
Server Version: 17.05.0-ce
Storage Driver: aufs
Root Dir: /var/lib/docker/aufs
Backing Filesystem: extfs
Dirs: 2620
Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9048e5e50717ea4497b757314bad98ea3763c145
runc version: 9c2d8d184e5da67c95d601382adf14862e4f2228
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-78-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 7.684GiB
Name: xiaolong-hp-pavilion
ID: QCJS:JPK4:KC7J:6MYF:WWCA:XQM2:7AF7:HWWI:BRZK:GT6B:D2NP:OJFS
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support

The checksum docker is looking for in the FROM line comes from the registry server. In the inspect output, you'll see this in the RepoDigest section:
docker inspect -f '{{.RepoDigests}}' $image_name
If you haven't pushed this image to a registry server, then you won't be able to use this hash value.
E.g.:
$ docker inspect -f '{{.RepoDigests}}' busybox:latest
[busybox#sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f]
$ cat df.testsha
FROM busybox#sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
CMD echo "hello world"
$ docker build -f df.testsha -t test-sha .
Sending build context to Docker daemon 23.35MB
Step 1/2 : FROM busybox#sha256:32f093055929dbc23dec4d03e09dfe971f5973a9ca5cf059cbfb644c206aa83f
---> 00f017a8c2a6
Step 2/2 : CMD echo "hello world"
---> Running in c516e5b6a694
---> 68dc47866183
Removing intermediate container c516e5b6a694
Successfully built 68dc47866183
Successfully tagged test-sha:latest
$ docker run --rm test-sha
hello world