Develop Reference

Docker image list doesn't show images on private registry

We have a private harbor registry that's insecure. We use docker client on a centos7 VM to push /pull images. We lost the docker client centos7 VM so have installed a new one. The issue I see is I log into the registry but when I do "docker image list" or "docker images" it doesn't show the images previously loaded. I'm not sure why?
[udmuser1#vtc-spk-auto10 ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
If I do a docker load -i image on the new linux VM then docker push I do see the image when doing "docker image list" on the registry.
[udmuser1#vtc-spk-auto10 ~]$ docker image list
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor01.ims.net/library/f5-fluentd v1.4.2 b96d9e18a71c 9 months ago 495 MB
I'm unclear why I don't see the images that were loaded by the previous linux VM.
Thanks for any input on this.
John

Your local Docker client would show you images that are part of its docker daemon in other words the images present on your client. You would need to setup synchronization if you want similar images on both the ends.

The container Registry is a place where you push/pull images to and from.
Your local Docker Client contains only the images that fulfil the criteria:
The image was pulled from a registry
The image was build (on that machine)
The container images you are not synchronized with your registry, you need to explicitly push and pull those images.

Your private repository and local machine are two different things. You can't get to the images in your private repository if you lose access to it.

To list all image repositories that contain at least one tagged image, run this curl command:
curl https://registry.io/v2/_catalog
{"repositories":["alpine","postgres"]}
If there are image repositories in a registry that don't possess a single tag, and instead only possess digests e.g. ubuntu#sha256:ac13c5d2, those will be omitted from the output. If a registry contained ubuntu#sha256:ac13c5d2, alpine:latest, and postgres:15.1, Output from /v2/_catalog would read as {"repositories":["alpine","postgres"]}.
Images can be obtained in a more granular and complete method through use of:
https://registry.io/v2/{image}/manifests/{digest} for images with digests
https://registry.io/v2/{image}/tags/list for images with tags

`docker images --digests` with and without tag give different answers

I am trying to figure out how to determine the digest of an image on my local machine.
If I ask docker images to tell me about the digests for my image, it will happily tell me the correct answer:
rcv#mymachine:~$ docker images -a --digests docker.myregistry.net/myproject/myimage
REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE
docker.myregistry.net/myproject/myimage 8.0.0-rc9 sha256:56993a4bdf42a6337c1e9a32603c8758d9a67b42b525c18c6d500b8688f50c47 2198f19aede7 3 days ago 1.84GB
However, if I try asking specifically about the tag I'm interested in it will tell me that there's no digest.
rcv#mymachine:~$ docker images -a --digests docker.myregistry.net/myproject/myimage:8.0.0-rc9
REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE
docker.myregistry.net/myproject/myimage 8.0.0-rc9 <none> 2198f19aede7 3 days ago 1.84GB
I've been alternating between building this image locally, and just pulling it back down from the registry. Is it possible that docker images is confused, or am I missing some subtle difference between the above two commands?
Thanks!

That appears to be a bug in the docker CLI. This shouldn't have any impact on the underlying digest. If you know the image you want to query, it's probably easier to inspect that image for the digest:
$ docker image inspect nginx:latest --format '{{index .RepoDigests 0}}'
nginx#sha256:644a70516a26004c97d0d85c7fe1d0c3a67ea8ab7ddf4aff193d9f301670cf36

How can I check the local image is up to date with registry image?

I would like to find out the latest timestamp for an image in a private Docker registry using the v2 API without first pulling the image to my local and compare it into local image created date.
Is that possible with script or curl with awk ?

You can execute the pull command to make sure your local docker repo is up-to-date.
If you try pull the image, docker will compare the remote image digest with local image digest. If the digests are equal, docker won't update the image and will say it is up-to-date.
Example below:
docker pull myrepo/app:v0.1
car0.1: Pulling from myrepo
Digest: sha256:cb7b50c26124ffba06fd559fa86751e5fe9b4a49990fc8dbf4dfaf0fb9d58206
Status: Image is up to date for myrepo/app:v0.1

docker pull returning image not found

docker pull localhost:21518/master:latest
Getting following response:
Trying to pull repository localhost:21518/master ...
Pulling repository localhost:21518/master
Error: image master:latest not found
Whereas docker images returns
REPOSITORY TAG IMAGE ID CREATED SIZE
localhost:21518/master latest e9f29fbf9931 6 hours ago 703 MB
Why image is not getting pulled?

docker images shows the list of cached images and not repository images. I got confused that docker images showing images from repository as repository is also running on local machine.
Needed to do docker push to get image in repository.

Why doesn't my newly-created docker have a digest?

I have been following the Docker tutorial here, and built a test image on my local OSX machine by committing changes to an existing image and tagging it with three different labels:
# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
adamatan/sinatra devel fccb6b4d21b4 8 minutes ago 469.5 MB
adamatan/sinatra junk fccb6b4d21b4 8 minutes ago 469.5 MB
adamatan/sinatra latest fccb6b4d21b4 8 minutes ago 469.5 MB
However, none of these images has a digest:
# docker images --digests adamatan/sinatra
REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE
adamatan/sinatra devel <none> fccb6b4d21b4 9 minutes ago 469.5 MB
adamatan/sinatra junk <none> fccb6b4d21b4 9 minutes ago 469.5 MB
adamatan/sinatra latest <none> fccb6b4d21b4 9 minutes ago 469.5 MB
Other test images I have created with a Dockerfile do have a digest.
Why do some images have a digest and some don't? Is it related to the way the images were created (Dockerfile or not)?

Firstly, Please keep in mind that a digest could represent a manifest, a layer or a combination of them (we normally called that combination an image).
Manifest is a new term that introduced with Docker registry V2. Here is a short description fetched from Docker Registry V2 slides page21 ~ page23:
[Manifest] describes the components of an image in a single object
Layers can be fetched immediately, in parallel.
When you get the digests with command docker images --digests, here the digest is the SHA256 hash of image manifest, but image ID is the hash code of the local image JSON configuration (this configuration is different from manifest). In this case, if an image doesn't have an associated manifest, the digest of that image will be "none".
Normally, two scenarios could make an image doesn't have associated manifest:
This image has not been pushed to or pulled from a V2 registry.
This image has been pulled from a V1 registry.
To generate a manifest, the easiest way is to push the image to a V2 registry (V1 registry will not works). Docker client will generate a manifest locally, then push it with image layers to registry. When you pull the image back, the image will has a manifest.
Once the manifest existing, your image digest should not be "none".

Yes it is related to how the images were created. Docker can be a real stinker at times.
This may be helpful for you in this case.

I was also facing this issue (digest was none).
Reason was when I can the docker image and image was listed in docker images.
At this point, I was checking for the digest value using
docker images --digest
and the digest value comes as <none>.
Resolution:
Push the image in your docker repository, then image will show the digest value.