前言
docker 的仓库支持一个 tag 下多个架构镜像, 这是如何实现的呢? 抓包看看其数据交互流程
前提
错误处理
执行命令buildx
报错:
ERROR: Multi-platform build is not supported for the docker driver.
Switch to a different driver, or turn on the containerd image store, and try again.
Learn more at https://docs.docker.com/go/build-multi-platform/
修复: 执行命令docker buildx create --use desktop-linux
. 参考链接
构建
Dockerfile:
FROM hub.hujingnb.com/hj-public/debian
RUN date > /tmp/date.txt
构建命令:
docker buildx build --platform linux/amd64,linux/arm64 -t hub.hujingnb.com/hj-public/test1:new --push .
抓包接口调用(2张图连续的, 1张图放不下了):
接口调用说明:
method | 接口 | 说明 | OCI 对应 |
---|---|---|---|
HEAD | /v2/hj-public/debian/manifests/latest |
判断远端此镜像是否存在(每个架构) | /v2/<name>/manifests/<reference> |
GET | /v2/hj-public/debian/manifests/sha256:520ce6d85... |
获取镜像 manifests(多架构的). 内容参考: [多架构manifest](#method 接口 说明 OCI 对应 HEAD /v2/hj-public/debian/manifests/latest 判断远端此镜像是否存在(每个架构) /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/manifests/sha256:520ce6d85... 获取镜像 manifests(多架构的). 内容参考: 多架构manifest /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/manifests/sha256:d15e83b3... 获取镜像 manifests(每个架构. 内容参考: 镜像manifests /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/blobs/sha256:8ea8... 获取上一步拿到的所有 blob /v2/<name>/blobs/<digest> … 中间步骤和普通的镜像上传一样. 可参考之前的文章 HEAD /v2/hj-public/test1/manifests/new 判断远端 manifests 是否存在. /v2/<name>/manifests/<reference> PUT /v2/hj-public/test1/manifests/new 上传manifests. 内容参考: 多架构manifest /v2/<name>/manifests/<reference>) | /v2/<name>/manifests/<reference> |
GET | /v2/hj-public/debian/manifests/sha256:d15e83b3... |
获取镜像 manifests(每个架构. 内容参考: [镜像manifests](#method 接口 说明 OCI 对应 HEAD /v2/hj-public/debian/manifests/latest 判断远端此镜像是否存在(每个架构) /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/manifests/sha256:520ce6d85... 获取镜像 manifests(多架构的). 内容参考: 多架构manifest /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/manifests/sha256:d15e83b3... 获取镜像 manifests(每个架构. 内容参考: 镜像manifests /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/blobs/sha256:8ea8... 获取上一步拿到的所有 blob /v2/<name>/blobs/<digest> … 中间步骤和普通的镜像上传一样. 可参考之前的文章 HEAD /v2/hj-public/test1/manifests/new 判断远端 manifests 是否存在. /v2/<name>/manifests/<reference> PUT /v2/hj-public/test1/manifests/new 上传manifests. 内容参考: 多架构manifest /v2/<name>/manifests/<reference>) | /v2/<name>/manifests/<reference> |
GET | /v2/hj-public/debian/blobs/sha256:8ea8... |
获取上一步拿到的所有 blob | /v2/<name>/blobs/<digest> |
... | 中间步骤和普通的镜像上传一样. 可参考之前的文章 | ||
HEAD | /v2/hj-public/test1/manifests/new |
判断远端 manifests 是否存在. | /v2/<name>/manifests/<reference> |
PUT | /v2/hj-public/test1/manifests/new |
上传manifests. 内容参考: [多架构manifest](#method 接口 说明 OCI 对应 HEAD /v2/hj-public/debian/manifests/latest 判断远端此镜像是否存在(每个架构) /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/manifests/sha256:520ce6d85... 获取镜像 manifests(多架构的). 内容参考: 多架构manifest /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/manifests/sha256:d15e83b3... 获取镜像 manifests(每个架构. 内容参考: 镜像manifests /v2/<name>/manifests/<reference> GET /v2/hj-public/debian/blobs/sha256:8ea8... 获取上一步拿到的所有 blob /v2/<name>/blobs/<digest> … 中间步骤和普通的镜像上传一样. 可参考之前的文章 HEAD /v2/hj-public/test1/manifests/new 判断远端 manifests 是否存在. /v2/<name>/manifests/<reference> PUT /v2/hj-public/test1/manifests/new 上传manifests. 内容参考: 多架构manifest /v2/<name>/manifests/<reference>) | /v2/<name>/manifests/<reference> |
至此, 一次多架构镜像构建并上传就完成了.
手动创建 manifests
我们也可以手动创建多架构, 而不是用 buildx. 命令如下:
bash
# 假设仓库中已经存在: image:amd64 image:arm64 2个镜像
docker manifest create --insecure --amend image:new image:arm64 image:amd64
docker manifest annotate image:new image:arm64 --os=linux --arch=arm64
docker manifest annotate image:new image:amd64 --os=linux --arch=amd64
docker manifest push --insecure --purge image:new
此时的接口调用, 直接跳到上面的最后2步: HEAD/PUT manifests
接口.
拉取
其实在上一步构建的时候已经能够看到拉取的接口调用了. 在每次构建的时候, 要把不同架构的基础镜像拉倒本地进行构建.
这里就简单放一张接口调用流程, 命令: docker pull --platform=linux/arm64 hub.hujingnb.com/hj-public/test1:new
:
总结
单独镜像的推拉, 可以参考之前的文章
可以看到, 实现多架构时, 与非多架构镜像的唯一区别, 就是额外加了一个 manifests 类型, 用来将单架构镜像整合为多架构.
附件
多架构manifest
json
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests":
[
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:b4df0c22aa74c1aa7e1941619c4c63b2e3b1b1dc57436ecc6515e547b6888dab",
"size": 481,
"platform":
{
"architecture": "386",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:651dd02a84abdd528e35e73d483aec5c361078bf169919bd3dac7bfe66d19290",
"size": 481,
"platform":
{
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:9dac568c16fc9d22304b66eb1be48e849c912c0c1f233b7c8233eee5834fc082",
"size": 481,
"platform":
{
"architecture": "arm",
"os": "linux",
"variant": "v5"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:e30e0f9e2580058251db6012e2886fa8b3971d980ae04c0d2e304190df601b4a",
"size": 481,
"platform":
{
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:d15e83b3662501593be46a5a2aef02c2f5b4a1826aa5bef8cd21e7047a497af8",
"size": 481,
"platform":
{
"architecture": "arm64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:bddc1b85037e49dcbeef083c2b2868c73e23d7443e3c13bc177762b90ddaf80f",
"size": 481,
"platform":
{
"architecture": "mips64le",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:e0d4150147fe4f2ecaf11fd532bd3d707d8632024f6743da58141b122a305887",
"size": 481,
"platform":
{
"architecture": "ppc64le",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:ed6e2e64d1f0a99ca795c481ca08ff62fc8e1efca022ae22c5604bb27e6c76c1",
"size": 481,
"platform":
{
"architecture": "s390x",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:785cf1dd62c0b02ce1fbf6cf615ef6eba5d4087385613ddcf26c221daac8e6a0",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:b4df0c22aa74c1aa7e1941619c4c63b2e3b1b1dc57436ecc6515e547b6888dab",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:520be2ba49e9d29e94745580f96858c3960f5fcf1eaa2b8b6e2574d5bba4bc91",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:651dd02a84abdd528e35e73d483aec5c361078bf169919bd3dac7bfe66d19290",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:edbe0bc83fdd4b6516399b43dcb4422c9b5e78a1a485fc8870554b7f1b59a501",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:9dac568c16fc9d22304b66eb1be48e849c912c0c1f233b7c8233eee5834fc082",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:3d456f67aef005b6da1b9ae91c778314b6d79553917d7d37e6aa484eb8ea5a91",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:e30e0f9e2580058251db6012e2886fa8b3971d980ae04c0d2e304190df601b4a",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:fe2aa90b281550a68cdc80208979c65acf8f64ca7ba709fe07fc38ed4eae7400",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:d15e83b3662501593be46a5a2aef02c2f5b4a1826aa5bef8cd21e7047a497af8",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:5308441e25778d9e467114c998ed3faf9c4bc18df17702fdbe7fcf495ff44eb9",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:bddc1b85037e49dcbeef083c2b2868c73e23d7443e3c13bc177762b90ddaf80f",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:264d85222bd6ff7a724dd33fa5071e6c3e1a30361989d52f2f7ca191ac7b9b20",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:e0d4150147fe4f2ecaf11fd532bd3d707d8632024f6743da58141b122a305887",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"digest": "sha256:8f06e8c4e23717acbe73a0cd2f6ef9678b0c8c0387d67f7e604c85d43ba22cbf",
"size": 566,
"annotations":
{
"vnd.docker.reference.digest": "sha256:ed6e2e64d1f0a99ca795c481ca08ff62fc8e1efca022ae22c5604bb27e6c76c1",
"vnd.docker.reference.type": "attestation-manifest"
},
"platform":
{
"architecture": "unknown",
"os": "unknown"
}
}
]
}
其中后面几个 annotations 类型的内容, 是每个架构下的 manifests 证明文件. 用于镜像签名.
镜像manifests
json
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"config": {
"mediaType": "application/vnd.oci.image.config.v1+json",
"digest": "sha256:fe997a1b6216319619839e4ffe4bf083b70e58e751d5a26837254dc113b743f6",
"size": 579
},
"layers": [{
"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
"digest": "sha256:c1e0ef7b956a07c7b090256aa16cbb0550a34d0625d1d23c5b1a76e92a58d01e",
"size": 49584978
}]
}