Slide 1

Slide 1 text

Manifests, blobs and tags
Container images finally digest(ible)
Yves Brissaud
DevoxxFR 2025

Slide 2

Slide 2 text

Yves Brissaud 𝕏 🦋 @_crev_ @yves.brissaud.name

Slide 3

Slide 3 text

Why?
• Necessity
• Docker Hub → Images
• Pull analytics → Images, tags, pulls
• Docker Scout → Images, tags, internal structure
• Curiosity
• Ideas

Slide 4

Slide 4 text

Plan
✓ Build & Inspect
✓ Push & Registry
✓ Pull & Tags
✓ Update
✓ Extend
𐄂 Theoretical specifications https://github.com/opencontainers/image-spec

Slide 5

Slide 5 text

Build

Slide 6

Slide 6 text

Build
• Base image
• Multiple architectures
• SSC materials
• Multiple tags

Slide 7

Slide 7 text

Build
• Base image
• Multiple architectures
• SSC materials
• Multiple tags
FROM alpine
COPY <

Slide 8

Slide 8 text

Build
• Base image
• Multiple architectures
• SSC materials
• Multiple tags
$ docker build \
    --platform linux/amd64,linux/arm64 \
    --attest type=sbom \
    --attest type=provenance,mode=max \
    --tag localhost:5001/devoxx:latest \
    --tag localhost:5001/devoxx:1 \
    --tag localhost:5001/devoxx:1.0 \
    --tag localhost:5001/devoxx:1.0.0 \
    --push \
    .

Slide 9

Slide 9 text

Inspect

Slide 10

Slide 10 text

Inspect
• Extract the image
• Explore starting from index.json
$ mkdir image && cd image
$ docker save localhost:5001/devoxx:latest | tar x
$ code .

Slide 11

Slide 11 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64 manifest (application/vnd.oci.image.manifest.v1+json)
  linux/arm64 manifest (application/vnd.oci.image.manifest.v1+json)
  attestation-manifest (application/vnd.oci.image.manifest.v1+json)
  attestation-manifest (application/vnd.oci.image.manifest.v1+json)

Slide 12

Slide 12 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64: config blob, layer, layer, …
  linux/arm64: config blob, layer, layer, …
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
Labels: "Image", "Multi-platform Image"

Slide 13

Slide 13 text

Push

Slide 14

Slide 14 text

Push / Why a registry and not just archives?
✓ Deduplication
✓ Metadata (tags)
✓ Versions

Slide 15

Slide 15 text

Registry Blobs / PUSH
v2/
  blobs/
    sha256/
      1c/1c7e35ae…
      5a/5a0523cd…
      bb/bb124008…
      …

Slide 16

Slide 16 text

Registry Tags / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …

Slide 17

Slide 17 text

Registry Tags / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …

Slide 18

Slide 18 text

Registry Tags / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …
my/image:latest

Slide 19

Slide 19 text

Registry Tags / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …
my/image:latest@sha256:…

Slide 20

Slide 20 text

Registry / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 21

Slide 21 text

Registry / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 22

Slide 22 text

Pull

Slide 23

Slide 23 text

Pull / pull the linux/amd64 version of tag latest
1. Resolve the tag to a digest
2. Select the image for the platform
3. Download the config and layer blobs

Slide 24

Slide 24 text

Pull / Resolve the tag to a digest
HEAD /v2/devoxx/manifests/latest
HTTP/1.1 200 OK
content-type: application/vnd.oci.image.index.v1+json
docker-content-digest: sha256:bb12408994b47cd38d271756538fae38211912e1fc81b5bd2c8e6c1189e55f7a
docker-distribution-api-version: registry/2.0

Slide 25

Slide 25 text

Registry / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 26

Slide 26 text

Pull / Select the manifest
GET /v2/devoxx/manifests/sha256:…
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.index.v1+json",
  "manifests": [{
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "digest": "sha256:5a9523cb0b6df3ab430767d86c0672a75c53caa…",
    "size": 668,
    "platform": {
      "architecture": "amd64",
      "os": "linux"
    }
  },

Slide 27

Slide 27 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64: config blob, layer, layer, …
  linux/arm64: config blob, layer, layer, …
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)

Slide 28

Slide 28 text

Pull / Select the manifest
GET /v2/devoxx/manifests/sha256:5a9523…
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.oci.image.config.v1+json",
    "digest": "sha256:74031e380ebc651f1a88ccc475cb6ba373deb99f1dd08abacf91133b02fa973e",
    "size": 802
  },
  "layers": [{
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
    "digest": "sha256:f18232174bc91741fdf3da96d85011092101a032a93a388b79e99e69c2d5c870",
    "size": 3642247
  }, {
    "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
    "digest": "sha256:9e7f22e90c58fde28040a694fe740d6fccf15abdd630d47484445063d21c15d4",
    "size": 118
  }]
}

Slide 29

Slide 29 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64: config blob, layer, layer, …
  linux/arm64: config blob, layer, layer, …
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)

Slide 30

Slide 30 text

Pull / Download the config and layer blobs
$ docker pull --platform linux/amd64 localhost:5001/devoxx:latest
latest: Pulling from devoxx
9e7f22e90c58: Pull complete
Digest: sha256:bb12408994b47cd38d271756538fae38211912e1fc81b5bd2c8e6c1189e55f7a
Status: Downloaded newer image for localhost:5001/devoxx:latest
localhost:5001/devoxx:latest
GET /v2/devoxx/blobs/sha256:…
GET /v2/devoxx/blobs/sha256:…
…

Slide 31

Slide 31 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64: config blob, layer, layer, …
  linux/arm64: config blob, layer, layer, …
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)

Slide 32

Slide 32 text

Pull / Requests
HEAD /v2/devoxx/manifests/ → tag to digest resolution
GET /v2/devoxx/manifests/ → image index JSON
GET /v2/devoxx/manifests/ → image manifest JSON
GET /v2/devoxx/blobs/ → config blob
GET /v2/devoxx/blobs/ → layer blob
GET /v2/devoxx/blobs/ → layer blob
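The three pull steps and the request sequence above, as an added Python example (not from the talk or from any registry's code): a dict stands in for the registry's blob store, and everything fetched by digest is checked against the descriptor that named it. The names put, fetch, pull and sample_registry are assumptions, and the two-platform image is constructed.

```python
import hashlib
import json

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def put(blobs: dict, obj) -> dict:
    """Store bytes (or a JSON document) under its digest; return a descriptor."""
    data = obj if isinstance(obj, bytes) else json.dumps(obj).encode()
    blobs[digest(data)] = data          # same content -> same key (deduplication)
    return {"digest": digest(data), "size": len(data)}

def fetch(blobs: dict, desc: dict) -> bytes:
    """GET by digest, then check the bytes against the descriptor that named them."""
    data = blobs[desc["digest"]]
    if len(data) != desc["size"] or digest(data) != desc["digest"]:
        raise ValueError("content mismatch for " + desc["digest"])
    return data

def pull(blobs: dict, tags: dict, tag: str, os_name: str, arch: str):
    index_desc = tags[tag]                                    # 1. tag -> digest
    index = json.loads(fetch(blobs, index_desc))              # image index JSON
    wanted = {"os": os_name, "architecture": arch}
    entry = next((m for m in index["manifests"] if m.get("platform") == wanted), None)
    if entry is None:
        raise LookupError("no manifest for %s/%s" % (os_name, arch))
    manifest = json.loads(fetch(blobs, entry))                # 2. image manifest JSON
    config = fetch(blobs, manifest["config"])                 # 3. config blob
    layers = [fetch(blobs, layer) for layer in manifest["layers"]]  # 3. layer blobs
    return index_desc["digest"], config, layers

def sample_registry():
    """Constructed two-platform image; contents are placeholders, not real layers."""
    blobs, manifests = {}, []
    for arch in ("amd64", "arm64"):
        config = put(blobs, {"architecture": arch, "os": "linux"})
        layers = [put(blobs, b"base layer for " + arch.encode()), put(blobs, b"app layer")]
        desc = put(blobs, {"schemaVersion": 2, "config": config, "layers": layers})
        manifests.append({**desc, "platform": {"os": "linux", "architecture": arch}})
    tags = {"latest": put(blobs, {"schemaVersion": 2, "manifests": manifests})}
    return blobs, tags

if __name__ == "__main__":
    blobs, tags = sample_registry()
    print(pull(blobs, tags, "latest", "linux", "amd64")[0], len(blobs), "blobs stored")
```

Because the index digest covers the manifest digests and each manifest covers its config and layer digests, a change to any blob breaks the chain at fetch time.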

Slide 33

Slide 33 text

Pull / pull the linux/amd64 version of tag latest 1
1. Resolve the tag to a digest
2. Select the image for the platform
3. Download the config and layer blobs

Slide 34

Slide 34 text

Pull / pull the linux/amd64 version of tag latest 1
1. Resolve the tag to a digest → Identical
2. Select the image for the platform → Manifests already downloaded
3. Download the config and layer blobs → Blobs already downloaded

Slide 35

Slide 35 text

Pull / Requests
HEAD /v2/devoxx/manifests/ → tag to digest resolution
GET /v2/devoxx/manifests/ → image index JSON
GET /v2/devoxx/manifests/ → image manifest JSON
GET /v2/devoxx/blobs/ → config blob
GET /v2/devoxx/blobs/ → layer blob
GET /v2/devoxx/blobs/ → layer blob

Slide 36

Slide 36 text

Registry / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1/
          current/link
          index/sha256/link
        1.0/
        …
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …

Slide 37

Slide 37 text

Update

Slide 38

Slide 38 text

Update / New image
• Edit / add a layer
• Existing and additional tags
$ docker build \
    --platform linux/amd64,linux/arm64 \
    --attest type=sbom \
    --attest type=provenance,mode=max \
    --tag localhost:5001/devoxx:latest \
    --tag localhost:5001/devoxx:1 \
    --tag localhost:5001/devoxx:1.0 \
    --tag localhost:5001/devoxx:1.0.1 \
    --push \
    .

Slide 39

Slide 39 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64: config blob, layer, layer, …
  linux/arm64: config blob, layer, layer, …
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)

Slide 40

Slide 40 text

Registry / PUSH
v2/
  repositories/
    _manifests/
      tags/
        latest/
          current/link
          index/sha256/link
        1.0.0/
          current/link
          index/sha256/link
        1/
        …
        1.0.1/
          current/link
          index/sha256/link
  blobs/
    sha256/
      1c/1c7e3…
      5a/5a052…
      bb/bb124…
      …
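What the tag layout and the update above mean for references, as an added Python example (not from the talk): pushing a new index moves latest, 1 and 1.0, while 1.0.0 and a my/image:latest@sha256:… style reference keep resolving to the earlier digest. The registry dict and the functions push, parse_ref and resolve are assumptions that mirror the current/link and index/sha256/link entries shown on the slides; the manifests are constructed byte strings.

```python
import hashlib

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def push(reg: dict, manifest: bytes, tags: list) -> str:
    """Store the manifest once under its digest, then point each tag at it."""
    d = digest(manifest)
    reg["blobs"].setdefault(d, manifest)           # deduplicated by digest
    for tag in tags:
        entry = reg["tags"].setdefault(tag, {"current": None, "index": []})
        entry["current"] = d                       # tags/<tag>/current/link
        if d not in entry["index"]:
            entry["index"].append(d)               # tags/<tag>/index/sha256/.../link
    return d

def parse_ref(ref: str):
    """Split 'name[:tag][@sha256:...]' into (name, tag, pinned digest or None)."""
    name, _, pinned = ref.partition("@")
    repo, sep, tag = name.rpartition(":")
    if not sep or "/" in tag:                      # no tag; the ':' was a registry port
        repo, tag = name, "latest"
    return repo, tag, pinned or None

def resolve(reg: dict, ref: str):
    """Return (digest that will be pulled, whether the tag has moved off the pin)."""
    _, tag, pinned = parse_ref(ref)
    current = reg["tags"][tag]["current"]
    if pinned is None:
        return current, False                      # mutable: whatever the tag says now
    if pinned not in reg["blobs"]:
        raise LookupError("unknown digest " + pinned)
    return pinned, pinned != current               # immutable: the digest wins

if __name__ == "__main__":
    reg = {"blobs": {}, "tags": {}}
    v1 = push(reg, b"constructed index v1", ["latest", "1", "1.0", "1.0.0"])
    push(reg, b"constructed index v2", ["latest", "1", "1.0", "1.0.1"])
    print(resolve(reg, "localhost:5001/devoxx:latest@" + v1))   # old digest, drifted
```

A deployment that compares the pinned digest with the tag's current one gets an explicit signal that the image behind the tag changed, instead of silently running new content.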

Slide 41

Slide 41 text

Extend

Slide 42

Slide 42 text

Extend / OCI Artifacts Everywhere

Slide 43

Slide 43 text

Image Index (application/vnd.oci.image.index.v1+json)
  linux/amd64: config blob, layer, layer, …
  linux/arm64: config blob, layer, layer, …
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)
  attestation-manifest: config blob, layer (application/vnd.in-toto+json), layer (application/vnd.in-toto+json)

Slide 44

Slide 44 text

Extend / OCI Artifacts Everywhere
$ helm pull oci://docker.io/username/repo --version 0.1.0
$ docker compose -f oci://docker.io/username/repo:latest up
$ docker model pull ai/llama3.1:8B-Q4_K_M

Slide 45

Slide 45 text

Extend / OCI Artifacts Everywhere
ai/llama3.1:8B-Q4_K_M
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "config": {
    "mediaType": "application/vnd.docker.ai.model.config.v0.1+json",
    "size": 445,
    "digest": "sha256:0a7e802a3fcd88654d0a0fc45d1f4f45fe34b2e52d39a77abb357b2ee720f9ed"
  },
  "layers": [{
    "mediaType": "application/vnd.docker.ai.gguf.v3",
    "size": 4920739200,
    "digest": "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1"
  }, {
    "mediaType": "application/vnd.docker.ai.license",
    "size": 7627,
    "digest": "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369"
  }, {
    "mediaType": "application/vnd.docker.ai.license",
    "size": 4691,
    "digest": "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859"
  }]
}

Slide 46

Slide 46 text

Extend / OCI Artifacts Everywhere
ai/llama3.1:8B-Q4_K_M
{
  "config": {
    "size": "4.58 GiB",
    "architecture": "llama",
    "format": "gguf",
    "parameters": "8.03 B",
    "quantization": "IQ2_XXS/Q4_K_M"
  },
  "descriptor": {
    "created": "2025-04-03T13:02:48.564612+02:00"
  },
  "rootfs": {
    "diff_ids": [
      "sha256:15f25f7d652061d381368a2f6fa8b2fc6a6c179530cf73080e2a71ff5cd390f1",
      "sha256:64e1b2889b7892e6bbe7a7ed5bfe6ff793c61f9d584345f8f41cf9f5cb30a369",
      "sha256:a568f2ebc73cec3fd74ba2afd992d4e945a8c7a9d851f9b66163aac834b7b859"
    ],
    "type": "rootfs"
  }
}

Slide 47

Slide 47 text

Extend / OCI Artifacts Everywhere
Homebrew
==> Downloading https://ghcr.io/v2/homebrew/core/htop/manifests/3.4.1
==> Fetching htop
==> Downloading https://ghcr.io/v2/homebrew/core/htop/blobs/sha256:275705a…
==> Downloading https://ghcr.io/v2/homebrew/core/golangci-lint/manifests/2.1.1
==> Fetching golangci-lint
==> Downloading https://ghcr.io/v2/homebrew/core/golangci-lint/blobs/sha256:f76c577…

Slide 48

Slide 48 text

Extend / OCI Artifacts Everywhere
✓ Wasm modules
✓ Docker volumes
✓ Dev containers
✓ …
? Documentation
? Runbooks
? …

Slide 49

Slide 49 text

Thank you 🙏
𝕏 🦋 @_crev_ @yves.brissaud.name
Session Feedback Slides