github.com/pwn-term/docker@v0.0.0-20210616085119-6e977cce2565/cli/docs/reference/commandline/manifest.md (about) 1 --- 2 title: "manifest" 3 description: "The manifest command description and usage" 4 keywords: "docker, manifest" 5 --- 6 7 ```markdown 8 Usage: docker manifest COMMAND 9 10 Manage Docker image manifests and manifest lists 11 12 Options: 13 --help Print usage 14 15 Commands: 16 annotate Add additional information to a local image manifest 17 create Create a local manifest list for annotating and pushing to a registry 18 inspect Display an image manifest, or manifest list 19 push Push a manifest list to a repository 20 21 ``` 22 23 ## Description 24 25 The `docker manifest` command by itself performs no action. In order to operate 26 on a manifest or manifest list, one of the subcommands must be used. 27 28 A single manifest is information about an image, such as layers, size, and digest. 29 The docker manifest command also gives users additional information such as the os 30 and architecture an image was built for. 31 32 A manifest list is a list of image layers that is created by specifying one or 33 more (ideally more than one) image names. It can then be used in the same way as 34 an image name in `docker pull` and `docker run` commands, for example. 35 36 Ideally a manifest list is created from images that are identical in function for 37 different os/arch combinations. For this reason, manifest lists are often referred 38 to as "multi-arch images". However, a user could create a manifest list that points 39 to two images -- one for windows on amd64, and one for darwin on amd64. 40 41 ### manifest inspect 42 43 ```bash 44 manifest inspect --help 45 46 Usage: docker manifest inspect [OPTIONS] [MANIFEST_LIST] MANIFEST 47 48 Display an image manifest, or manifest list 49 50 Options: 51 --help Print usage 52 --insecure Allow communication with an insecure registry 53 -v, --verbose Output additional info including layers and platform 54 ``` 55 56 ### manifest create 57 58 ```bash 59 Usage: docker manifest create MANIFEST_LIST MANIFEST [MANIFEST...] 60 61 Create a local manifest list for annotating and pushing to a registry 62 63 Options: 64 -a, --amend Amend an existing manifest list 65 --insecure Allow communication with an insecure registry 66 --help Print usage 67 ``` 68 69 ### manifest annotate 70 71 ```bash 72 Usage: docker manifest annotate [OPTIONS] MANIFEST_LIST MANIFEST 73 74 Add additional information to a local image manifest 75 76 Options: 77 --arch string Set architecture 78 --help Print usage 79 --os string Set operating system 80 --os-version string Set operating system version 81 --os-features stringSlice Set operating system feature 82 --variant string Set architecture variant 83 84 ``` 85 86 ### manifest push 87 88 ```bash 89 Usage: docker manifest push [OPTIONS] MANIFEST_LIST 90 91 Push a manifest list to a repository 92 93 Options: 94 --help Print usage 95 --insecure Allow push to an insecure registry 96 -p, --purge Remove the local manifest list after push 97 ``` 98 99 ### Working with insecure registries 100 101 The manifest command interacts solely with a Docker registry. Because of this, 102 it has no way to query the engine for the list of allowed insecure registries. 103 To allow the CLI to interact with an insecure registry, some `docker manifest` 104 commands have an `--insecure` flag. For each transaction, such as a `create`, 105 which queries a registry, the `--insecure` flag must be specified. This flag 106 tells the CLI that this registry call may ignore security concerns like missing 107 or self-signed certificates. Likewise, on a `manifest push` to an insecure 108 registry, the `--insecure` flag must be specified. If this is not used with an 109 insecure registry, the manifest command fails to find a registry that meets the 110 default requirements. 111 112 ## Examples 113 114 ### Inspect an image's manifest object 115 116 ```bash 117 $ docker manifest inspect hello-world 118 { 119 "schemaVersion": 2, 120 "mediaType": "application/vnd.docker.distribution.manifest.v2+json", 121 "config": { 122 "mediaType": "application/vnd.docker.container.image.v1+json", 123 "size": 1520, 124 "digest": "sha256:1815c82652c03bfd8644afda26fb184f2ed891d921b20a0703b46768f9755c57" 125 }, 126 "layers": [ 127 { 128 "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", 129 "size": 972, 130 "digest": "sha256:b04784fba78d739b526e27edc02a5a8cd07b1052e9283f5fc155828f4b614c28" 131 } 132 ] 133 } 134 ``` 135 136 ### Inspect an image's manifest and get the os/arch info 137 138 The `docker manifest inspect` command takes an optional `--verbose` flag 139 that gives you the image's name (Ref), and architecture and os (Platform). 140 141 Just as with other docker commands that take image names, you can refer to an image with or 142 without a tag, or by digest (e.g. `hello-world@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f`). 143 144 Here is an example of inspecting an image's manifest with the `--verbose` flag: 145 146 ```bash 147 $ docker manifest inspect --verbose hello-world 148 { 149 "Ref": "docker.io/library/hello-world:latest", 150 "Digest": "sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f", 151 "SchemaV2Manifest": { 152 "schemaVersion": 2, 153 "mediaType": "application/vnd.docker.distribution.manifest.v2+json", 154 "config": { 155 "mediaType": "application/vnd.docker.container.image.v1+json", 156 "size": 1520, 157 "digest": "sha256:1815c82652c03bfd8644afda26fb184f2ed891d921b20a0703b46768f9755c57" 158 }, 159 "layers": [ 160 { 161 "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", 162 "size": 972, 163 "digest": "sha256:b04784fba78d739b526e27edc02a5a8cd07b1052e9283f5fc155828f4b614c28" 164 } 165 ] 166 }, 167 "Platform": { 168 "architecture": "amd64", 169 "os": "linux" 170 } 171 } 172 ``` 173 174 ### Create and push a manifest list 175 176 To create a manifest list, you first `create` the manifest list locally by 177 specifying the constituent images you would like to have included in your 178 manifest list. Keep in mind that this is pushed to a registry, so if you want to 179 push to a registry other than the docker registry, you need to create your 180 manifest list with the registry name or IP and port. 181 This is similar to tagging an image and pushing it to a foreign registry. 182 183 After you have created your local copy of the manifest list, you may optionally 184 `annotate` it. Annotations allowed are the architecture and operating system 185 (overriding the image's current values), os features, and an architecture variant. 186 187 Finally, you need to `push` your manifest list to the desired registry. Below are 188 descriptions of these three commands, and an example putting them all together. 189 190 ```bash 191 $ docker manifest create 45.55.81.106:5000/coolapp:v1 \ 192 45.55.81.106:5000/coolapp-ppc64le-linux:v1 \ 193 45.55.81.106:5000/coolapp-arm-linux:v1 \ 194 45.55.81.106:5000/coolapp-amd64-linux:v1 \ 195 45.55.81.106:5000/coolapp-amd64-windows:v1 196 197 Created manifest list 45.55.81.106:5000/coolapp:v1 198 ``` 199 200 ```bash 201 $ docker manifest annotate 45.55.81.106:5000/coolapp:v1 45.55.81.106:5000/coolapp-arm-linux --arch arm 202 ``` 203 204 ```bash 205 $ docker manifest push 45.55.81.106:5000/coolapp:v1 206 Pushed manifest 45.55.81.106:5000/coolapp@sha256:9701edc932223a66e49dd6c894a11db8c2cf4eccd1414f1ec105a623bf16b426 with digest: sha256:f67dcc5fc786f04f0743abfe0ee5dae9bd8caf8efa6c8144f7f2a43889dc513b 207 Pushed manifest 45.55.81.106:5000/coolapp@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f with digest: sha256:b64ca0b60356a30971f098c92200b1271257f100a55b351e6bbe985638352f3a 208 Pushed manifest 45.55.81.106:5000/coolapp@sha256:39dc41c658cf25f33681a41310372f02728925a54aac3598310bfb1770615fc9 with digest: sha256:df436846483aff62bad830b730a0d3b77731bcf98ba5e470a8bbb8e9e346e4e8 209 Pushed manifest 45.55.81.106:5000/coolapp@sha256:f91b1145cd4ac800b28122313ae9e88ac340bb3f1e3a4cd3e59a3648650f3275 with digest: sha256:5bb8e50aa2edd408bdf3ddf61efb7338ff34a07b762992c9432f1c02fc0e5e62 210 sha256:050b213d49d7673ba35014f21454c573dcbec75254a08f4a7c34f66a47c06aba 211 212 ``` 213 214 ### Inspect a manifest list 215 216 ```bash 217 $ docker manifest inspect coolapp:v1 218 { 219 "schemaVersion": 2, 220 "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json", 221 "manifests": [ 222 { 223 "mediaType": "application/vnd.docker.distribution.manifest.v2+json", 224 "size": 424, 225 "digest": "sha256:f67dcc5fc786f04f0743abfe0ee5dae9bd8caf8efa6c8144f7f2a43889dc513b", 226 "platform": { 227 "architecture": "arm", 228 "os": "linux" 229 } 230 }, 231 { 232 "mediaType": "application/vnd.docker.distribution.manifest.v2+json", 233 "size": 424, 234 "digest": "sha256:b64ca0b60356a30971f098c92200b1271257f100a55b351e6bbe985638352f3a", 235 "platform": { 236 "architecture": "amd64", 237 "os": "linux" 238 } 239 }, 240 { 241 "mediaType": "application/vnd.docker.distribution.manifest.v2+json", 242 "size": 425, 243 "digest": "sha256:df436846483aff62bad830b730a0d3b77731bcf98ba5e470a8bbb8e9e346e4e8", 244 "platform": { 245 "architecture": "ppc64le", 246 "os": "linux" 247 } 248 }, 249 { 250 "mediaType": "application/vnd.docker.distribution.manifest.v2+json", 251 "size": 425, 252 "digest": "sha256:5bb8e50aa2edd408bdf3ddf61efb7338ff34a07b762992c9432f1c02fc0e5e62", 253 "platform": { 254 "architecture": "s390x", 255 "os": "linux" 256 } 257 } 258 ] 259 } 260 ``` 261 262 ### Push to an insecure registry 263 264 Here is an example of creating and pushing a manifest list using a known 265 insecure registry. 266 267 ```bash 268 $ docker manifest create --insecure myprivateregistry.mycompany.com/repo/image:1.0 \ 269 myprivateregistry.mycompany.com/repo/image-linux-ppc64le:1.0 \ 270 myprivateregistry.mycompany.com/repo/image-linux-s390x:1.0 \ 271 myprivateregistry.mycompany.com/repo/image-linux-arm:1.0 \ 272 myprivateregistry.mycompany.com/repo/image-linux-armhf:1.0 \ 273 myprivateregistry.mycompany.com/repo/image-windows-amd64:1.0 \ 274 myprivateregistry.mycompany.com/repo/image-linux-amd64:1.0 275 276 $ docker manifest push --insecure myprivateregistry.mycompany.com/repo/image:tag 277 ``` 278 279 > **Note** 280 > 281 > The `--insecure` flag is not required to annotate a manifest list, 282 > since annotations are to a locally-stored copy of a manifest list. You may also 283 > skip the `--insecure` flag if you are performing a `docker manifest inspect` 284 > on a locally-stored manifest list. Be sure to keep in mind that locally-stored 285 > manifest lists are never used by the engine on a `docker pull`.