docker manifest (original) (raw)

Experimental

This command is experimental.

Experimental features are intended for testing and feedback as their functionality or design may change between releases without warning or can be removed entirely in a future release.

The docker manifest command by itself performs no action. In order to operate on a manifest or manifest list, one of the subcommands must be used.

A single manifest is information about an image, such as layers, size, and digest. The docker manifest command also gives you additional information, such as the OS and architecture an image was built for.

A manifest list is a list of image layers that is created by specifying one or more (ideally more than one) image names. It can then be used in the same way as an image name in docker pull and docker run commands, for example.

Ideally a manifest list is created from images that are identical in function for different os/arch combinations. For this reason, manifest lists are often referred to as "multi-arch images". However, a user could create a manifest list that points to two images -- one for Windows on AMD64, and one for Darwin on AMD64.

manifest inspect

manifest create

manifest annotate

manifest push

Working with insecure registries

The manifest command interacts solely with a registry. Because of this, it has no way to query the engine for the list of allowed insecure registries. To allow the CLI to interact with an insecure registry, some docker manifestcommands have an --insecure flag. For each transaction, such as a create, which queries a registry, the --insecure flag must be specified. This flag tells the CLI that this registry call may ignore security concerns like missing or self-signed certificates. Likewise, on a manifest push to an insecure registry, the --insecure flag must be specified. If this is not used with an insecure registry, the manifest command fails to find a registry that meets the default requirements.

Inspect an image's manifest object

Inspect an image's manifest and get the os/arch info

The docker manifest inspect command takes an optional --verbose flag that gives you the image's name (Ref), as well as the architecture and OS (Platform).

Just as with other Docker commands that take image names, you can refer to an image with or without a tag, or by digest (e.g. hello-world@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f).

Here is an example of inspecting an image's manifest with the --verbose flag:

Create and push a manifest list

To create a manifest list, you first create the manifest list locally by specifying the constituent images you would like to have included in your manifest list. Keep in mind that this is pushed to a registry, so if you want to push to a registry other than the docker registry, you need to create your manifest list with the registry name or IP and port. This is similar to tagging an image and pushing it to a foreign registry.

After you have created your local copy of the manifest list, you may optionallyannotate it. Annotations allowed are the architecture and operating system (overriding the image's current values), os features, and an architecture variant.

Finally, you need to push your manifest list to the desired registry. Below are descriptions of these three commands, and an example putting them all together.

Inspect a manifest list

Push to an insecure registry

Here is an example of creating and pushing a manifest list using a known insecure registry.

Note

The --insecure flag is not required to annotate a manifest list, since annotations are to a locally-stored copy of a manifest list. You may also skip the --insecure flag if you are performing a docker manifest inspecton a locally-stored manifest list. Be sure to keep in mind that locally-stored manifest lists are never used by the engine on a docker pull.