Juggling with Docker manifests like an artist

Dominik Deschner
Published in medialesson, Apr 9, 2022

Last week I gave you a brief introduction to building multi-arch Docker images for your IoT projects. Instead of publishing a single image, you have to work with Docker manifests to get platform-agnostic Docker images.

In more complex scenarios, such as multistage CI/CD pipelines, working with manifests can be more challenging than working with plain Docker images. For example, moving manifests between different registries is not possible with the Docker CLI.

In this article I want to show you how to use buildx to push the resulting manifest to a local registry, and how to copy it from there, under different tags, to other remote registries.

For demonstration purposes I have set up two local registries running on different local ports:

  • Port 5000 shall represent our “local” registry
  • Port 5001 shall represent the “remote” registry

Now we just start off by building and pushing our demo manifest into the local registry.

docker buildx build -t localhost:5000/hello-medialesson:demo --push . --platform=linux/arm64 --platform=linux/amd64 --platform=linux/arm/v7

We can validate that everything has worked as expected by running:

docker buildx imagetools inspect localhost:5000/hello-medialesson:demo

So now the manifest resides in the local registry. In the next step we want to transfer this manifest to another registry under another tag, e.g. localhost:5001/hello-medialesson:latest

To achieve this I’d like to introduce crane, a tool developed by Google for working with container registries. It can be installed directly as a CLI tool for different ecosystems. In this demonstration I’d like to run it in a container, since this should be the most portable option.

We can use the copy command of the crane CLI to push the local image to a remote registry:

docker run --rm --net=host -v crane-vol:/home/nonroot gcr.io/go-containerregistry/crane copy localhost:5000/hello-medialesson:demo localhost:5001/hello-medialesson:latest

After that we can verify that everything has worked by running:

docker buildx imagetools inspect localhost:5001/hello-medialesson:latest
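
The two inspect steps can also be turned into an automated pipeline gate. The following is an added example, not code from the original article: it checks that the copied manifest list has the same content digest as the source and still lists the three platforms built above. It assumes the raw manifest bytes of both references were saved beforehand (for instance with crane manifest); the function names and the sample data are constructed for illustration.

```python
import hashlib
import json

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
REQUIRED = {"linux/arm64", "linux/amd64", "linux/arm/v7"}  # platforms built above


def digest(raw: bytes) -> str:
    """Content digest as registries compute it: SHA-256 of the exact bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def platforms(raw: bytes) -> set:
    """Return os/arch[/variant] for each runnable image in a manifest list."""
    doc = json.loads(raw)
    if doc.get("mediaType") not in (OCI_INDEX, DOCKER_LIST):
        raise ValueError("not a manifest list / image index")
    found = set()
    for entry in doc.get("manifests", []):
        p = entry.get("platform") or {}
        if p.get("os", "unknown") == "unknown":
            continue  # e.g. buildx attestation entries (unknown/unknown)
        variant = p.get("variant")
        if p.get("architecture") == "arm64" and variant == "v8":
            variant = None  # arm64/v8 and arm64 name the same platform
        found.add("/".join(x for x in (p["os"], p.get("architecture"), variant) if x))
    return found


def verify_copy(src: bytes, dst: bytes, required=REQUIRED) -> list:
    """Return a list of problems; an empty list means the copy is faithful."""
    problems = []
    if digest(src) != digest(dst):
        problems.append("digest mismatch: %s != %s" % (digest(src), digest(dst)))
    missing = set(required) - platforms(dst)
    if missing:
        problems.append("missing platforms: " + ", ".join(sorted(missing)))
    return problems


def constructed_index(plats) -> bytes:  # constructed sample; placeholder digests
    keys = ("os", "architecture", "variant")
    entries = [{"mediaType": "application/vnd.oci.image.manifest.v1+json",
                "digest": "sha256:%064x" % i, "size": 500 + i,
                "platform": dict(zip(keys, plat.split("/")))}
               for i, plat in enumerate(plats, 1)]
    return json.dumps({"schemaVersion": 2, "mediaType": OCI_INDEX,
                       "manifests": entries}).encode()
```

A pipeline would fail the promotion step whenever verify_copy returns a non-empty list.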

The volume mapping -v crane-vol:/home/nonroot is not needed in this simple use case, but it is very useful when you need to authenticate with a remote registry first:

docker run --rm -v crane-vol:/home/nonroot gcr.io/go-containerregistry/crane auth login -u {user} -p {password} {registry}

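When you authenticate with a registry, crane saves the credentials under the path /home/nonroot. The volume mapping mentioned above ensures that all files in this path are saved outside of the container, so subsequent calls can reuse the files stored there. Two things follow from this: the crane-vol volume now holds registry credentials and should be handled like a secret, and a password passed with -p ends up in shell history and the process list, which the --password-stdin option of crane auth login avoids.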

Conclusion

Crane is a powerful tool for extended Docker workloads. Besides the copy command, crane provides additional functionality for working with the Docker registry APIs and is worth a look.