[QUESTION]为什么带sha256码的镜像可以迁移成功，但是下载不了

[Maxatom]

[https://github.com//issues/4194 porter success](#4168)

这个镜像我按作者给的模板迁移到ducker hub了，但是下载不了

# crictl pull docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
E1127 19:05:24.112411 3598845 remote_image.go:171] "PullImage from image service failed" err="rpc error: code = NotFound desc = failed to pull and unpack image \"docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f\": failed to unpack image on snapshotter overlayfs: unexpected media type application/octet-stream for sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f: not found" image="docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f"
FATA[0057] pulling image: rpc error: code = NotFound desc = failed to pull and unpack image "docker.io/anjia0532/google-containers.ingress-nginx.kube-webhook-certgen@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f": failed to unpack image on snapshotter overlayfs: unexpected media type application/octet-stream for sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f: not found 

最新的ingress-nginx文件镜像是带sha256编码的：

  spec:
      containers:
      - args:
        - create
        - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
        - --namespace=$(POD_NAMESPACE)
        - --secret-name=ingress-nginx-admission
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.4.4@sha256:a9f03b34a3cbfbb26d103a14046ab2c5130a80c3d69d526ff8063d2b37b9fd3f
        imagePullPolicy: IfNotPresent
        name: create
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          readOnlyRootFilesystem: true
          runAsNonRoot: true

[anjia0532]

这么大个报错，没看到吗？
另外你这也不符合docker命名规范啊，一般是 库/命名空间/镜像[:tag 或者 @sha256摘要]。

https://docs.docker.com/reference/cli/docker/image/pull/

你来个 库/命名空间/镜像:tag@sha256摘要 是肯定不行。

当然你直接 库/命名空间/镜像@sha256摘要 也不行，因为转存后，摘要必然不一样，所以我直接禁止转存摘要了。目前仅支持 库/命名空间/镜像:tag

以 #4196 的 https://github.com/anjia0532/gcr.io_mirror/actions/runs/12049892756/job/33597614425 为例

要拉的是 registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7|linux/arm64

转存成了 {"status":"v1.11.3: digest: sha256:428b951ac3933d12bff16d3fb986ecaa0371c1f1979e1697d40a08388cebb60c size: 3466"}
你会发现 sha256:d56f135b6462cfc476447cfe564b83a45e8bb7da2774963b00d12161112270b7 变成了 sha256:428b951ac3933d12bff16d3fb986ecaa0371c1f1979e1697d40a08388cebb60c

即使成功了也没啥用 https://hub.docker.com/layers/anjia0532/google-containers.ingress-nginx.controller/v1.11.3/images/sha256-428b951ac3933d12bff16d3fb986ecaa0371c1f1979e1697d40a08388cebb60c?context=explore 除非你拉取后，自己看真实摘要，自己替换yaml脚本。