I am collecting some data for my project.
Is it possible to know what is the latest tagged images’ version. Without having the image through the api. I want to keep a set of images data, and run experiments, since latest images will change iver time, I want their version to keep my experiments consistent.
Is it possible to know what the ‘latest’ image is based on? For example, nginx is debian based in default if im not wrong. Is there a way for me to retrieve this information through api? I dont want to go through web scraping.
2
Answers
None of the Docker image metadata includes any sort of version string. The low-level
docker inspectcommand includes a lot of debugging information and isn’t normally useful, but if you do look at it, there’s no version there beyond the image’s tag. Its actual format is the raw response from the "Inspect an image" Engine HTTP endpoint.That means, in general, that you can’t look at a
...:latesttag and find out what version of software is installed in it. Often other sources like a Docker Hub image page (for example, https://hub.docker.com/_/nginx) will have a tag listing, or there is some way to run the image to find out. Also see for example How can I list all tags for a Docker image on a remote registry?If you do specifically care about what versions of software are being used, a better practice is to avoid the
...:latesttag entirely. Don’t, for example, build your application imageFROM python:latestand then try to deduce that it was Python 3.13 after the fact; explicitly specifypython:3.13. For software you’re building yourself, your CI system should be able to give a unique image for each build, maybe based on a source control revision ID or a time stamp.If you’ve recorded that
registry.example.com/myapp:20241119has one result butregistry.example.com:20241120has another, for example, then you can easily re-run the experiment by just using the old image tag. You don’t need to worry about "what islatestanyways".The most you can do for this is check the digest of the various tags to see which digest matches. And you can list the tags for a list of things to compare.
It tends to be a lot easier to know about each repo and find the specific tag you want with a semver comparison when they use that.
This is going to significantly depend on the image in question. There’s no common way to lookup this detail for every image. If the image is packaged with OCI media types, it has the ability to include annotations, and OCI has specified the
org.opencontainers.image.base.nameannotation that specifies what you’re looking for.Specifically with nginx, they have switched to the OCI media types, and they even have the annotation defined, but only on the platform specific images and not the top level index:
Some images will even specify when they are based on scratch rather than a base image:
Docker has been updating their official images with this, but expect older images and images provided by others to be much less likely to include the data.
When that data is not included, you can check the image history to get an idea of how it was created, looking for commands like dpkg/apt, apk, or rpm/yum/dnf, which will give you an idea of the distribution. That can be seen with
regctl image config nginx.Disclaimer, I’m the author of regclient/regctl and a maintainer of the linked OCI spec. Other options to remotely inspect images include
docker buildx imagetools inspect nginx, though that pulls a lot more data for similar requests. There’s also crane, skopeo, and oras, each of which has a different syntax but similar functionality. Each of these tools are client interfaces to the OCI distribution-spec.