
I saw a Stack Overflow answer where immutable tags are mentioned and googled further to understand what exactly they are, and found an article where they said:

A static, or immutable, tag always points to the same image. This is useful when you depend on a specific revision of an image. For example, if you use the tag 3.4.13-debian-10-r8, this tag will always refer to v3.4.13 revision 8 of the image. The use of this tag ensures that users get the same image every time.

I'm not much of an expert in Docker. Does the above quoted text mean that it points to the same image with the same version, or does it mean that it points to the same base image with updated versions as well?

Also, in the same answer, moving tags were mentioned here:

What is meant by a moving tag?

2 Answers


  1. In the registry, all content is content addressable, referenced by a digest (currently sha256). If you pull an image with its digest, it is always the same thing since the digest for the image layers and configuration are packaged in a manifest that has its own digest, resulting in something that looks like a Merkle tree.

    Since humans are not good at understanding and remembering digests, we have tags. These tags are readable strings that get translated to the digest by the registry. The tags are effectively a pointer.

    On most registries, you can push a new image to a tag, replacing where the tag points. If you have a tag for v1.0, you may also push a tag for v1, and any user that wants the latest release of v1 pulls the v1 tag. So when you push v1.1, you also push v1, changing that pointer. Those are mutable tags, or what some may describe as a moving tag.

    Some registries support immutable tags, so that once the tag is pushed, it can never reference a different digest. If the registry doesn’t support this, some organizations may implement this as policy. That said, you’re depending on the registry and the administrators to be well behaved, so security will still recommend using digests when you really want immutable images.

  2. That article is referring to a standard practice commonly used by container image developers who publish images using semantic versioning (semver).

    For example:

    v3 -> latest major version
    v3.1 -> latest major.minor version
    v3.1.2 -> typically does not change (major.minor.patch version)
    

    The latest major and major.minor versions are "moving" tags since the image developers will update the images those tags point to.

    The major.minor.patch version should be "immutable" since the image it refers to should never change.

    Some developers extend semver to include the base image (that’s the debian-10 part).

    However, all tags can be changed. Tags are just human readable strings that point to a digest. Digests are references to docker images that are truly immutable (can never change).

    To view the digests of your local images, run this:

    docker images --digests
    

    Digests start with sha256:

    To pull a docker image using a digest, you would run:

    docker pull NAME@sha256:xxx
    

    Which tag or digest you use is a matter of your security practices. It’s often best practice to use the latest major.minor version as the patches will have security updates. However, some organizations vet every image before use and want the guarantee that they’re pulling the exact image they have already vetted, in which case they’ll use digests.

    Docs:

    docker images

    docker pull

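As an added example (not code from either answer), a small Python script that applies the distinction both answers draw: it classifies an image reference as digest-pinned, patch-pinned (major.minor.patch, immutable only by convention) or moving, and turns the output of `docker images --digests` into NAME@sha256:... references of the kind the second answer pulls by. The sample command output and the digest in it are constructed, not real.

```python
import re

# Constructed sample of `docker images --digests` output; the digest is made up.
DIGEST = "sha256:" + "a1b2c3d4" * 8
SAMPLE_DOCKER_IMAGES = f"""\
REPOSITORY   TAG                 DIGEST    IMAGE ID       CREATED       SIZE
redis        7.2.4-debian-10-r8  {DIGEST}  0123456789ab   2 weeks ago   117MB
redis        7                   {DIGEST}  0123456789ab   2 weeks ago   117MB
myapp        latest              <none>    fedcba987654   3 days ago    45MB
"""

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# major(.minor(.patch))? with an optional suffix such as "-debian-10-r8"
SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-.+)?$")


def classify(ref: str) -> str:
    """How strongly an image reference is pinned:
    'digest' -> NAME@sha256:..., content addressed and cannot move;
    'patch'  -> major.minor.patch tag, should not move but only by convention;
    'moving' -> latest / major / major.minor / anything the publisher re-points."""
    if "@" in ref:
        _, _, digest = ref.partition("@")
        return "digest" if DIGEST_RE.match(digest) else "invalid"
    _, sep, tag = ref.rpartition(":")
    # "localhost:5000/app" has a port, not a tag; no tag means Docker uses "latest"
    if not sep or "/" in tag:
        tag = "latest"
    m = SEMVER_RE.match(tag)
    if m and m.group(3) is not None:
        return "patch"
    return "moving"


def pin_from_docker_images(output: str) -> dict:
    """Map 'repo:tag' -> 'repo@sha256:...' from `docker images --digests` output.
    Rows whose digest is <none> (e.g. built locally, never pushed) are skipped."""
    pins = {}
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        repo, tag, digest = fields[:3]
        if DIGEST_RE.match(digest):
            pins[f"{repo}:{tag}"] = f"{repo}@{digest}"
    return pins
```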