I have few Docker images in Docker Trusted Registry. All these images are created FROM another image which is in DTR. And I want to migrate these images to another registry to decommission DTR. If I pull the image from Docker DTR and create a new image with a new tag by giving command docker tag DTRIMAGE:tag NEWREGISTRY:tag and push to new registry, will those images work fine once DTR is decommissioned? Or we need to build the image from dockerfile again and push it to new registry for every base image and subsequent images?
2
Answers
i wouldn’t see why they wont work. you change the tags like you described and now the images will work fine.
it does not rely on the
Dockerfileanymore ,Dockerfileis to make the image and after that you can use the image how ever you want.you can even use them as a base image again (with the new registry name and tag)
There are a few things you will lose:
Pulling an image will dereference the platform from multi-platform images, so if you are pushing multi-platform images, you will lose that in a pull/push method.
The digest may change on the image if the code serializing the manifest is different. There’s a good chance this won’t happen if the image was pushed with docker both times, but not a guarantee.
If the images are signed with Notary v1, those signatures are associated with the image name and you will need to resign them with the new image name (that is not an issue with sigstore/cosign and notation, but the Docker client doesn’t pull those signatures yet).
The easier way to copy images between registries is to use a standalone tool specifically for that purpose. Tools that do this include Google’s crane, Redhat’s skopeo, and my own regclient/regctl. These will copy the image without changing them, so the digest is unmodified, multi-platform images are copied, and layers that are already on the destination registry don’t need to be pulled to your docker local engine.