Docker Diaries: Pinning-by-digest

One thing you need to know when using Docker is: tags are mutable. Thus, the latest tag is not always the latest version of the images. Latest just the tag which is applied to an image by default which does not have a tag. Maintainers(or bots) need to maintain the latest tag manually for their docker images.

About a week ago, we had to move an application that we previously deployed with Docker. We have followed a simple way, such as zipped and moving the folder to the new server. But we haven’t been maintaining this application for a while. When new versions were released and we tried to install it on the new server, we couldn’t get the application up because the latest tag pulled the new version. We had to find out which version the latest tag we installed was for. We found the solution in digests. An immutable identifier for the docker images. We found the digest of the image installed on the old server with the latest tag and replaced the image of docker-compose.yml on the new server with this digest. Bingo.

Digests time saver for that kind of scenarios.

Finding digest:

docker image ls --digests

Pull that image by digest guarantees that every instance of the service (on any node) runs exactly the same version of the image.

Example: Using digests at docker-compose.yml file:

Digests also prevent race-conditions; if a new image is pushed while a deploy is in progress, different nodes may be pulling the images at different times, so some nodes have the new image, some have the old one.

Dockerized days!