Docker, a popular containerization platform, offers flexibility and ease of managing different versions of software. However, for those who need to pull a specific version of a Docker image, rather than the latest, understanding how to do so is crucial, especially for those keen on deploying only audited versions. This article provides insights based on community answers on how to achieve this.
Pulling a Specific Image by Digest
The most straightforward method to pull a specific Docker image version is by using its digest. A digest is a unique identifier for a Docker image. To pull an image using its digest, the syntax is as follows:
docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2
The challenge lies in finding the hash (digest) of the image. This hash is typically printed during the push/pull process of the image. For automated builds, it’s often displayed at the end. However, it’s worth noting that the docker inspect command might not reveal this hash. Therefore, in some cases, you may need to delete and pull the image again to view the hash.
Tagging Each Build
Another effective method is to tag each build with a specific identifier. This approach gives you more control and makes it easier to pull a specific version later. Here’s how to tag and pull a specific build:
Tagging the build:
# Use the same $SHA1 identifier for the build, tag, and push steps
docker build -t $NAMESPACE/$APP_NAME:$SHA1 .
docker tag \
  $NAMESPACE/$APP_NAME:$SHA1 \
  $DOCKER_REGISTRY/$NAMESPACE/$APP_NAME:$SHA1
docker push $DOCKER_REGISTRY/$NAMESPACE/$APP_NAME:$SHA1
Pulling the specific tag:
docker pull $DOCKER_REGISTRY/$NAMESPACE/$APP_NAME:$SHA1
Verifying the Image in the Docker Repo
Before pulling an image, it’s recommended to verify if the image exists in the specific Docker repository. This can be done using the Docker registry API. By making a simple HTTP GET request, you can confirm the presence of the image. The request is structured as follows:
FullURL = DomainAndPort + "/v2/" + imageName + "/blobs/sha256:" + imageHash;
For example, a working request might look like:
http://10.10.9.84:5000/v2/hello-world/blobs/sha256:8089101ead9ce9b8c68d6859995c98108e1022c23beaa55754acb89d66fd3381
Entering this URL in a browser should return a JSON object describing the image. If the sha256 hash is invalid, the API will return an error message indicating a digest mismatch.
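The check above can be scripted so that a deployment step refuses content that does not hash to the audited digest. The following is an added example, not code from the original article: the function names are hypothetical, the sample blob bytes are constructed, and it assumes a registry reachable without authentication, as in the article's URL.

```python
import hashlib
import re
import urllib.request

# Hypothetical helper names; only the URL layout comes from the article.
SHA256_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def blob_url(registry: str, image_name: str, digest: str) -> str:
    """Build <registry>/v2/<name>/blobs/<digest>, rejecting malformed digests."""
    if not SHA256_DIGEST.fullmatch(digest):
        raise ValueError(f"not a sha256 digest: {digest!r}")
    return f"{registry.rstrip('/')}/v2/{image_name}/blobs/{digest}"


def matches_digest(body: bytes, digest: str) -> bool:
    """Recompute SHA-256 over the bytes received and compare to the pinned value."""
    return "sha256:" + hashlib.sha256(body).hexdigest() == digest


def fetch_verified_blob(registry: str, image_name: str, digest: str) -> bytes:
    """GET the blob and return it only if its content hashes to the pinned digest.

    A missing blob surfaces as urllib.error.HTTPError (404).
    """
    with urllib.request.urlopen(blob_url(registry, image_name, digest), timeout=10) as resp:
        body = resp.read()
    if not matches_digest(body, digest):
        raise ValueError("registry returned content that does not match the digest")
    return body


if __name__ == "__main__":
    # Constructed sample bytes standing in for a blob; no network access needed.
    sample = b'{"architecture":"amd64","os":"linux"}'
    pinned = "sha256:" + hashlib.sha256(sample).hexdigest()
    print(blob_url("http://10.10.9.84:5000", "hello-world", pinned))
    print("intact:  ", matches_digest(sample, pinned))
    print("tampered:", matches_digest(sample + b" ", pinned))
```

Because the digest is a hash of the content itself, recomputing it on the client catches a registry or proxy that serves different bytes under the same URL.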
Conclusion
Pulling a specific build ID in Docker is not only possible but is also a best practice for those who prioritize deploying audited versions. By using the methods of pulling by digest, tagging each build, and verifying images in the Docker repo, users can have greater control and assurance over the versions they deploy. This approach is crucial for maintaining consistency and security in a Dockerized environment.