visit
docker pull golang
docker pull yugabytedb/yugabyte
docker pull quay.io/keycloak/keycloak-x
When an image is pulled using only the name, the image tagged latest
is pulled. If there is no image with the tag latest
, then no image will be pulled.
docker pull golang:latest
docker pull golang:1.17.1
docker pull yugabytedb/yugabyte:latest
docker pull yugabytedb/yugabyte:2.9.0.0-b4
docker pull quay.io/keycloak/keycloak-x:latest
docker pull quay.io/keycloak/keycloak-x:15.0.2
An image like golang
is available for multiple os/arch, example: windows/amd64
, linux/amd64
, etc. In such cases, docker automatically pulls the appropriate image for the os/arch the pull command is run on.
docker manifest inspect --verbose golang:1.17.1
# sample output
[
{
"Ref": "docker.io/library/golang:1.17.1@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
"Descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
"size": 1796,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
.
.
.
A common thing that happens with a tag is that it could be reused. For example an image pulled using golang:latest
today may be completely different from an image pulled in 6 months.
Tags that look like version numbers can have the same behavior. There is no guarantee that an image pulled using golang:1.17.1
today (on say linux/amd64
) will be the same when pulled 6 months later (again on linux/amd64
).
Caution needs to be exercised in production environments when pulling an image using the latest
tag since it makes rollbacks harder.
A digest is an id that is automatically created during build time and cannot be changed (immutable). When an image is pulled using a digest, a docker pull
will download the same image every time on any os/arch. This is called image pinning.
First, determine the image name:tag
you wish to use. Then get the digest as follows:
docker manifest inspect --verbose golang:1.17.1
# sample output
[
{
"Ref": "docker.io/library/golang:1.17.1@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
"Descriptor": {
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"digest": "sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
"size": 1796,
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
.
.
.
docker manifest inspect --verbose yugabytedb/yugabyte:2.9.0.0-b4
docker manifest inspect --verbose quay.io/keycloak/keycloak-x:15.0.2
The above command returns a JSON response. Look for the digest
in the Descriptor
.
# golang 1.17.1 for linux/amd64
docker pull golang@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a
# yugabyte 2.9.0.0-b4 for linux/amd64
docker pull yugabytedb/yugabyte@sha256:974219f34a18afde9517b27f3b81403c3a08f6908cbf8d7b717097b93b11583d
# keycloak-x 15.0.2 for linux/amd64
docker pull quay.io/keycloak/keycloak-x@sha256:a6b7be1808b8443dde696c5f108be1cb6e7641d6b281ef7598df012c1d6871f8
Note: Comments added above only for readability.
name
or name:tag
.name@sha256:digest
to pull your base image(s). This ensures that the same final image is built on any machine.name:tag
where a tag represents a version number, for example v21.10.1
. Avoid using the latest
tag since it makes rollbacks harder.name@sha256:digest
if possible. If you choose to use name:tag
, be mindful that tags can be reused. Avoid using the latest
tag since it makes rollbacks harder.name
, or name:tag
or name@sha256:digest
.name
or name:tag
will automatically download the appropriate image for the os/arch the pull command is run on.docker manifest inspect --verbose <name:tag>
to view os/arch’s of an image and to get the digest.name@sha256:digest
to download the same image on any os/arch.latest
tag in a product environment since it makes rollbacks hard.