how to keep docker images if pulling newer image - docker

I'm using some docker images, which I have pulled from a registry:
docker pull registry.example.com/project/backend:latest
docker pull registry.example.com/project/frontend:latest
Now there is a new version on the server registry. If I do a new pull, I will overwrite the current images. But I need to keep the current working images in case I do get some problems with the newest latest images.
So, how do I create a kind of backup of my running backend:latest and frontend:latest? After that I can pull the latest latest image and in case I need to, I can use the old working images...

To keep the current image on your local environment you can use docker tag
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
For example:
docker tag registry.example.com/project/backend:latest registry.example.com/project/backend:backup
Then when you pull the latest, the registry.example.com/project/backend:backup still existing

Pulling an image never deletes an existing image. However, if you have an image with the same name, the old image will become unnamed, and you'll have to refer to it by its image ID.
You've now seen the downside to using :latest tags. This is why it is better to reference an image by a specific version tag that the maintainer won't re-push.

First, you shouldn't be using latest in production environments. Rather define a tag you confirmed working.
And instead of executing stuff in an image to set it up, you should write a Dockerfile and make the installation repeatable and create your local image. That's actually one of the main reasons why docker is used.

Related

How do I get the last push of an image with the x.x tag if I already have an old push of an x.x image?

In 2019, I made a pull image of Python 3.6. After that, I was sure that the image was self-updating (I did not use it actively, I just hoped that the latest pushes themselves were pulled from the repository or something like that), but I was surprised when I accidentally noticed the download/creation date is 2019.
Q: How does image pull work? Are there flags so that the layer hash/its relevance* is checked every time the image is built? Perhaps there is a way to set this check through the docker daemon config file? Or do I have to delete the base image every time to get a new image?
What I want: So that every time I build my images, the base image is checked for the last push (publication of image) in the docker hub repository.
Note: I'm talking about images with an identical tag. Also, I'm not afraid to re-build my images, there is no purpose to preserve them.
Thanks.
You need to explicitly docker pull the image to get updates. For your custom images, there are docker build --pull and docker-compose build --pull options that will pull the base image (though there is not a "pull" option for docker-compose up --build).
Without this, Docker will never check for updates for an image it already has. If your Dockerfile starts FROM python:3.6 and you already have a local image with that name and tag, Docker just uses it without contacting Docker Hub. If you don't have it then Docker will pull it, once, and then you'll have it locally.
The other thing to watch for is that the updates do eventually stop. If you look at the Docker Hub python image page you'll notice that there are no longer rebuilds for Python 3.5. If you pin to a very specific patch version, the automated builds generally only build the latest patch version for each supported minor version; if your image is FROM python:3.6.11 it will never get updates because 3.6.12 is the latest 3.6.x version.

Updating container on VM. How?

I specified a docker image when creating a small VM. Because of this feature, I expected a fairly hands-off way of updating the container to the latest image, but I can't find any documentation on how to do that, or at least a method that works. What the documentation says is that updating the configuration will cause the container to be updated to the latest image and the VM will be stopped & restarted, but this doesn't happen.
I've only been able to update the container by using the Cloud shell from the container registry page. Am I missing a more obvious way to do this?
Docker Tags
The version of the image is specified in the tag.
If you want the most recent, use the latest tag.
Otherwise, a version can be specified.
Example:
fedora/httpd:version1.0 will grab fedora image with version1.0.
fedora/httpd:latest will grab the latest fedora image.
Check what versioning format your image is using, and specify a version when pulling the image.
Updating your container to use newest image
To do this, you likely need to just stop the container, specify the image you want to use, and run the new container.
The key here is to trigger a new pull from the registry. If you are using the latest tag, the latest image should be pulled from the registry. Your important data/configuration should all be made persistent through volume mounting, etc. So you should just be able to plug-and-play with this new image.
If you are looking for the simplest way, maybe try writing a script to stop your running container, pull the latest image, and run this image.
It is slightly challenging to give an exact answer on this issue because there a couple ways to go about it.
Documentation for Docker Pull and Docker Tag
Use Tag for image instead of latest.
use something like this
Image: name_of_imgae:1.0

Docker pull - force download

Is there a possibility to force pull of docker image?
I have redeployed docker image to another repository, but when I invoke
docker pull anotherrepo:port/my/image
nothing gets downloaded, instead I get info:
Digest: sha256:somehash
and that image is up to date.
docker rm/rmi doesn't work because the image is downloaded from originalrepo:port/my/image and I don't want to stop/delete it onyl for test purposes.
Is there possible to force pull to check if the image is correctly pushed?
The following should work. You add a temporary tag to avoid deletion of the image, delete the original tag and then pull:
docker tag "$originalTag" "tmpTag"
docker rmi "$originalTag"
docker pull "$originalTag"
docker rmi "tmpTag"
I think the answer lies in digests.
Images that use the v2 or later format have a content-addressable identifier called a digest. As long as the input used to generate the image is unchanged, the digest value is predictable.
Source: https://docs.docker.com/engine/reference/commandline/images/#list-the-full-length-image-ids
Maybe you don't need to verify if the push was successful, as Docker could be doing that automatically by using digests, but I'm not sure if this is indeed the case.
The only other way I can think of would be to pull from a different machine which has access to the new repository.

What happens when the base image of my image gets updated?

I have images based on microsoft/aspnet:4.6.2, when those (my) images were built, the microsoft/aspnet:4.6.2 was pulled down in order to build my own image. So, in my local computer I have the microsoft/aspnet:4.6.2 image. Let's say the base image gets updated, Microsoft finds a bug with the image and decided to make a fix maintaining the tag, so it's still called microsoft/aspnet:4.6.2 but it actually is a different image than it was when I built my own.
So I have two questions:
1. Everytime my image gets pulled down, it will get the base image as it was when I built my image, right? (it seems obvious but I need to check)
2. If I notice (web hook, trigger?) there's a newer version of microsoft/aspnet:4.6.2 can I just run the docker build command again and the newer image would get pulled down? Keep in mind the old base image is in my file system (called the same). Is Docker smart enough to realize that I have an older version of that base image and it'll download the latest version of it?
Hope I made myself clear
Your image, as downloaded by someone, will always remain the same. An image relies on specific layers to give the image it's SHA256 checksum. Modifying parent layers would modify the checksum used to reference the image, so that would become a new image. The only way for that image to change is if the image is referenced by a tag and the local tag changes, either manually or by pulling the image tag again.
docker build will use the a local image first by default. You either need to run docker build --pull, separately docker pull or docker rmi IMAGE for the build to use the latest tagged image.
The Docker Hub build service has a build feature to automatically rebuild when any specified image's are updated in the hub.
use the —no-cache option during docker build if you need latest released base images else docker will always use the image available locally unless you do a cleanup post docker build
yes. (internally it uses IMAGE ID, not the name, to refer base images)
IIRC not smart by default. (there is a --pull switch in docker build )

Docker: How to prevent the use of latest image from docker registry?

I was using centos image from https://registry.hub.docker.com/u/blalor/centos/
For some reason Blalor decided to remove passwd from the list of packages installed on the base image and my dockers stopped working on new deployments. Why does not docker know the build which was used for my dockers? I have had to change my base images now and change every server's docker image.
I could not use the tag feature because there is the tagging for the blalor's images? Do I have to use the source code and host the centos image myself so that it does not change again?
You do not need to use sources. If you have a working image, you can do docker history <your image> to see the image ID that was used and tag the proper one into shortfellow/centos. If you do not have a working image, on the link you provided, there is a build detail section with the history of build. You can see that on January 13th, 2014, it has been built and the image then was a531daec9f98. You can do FROM a531daec9f98 on your dockerfile to make sure it will never change or you can docker tag a531daec9f98 shortfellow/centos (you will need to docker pull a531daec9f98 before).
It is very similar to git in a sense that if you are using someone's repository, and if that someone does not use tags or branches, when he updates his reposiroty and you re pull, you will have the latest version with the new changes. In order to get back to the version you liked, you need to find the commit id. The solution would be to fork the repository. Which you can do on Docker by tagging the image under you username and pushing to a registry (docker push username/image)

Resources