FROM dockerimage:latest pulls wrong image - docker

I have a client-web/base image I build using gitlab ci pipeline:
latest c4fba30df 204.03 MiB 6 days ago
version_2 c4fba30df 204.03 MiB 6 days ago
version_1 7904a77c0 153.69 MiB 2 months ago
these are the images in my docker repository: as you can see, the image with tag latest, is actually the latest image, having the same image id (c4fba30df) as the image with tag version_2.
I build another image that is built on top of base image:
FROM gitlab.faccousa.net:4567/faccos/client-web/base:latest
...
...
...
Yesterday, I built the above image file and it looks like it happened the following:
Step 1/6 : FROM gitlab.faccousa.net:4567/faccos/client-web/base:latest
---> 7904a77c0
But 7904a77c0 is the version_1, so the older image id.
Am I doing something wrong with the latest tag?
I know latest is misused by many people, but in this case I feel I have a CI the always builds my base image and tags it twice with:
actual tag
latest tag

When you docker run an image, or if a Dockerfile is built FROM an image, and Docker thinks it already has the image locally, it will use the image it already has. In your case, since you already have a ...:latest version, Docker just uses it; it doesn't ever check that there might be a different version of the image with the same tag elsewhere.
The most reliable approach to this is to never use the :latest tag anywhere:
FROM gitlab.faccousa.net:4567/faccos/client-web/base:version_2
If you have a lot of dependent images and the base image changes at all regularly, though, maintaining this can become a hassle.
Another option is to tell docker build to try to --pull the base image every time
docker build --pull -t ... .
with the downsides that this build will fail if the remote repository is unavailable, and builds will take somewhat longer even if the base image hasn't changed.

does base is your project name?
gitlab.example.com:port/user/projectname:latest
here's the full guide
its normal that your version_2 and latest have the same image id

Related

How do I get the last push of an image with the x.x tag if I already have an old push of an x.x image?

In 2019, I made a pull image of Python 3.6. After that, I was sure that the image was self-updating (I did not use it actively, I just hoped that the latest pushes themselves were pulled from the repository or something like that), but I was surprised when I accidentally noticed the download/creation date is 2019.
Q: How does image pull work? Are there flags so that the layer hash/its relevance* is checked every time the image is built? Perhaps there is a way to set this check through the docker daemon config file? Or do I have to delete the base image every time to get a new image?
What I want: So that every time I build my images, the base image is checked for the last push (publication of image) in the docker hub repository.
Note: I'm talking about images with an identical tag. Also, I'm not afraid to re-build my images, there is no purpose to preserve them.
Thanks.
You need to explicitly docker pull the image to get updates. For your custom images, there are docker build --pull and docker-compose build --pull options that will pull the base image (though there is not a "pull" option for docker-compose up --build).
Without this, Docker will never check for updates for an image it already has. If your Dockerfile starts FROM python:3.6 and you already have a local image with that name and tag, Docker just uses it without contacting Docker Hub. If you don't have it then Docker will pull it, once, and then you'll have it locally.
The other thing to watch for is that the updates do eventually stop. If you look at the Docker Hub python image page you'll notice that there are no longer rebuilds for Python 3.5. If you pin to a very specific patch version, the automated builds generally only build the latest patch version for each supported minor version; if your image is FROM python:3.6.11 it will never get updates because 3.6.12 is the latest 3.6.x version.

how to keep docker images if pulling newer image

I'm using some docker images, which I have pulled from a registry:
docker pull registry.example.com/project/backend:latest
docker pull registry.example.com/project/frontend:latest
Now there is a new version on the server registry. If I do a new pull, I will overwrite the current images. But I need to keep the current working images in case I do get some problems with the newest latest images.
So, how do I create a kind of backup of my running backend:latest and frontend:latest? After that I can pull the latest latest image and in case I need to, I can use the old working images...
To keep the current image on your local environment you can use docker tag
docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]
For example:
docker tag registry.example.com/project/backend:latest registry.example.com/project/backend:backup
Then when you pull the latest, the registry.example.com/project/backend:backup still existing
Pulling an image never deletes an existing image. However, if you have an image with the same name, the old image will become unnamed, and you'll have to refer to it by its image ID.
You've now seen the downside to using :latest tags. This is why it is better to reference an image by a specific version tag that the maintainer won't re-push.
First, you shouldn't be using latest in production environments. Rather define a tag you confirmed working.
And instead of executing stuff in an image to set it up, you should write a Dockerfile and make the installation repeatable and create your local image. That's actually one of the main reasons why docker is used.

What happens when the base image of my image gets updated?

I have images based on microsoft/aspnet:4.6.2, when those (my) images were built, the microsoft/aspnet:4.6.2 was pulled down in order to build my own image. So, in my local computer I have the microsoft/aspnet:4.6.2 image. Let's say the base image gets updated, Microsoft finds a bug with the image and decided to make a fix maintaining the tag, so it's still called microsoft/aspnet:4.6.2 but it actually is a different image than it was when I built my own.
So I have two questions:
1. Everytime my image gets pulled down, it will get the base image as it was when I built my image, right? (it seems obvious but I need to check)
2. If I notice (web hook, trigger?) there's a newer version of microsoft/aspnet:4.6.2 can I just run the docker build command again and the newer image would get pulled down? Keep in mind the old base image is in my file system (called the same). Is Docker smart enough to realize that I have an older version of that base image and it'll download the latest version of it?
Hope I made myself clear
Your image, as downloaded by someone, will always remain the same. An image relies on specific layers to give the image it's SHA256 checksum. Modifying parent layers would modify the checksum used to reference the image, so that would become a new image. The only way for that image to change is if the image is referenced by a tag and the local tag changes, either manually or by pulling the image tag again.
docker build will use the a local image first by default. You either need to run docker build --pull, separately docker pull or docker rmi IMAGE for the build to use the latest tagged image.
The Docker Hub build service has a build feature to automatically rebuild when any specified image's are updated in the hub.
use the —no-cache option during docker build if you need latest released base images else docker will always use the image available locally unless you do a cleanup post docker build
yes. (internally it uses IMAGE ID, not the name, to refer base images)
IIRC not smart by default. (there is a --pull switch in docker build )

How to find out about docker image updates via commandline

I use Docker 17.04.0-ce on Ubuntu 16.04.
Some month ago I pulled the docker image »busybox« using »docker pull busybox«. By default docker will use the »latest« tag for this.
When I list all available images it will list this image with a tag and ID:
> docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest 7968321274dc 3 months ago 1.11MB
As far as I know the tag »latest« may be treated the same as »master« in Git. So I would like to know: did something change since I pulled this image the last time? Is my local »latest« version up to date with the »latest« version on Docker Hub?
To use the git comparison again: Git would tell me that my local branch is behind the remote branch by »x« commits.
I tried docker search busybox, but this does not show any information like tags or creation date.
Question 1: How do I find out about newer docker images via commandline?
Question 2: How can I list all tags of an repository via commandline?
PS: On Docker Hub I can see all tags of the »busybox« repo and that the »latest« tag was updated/created „1 month ago“: https://hub.docker.com/r/library/busybox/tags/
Tag Name Compressed Size Last Updated
latest 678 KB a month ago
So there indeed is a difference to my local image, which was created „3 months ago“. The only way to tell the difference seems to be the date however.

How can I see Dockerfile for each docker image?

I have the following docker images.
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest 48b5124b2768 2 months ago 1.84 kB
docker/whalesay latest 6b362a9f73eb 22 months ago 247 MB
Is there a way I can see the Dockerfile of each docker image on my local system?
The answer at Where to see the Dockerfile for a docker image? does not help me because it does not exactly show the Dockerfile but the commands run to create the image. I want the Dockerfile itself.
As far as I know, no, you can't. Because a Dockerfile is used for building the image, it is not packed with the image itself. That means you should reverse engineer it. You can use docker inspect on an image or container, thus getting some insight and a feel of how it is configured. The layers an image are also visible, since you pull them when you pull a specific image, so that is also no secret.
However, you can usually see the Dockerfile in the repository of the image itself on Dockerhub. I can't say most repositories have Dockerfiles attached, but the most of the repositories I seen do have it.
Different repository maintainers may opt for different ways to document the Dockerfiles. You can see the Dockerfile tab on the repository page if automatic builds are set up. But when multiple parallel versions are available (like for Ubuntu), maintainers usually opt to put links the Dockerfiles for different versions in the description. If you take a look here: https://hub.docker.com/_/ubuntu/, under the "Supported tags" (again, for Ubuntu), you can see there are links to multiple Dockerfiles, for each respective Ubuntu version.
As the images are downloaded directly from the Dockerhub, only the image is pulled from the docker hub into your machine. If you want to see the dockerfile, then you can go to docker hub and type the image name and version name in the tag format (e.g ubuntu:14.04) this will open the image along with Docker file details. Also keep in mind, only if the owner of the image shared their Dockerfile, you can see it. Otherwise not. Most official images will not provide you with Dockerfile.
Hope it helps!
You can also regenerate the dockerfile from an image or use the docker history <image name> command to see what is inside.
check this: Link to answer
TL;DR
So if you have a docker image that was built by a dockerfile, you can recover this information (All except from the original FROM command, which is important, I’ll grant that. But you can often guess it, especially by entering the container and asking “What os are you?”). However, the maker of the image could have manual steps that you’d never know about anyways, plus they COULD just export an image, and re-import it and there would be no intermediate images at that point.
One approach could be to save the image in a image.tar file. Next extract the file and try to explore if you can find Dockerfile in any of the layer directories.
docker image save -o hello.tar hello-world
This will output a hello.tar file.
hello.tar is the compressed output image file and hello-world is the name of the image you are saving.
After that, extract the compressed file and explore the image layer directories. You may find Dockerfile in one of the directories.
However, there is one thing to note, if the image was built while ignoring the Dockerfile in the .dockerignore. Then you will not find the Dockerfile by this approach.

Resources