Introducing immutable tags #85

Closed
hgrattenthaler opened this issue Jul 15, 2022 · 7 comments
@hgrattenthaler

hgrattenthaler commented Jul 15, 2022

I would very much appreciate if this repository offered immutable tags (i.e. by date, as in other docker repositories), such that one can reference images in a stable way without fixing the platform. Or is there a smart alternative to avoid this (possibly cumbersome) practice? I cannot be the only one to require stability and multi-platform support.

@tianon
Member

tianon commented Jul 18, 2022

Unfortunately, none of the official images support immutable tags like you describe.

However, this is the exact use case for pull-by-digest, wherein you'll get exactly the same bits every time you pull, verified by a cryptographic sha256 digest. 😄

For example:

$ docker pull gcc:12.1.0@sha256:ef7e8180a14e95f6722c7bf41192d0b30ce3e3cde127cded5ae0dfaffc254309

(The "tag" in this command is ignored - I like to include it simply to help me remember where the digest came from and how to update it in the future.)

@hgrattenthaler
Author

Do you mean that Docker Official Images has a policy where this is forbidden? Isn't the repository maintained by you, personally? Thanks, I knew about digests, of course, although you had no way of knowing. The obvious issue with that is that you sacrifice multi-platform compatibility. I know one can work around that (under some limitations) using multi-stage builds, but this is simply impractical and imo should not be solved on the "puller" end anyway.

@yosifkit
Member

The digest can be the manifest list (aka image index) which then references all the platform-specific digests, but apparently it is not shown on the Docker hub UI (docker/roadmap#262) or via docker manifest inspect and so is not easy to find.

https://github.com/estesp/manifest-tool will show it:

$ docker run -it --rm mplatform/manifest-tool inspect gcc:11
Unable to find image 'mplatform/manifest-tool:latest' locally
latest: Pulling from mplatform/manifest-tool
6241eae99c3b: Pull complete 
4d9aece15e00: Pull complete 
Digest: sha256:4e019dd89c754f5e15b581b60b89287d0d2b38251dec233085cb063f740db970
Status: Downloaded newer image for mplatform/manifest-tool:latest
Name:   gcc:11 (Type: application/vnd.docker.distribution.manifest.list.v2+json)
Digest: sha256:a5226837fed4f8e8e297c058d01b22db04612a4e341689289bbdcdf6f9b85627   <<<<<<<---- manifest digest
 * Contains 6 manifest references:
[1]     Type: application/vnd.docker.distribution.manifest.v2+json
[1]   Digest: sha256:181b784eadc0cc36b073f61c30fe03fdce13790aabab41f1dc10422b0d5020fb
[1]   Length: 2216
[1] Platform:
[1]    -      OS: linux
[1]    -    Arch: amd64
[1] # Layers: 9
     layer 01: digest = sha256:d836772a1c1f9c4b1f280fb2a98ace30a4c4c87370f89aa092b35dfd9556278a
     layer 02: digest = sha256:66a9e63c657ad881997f5165c0826be395bfc064415876b9fbaae74bcb5dc721
     layer 03: digest = sha256:d1989b6e74cfdda1591b9dd23be47c5caeb002b7a151379361ec0c3f0e6d0e52
     layer 04: digest = sha256:c28818711e1ed38df107014a20127b41491b224d7aed8aa7066b55552d9600d2
     layer 05: digest = sha256:5084fa7ebd744165b15df008a9c14db7fc3d6af34cce64ba85bbaa348af594a3
     layer 06: digest = sha256:817a5f86fc464bacf7da258048cb04361531a06821e4aa995d4be7528db416cc
     layer 07: digest = sha256:a530cf723acdbdcdf632428b3e53879ed42114b21e9a408d660612e7fe8fff3c
     layer 08: digest = sha256:31635f9ec37daf2b42b819e536bff41226e4bea12b012b2c6826503e20f7dfbc
     layer 09: digest = sha256:fa31b681737208e9995b08e7250ace4d6672ba9e1c99dce6c25e99cd079c8f48

[2]     Type: application/vnd.docker.distribution.manifest.v2+json
[2]   Digest: sha256:fe66522fa905569147d483e7f8e1d765360b218c76be3098a4a392847e04f608
[2]   Length: 2215
[2] Platform:
[2]    -      OS: linux
[2]    -    Arch: arm
[2]    - Variant: v5
[2] # Layers: 9
     layer 01: digest = sha256:458c615f383e394cdb1d249caac254a3148895cc59ef0f317e0c342507c0a43e
     layer 02: digest = sha256:5d79ef49a3b907a2575e08477212bfbd57aca6b32371844cdce520dc7a2e688e
     layer 03: digest = sha256:b3cf6d68feaf378688713585399ee409bdef4481481b83d4896d6861cb380c90
     layer 04: digest = sha256:a7e72d965a8962ee5d2e575801caee59ea34cef71d8b95f502fc38b6c201c9f1
     layer 05: digest = sha256:fdcd88eaff219dbfcdb23531f2eafd976029dc72583a3f209631b1ff580652c0
     layer 06: digest = sha256:b09e6469a303dcd9e8dd0151495b9caf8cc08427b0ca50626c8ccd524621cd0e
     layer 07: digest = sha256:b55c24430cdfa2fa2c50e02d62930aab8b2d811f0ebfaf4b934ad0a410d2d5e9
     layer 08: digest = sha256:178248b6bb08b60de7fee0c1431a43fb0b809280f521c08d16be6ba95f1af809
     layer 09: digest = sha256:de4fe6da18112f3b94febecaafd770cb4d9962f2c14ce3500b51fa629278f2d3

[3]     Type: application/vnd.docker.distribution.manifest.v2+json
[3]   Digest: sha256:6371f8db7486a1699e6b7c01edbb709eb1646d78f15d5247f72bc9ba023872f1
[3]   Length: 2214
[3] Platform:
[3]    -      OS: linux
[3]    -    Arch: arm
[3]    - Variant: v7
[3] # Layers: 9
     layer 01: digest = sha256:a8a55ed160b9a554de2e46b828d606a0829d8d9f19c79bc47eddac683aeb2b91
     layer 02: digest = sha256:5042ae471fd57ff8851607bf0b66366fbd0a499a0ce088f1fb39c5a1caf4123e
     layer 03: digest = sha256:70da2acc639b7236796e6cb2a0b0e3a21e6f32f8a507bdbfb823a510caf8e75a
     layer 04: digest = sha256:34f084d2e4e20e27a866ad87c0a2098498eddc9f471988ea44068990b299a29c
     layer 05: digest = sha256:c906e18d849e9c3e642b6247a1dadc627d6902a581866ab147dc84e01b7e3ee1
     layer 06: digest = sha256:a2ed3188bcc310baaec405555a476c5f46e5ba57371799d9d613c814cc345cc9
     layer 07: digest = sha256:6c8a80f4571069c14c750a65215161a8c0d0334b8ac6dec2b8361679e3719768
     layer 08: digest = sha256:861df463738bedb9ca37ddd3a53f2875dd3aec245ea73f7c3f7592676f5c906d
     layer 09: digest = sha256:cc00b9e8f851b2039f7b493aa9f02f8e98b20ffdd34f19d5769762ed745a76c4

[4]     Type: application/vnd.docker.distribution.manifest.v2+json
[4]   Digest: sha256:29ad60334335ee0404990864647ff90ceb0a0df34bd77b91ef4b6c39e5af3360
[4]   Length: 2216
[4] Platform:
[4]    -      OS: linux
[4]    -    Arch: arm64
[4]    - Variant: v8
[4] # Layers: 9
     layer 01: digest = sha256:cfc947b533a3ed8b8ce79820c7fe5e7634bf9c08479ed0aee1e74ee7b4f2b068
     layer 02: digest = sha256:9ca36aa4204d2a708dcd1d41d1d4a128b095f8d88a2f9544f89799c36914e356
     layer 03: digest = sha256:1fdcd2014de70fbce8c43a70cd1f42bceab4f1e35953db987fc318dbc0fb0d26
     layer 04: digest = sha256:e288b20a616767a00416e22f7d8ee6390ba5b48061d92577f55bdb11121e6946
     layer 05: digest = sha256:9c814ed089439a4f3618519b0ae7ef02da9c1c3fc1535824d633ca1f76e78dbf
     layer 06: digest = sha256:ddc38eb8c93a04de743ef1f5885fb48bce857cbc736f3b34922c294848f8421f
     layer 07: digest = sha256:220d41203c1be6f607c6bb3346714b41d652dbb694b7feb58e588856fe7d68b3
     layer 08: digest = sha256:52ceec4a50f610ff74a6b4a30c2b9327a7b562751355aa2459d9743846e6863d
     layer 09: digest = sha256:724a220f3acef3cd5a851acd9eec158409eafc3a4798daa1f14052c0210aea4b

[5]     Type: application/vnd.docker.distribution.manifest.v2+json
[5]   Digest: sha256:98f2dc7ce0dd0f46d8b09cfc3d66981a1979a7a11af4f240145f922f150cb9ba
[5]   Length: 2216
[5] Platform:
[5]    -      OS: linux
[5]    -    Arch: ppc64le
[5] # Layers: 9
     layer 01: digest = sha256:6fb3da208bae11b3dc38c4ab84ad048c030a1da966740d02681a11866ba2230c
     layer 02: digest = sha256:9d2a30a7318ed1b186e7256f827804f771cea47e407c808c195652c113a8fa70
     layer 03: digest = sha256:47aa97483fc0d20d5f0cd3402c6024c5f7caf39032e7639cf722a5757a4d8db1
     layer 04: digest = sha256:6b1036d55d350bbc47910146e3b955674d10daf9ffb0eca5858cf3316f125392
     layer 05: digest = sha256:9039771dbccda63ba682623e69508431610cd9456ef4e4ac34ca45ec22341e83
     layer 06: digest = sha256:cb538da113215e2dab69de8b417bf56c0fd38db37c108673943129099429d828
     layer 07: digest = sha256:df23b8953993db4d613bd2cfed742193ca6e84d0425bbd2cf7d0082afdcca1a8
     layer 08: digest = sha256:91c5723d12d85e26be14bae717bc456f4f2293d4d5ffe7bf5b10833f5ec61685
     layer 09: digest = sha256:5608b366d8c431e1e16acb59d80e6a01a33e4ed78345a6b23a8eb26d3cfa3bd5

[6]     Type: application/vnd.docker.distribution.manifest.v2+json
[6]   Digest: sha256:1a351030d2357e5b1da03919e8a55b8decc37e550ea00cb5328357f7d649c182
[6]   Length: 2216
[6] Platform:
[6]    -      OS: linux
[6]    -    Arch: s390x
[6] # Layers: 9
     layer 01: digest = sha256:c8c4856949e70ae5ad889cfc6a747677ca43e6945c3d56e2d4e3ea5e17da91a2
     layer 02: digest = sha256:85304dce7d82a20f3528edaa2f642b51acaa7ad37bf801bff37fb58285e162d5
     layer 03: digest = sha256:b6cbadc5d6341427c002ee8974edf24880be07e7dc4f99c9007435edf337f950
     layer 04: digest = sha256:dd57258941e6f27be345136fea0ab731687b040d44631f55e4efcb475508b078
     layer 05: digest = sha256:9323fe7b03f8327e965ce25afaf756752dce8aadeedd53f4b1c220f6a412c48b
     layer 06: digest = sha256:01eb3312f0d1205b1593f31fb01203ff5bf2495a1e084cc08be669ef0f29e9a5
     layer 07: digest = sha256:aea6889962b0166c128413336d0094a9a4fe6e702b6c84f49a0c8822f9a285bf
     layer 08: digest = sha256:cff69f5cc6df7a3dae40bd79ec4b50b202223c1aa96d062e3a7f7b47c91a61a2
     layer 09: digest = sha256:df8189412d60674050fead531adbe35ef399d1fb29c38b597bf0721d14710f8d
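
Added example, not part of the original thread or of manifest-tool: a sketch of why pinning the manifest list digest keeps multi-platform support. The index is verified as the sha256 of its raw bytes, and each platform then resolves to its own child digest. The sample index and its child digests are constructed, and `build_sample_index` and `resolve` are hypothetical helper names.

```python
import hashlib
import json
from typing import Optional

LIST_TYPE = "application/vnd.docker.distribution.manifest.list.v2+json"
MANIFEST_TYPE = "application/vnd.docker.distribution.manifest.v2+json"

def digest_of(raw: bytes) -> str:
    """A manifest digest is the sha256 of the exact bytes the registry serves."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def build_sample_index() -> bytes:
    """Constructed manifest list; child digests are hashes of placeholder strings."""
    entries = []
    for arch, variant in [("amd64", None), ("arm", "v7"), ("arm64", "v8")]:
        platform = {"architecture": arch, "os": "linux"}
        if variant:
            platform["variant"] = variant
        child = digest_of(f"constructed manifest for {arch}".encode())
        entries.append({"mediaType": MANIFEST_TYPE, "size": 2216,
                        "digest": child, "platform": platform})
    doc = {"schemaVersion": 2, "mediaType": LIST_TYPE, "manifests": entries}
    return json.dumps(doc, indent=3).encode()

def resolve(index_raw: bytes, pinned: str, arch: str,
            variant: Optional[str] = None, os_name: str = "linux") -> str:
    """Check the index bytes against the pinned digest, then pick one platform."""
    actual = digest_of(index_raw)
    if actual != pinned:
        raise ValueError(f"index digest mismatch: pinned {pinned}, got {actual}")
    for entry in json.loads(index_raw)["manifests"]:
        p = entry["platform"]
        if (p["os"], p["architecture"]) != (os_name, arch):
            continue
        # Simplification: with no variant requested, the first os/arch match wins.
        if variant is None or p.get("variant") == variant:
            return entry["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch} in pinned index")

if __name__ == "__main__":
    raw = build_sample_index()
    pin = digest_of(raw)  # the one value a deployment would pin
    for arch, variant in [("amd64", None), ("arm64", "v8")]:
        print(arch, resolve(raw, pin, arch, variant))
```

Because the pinned digest covers the list of child digests, changing any platform entry changes the index digest and the check fails.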

@yosifkit
Member

As far as immutable tags, the official images are strictly designed not to be that way in order to provide periodically updated images (with available security fixes and other OS package updates). We rely on the manifest digests to provide users with immutable "snapshots".

@hgrattenthaler
Author

@yosifkit Thanks a ton, that's really helpful! I consider the problem solved as I don't see any responsibility on your end as maintainers of the gcc repo. Instead, I will wait for the docker roadmap issue you mentioned to be implemented. In the meantime, I'll use https://github.com/estesp/manifest-tool.

hgrattenthaler closed this as not planned Jul 19, 2022

@marcindulak

Probably to be reconsidered if dockerhub adds tags immutability docker/roadmap#85

@tianon
Member

tianon commented Oct 11, 2022

If you want an "immutable" deployment, that's what the content addressable image digests are designed for; see docker-library/official-images#12277 for some examples and additional discussion around that.
