CODEWITHSUNDEEP
docker
DarthWader
DarthWader

Reputation: 1046

What happens when you push a new image with same old tag?

I am new to Docker.

I have containerized my Django app and it successfully runs on exposed ports when I run the container.

I want to know what happens when I update my app (make changes in code) and build the image again and tag it again 'latest' when I already have an image 'latest'? Does it replace the old image?

Upvotes: 6

Views: 7911

Answers (2)

Jess
Jess

Reputation: 3725

As mentioned in the Manifest digest section, pushing a modified image using an existing tag untags the previously pushed image, resulting in an orphaned (or "dangling") image. The previously pushed image's manifest--and its layer data--remains in the registry. Consider the following sequence of events:

  1. Push image acr-helloworld with tag latest: docker push myregistry.azurecr.io/acr-helloworld:latest

  2. Check manifests for repository acr-helloworld:

    Azure CLI

    az acr manifest list-metadata --name acr-helloworld --registry myregistry

    Output

    [
  {
    "digest": "sha256:d2bdc0c22d78cde155f53b4092111d7e13fe28ebf87a945f94b19c248000ceec",
    "tags": [
      "latest"
    ],
    "timestamp": "2018-07-11T21:32:21.1400513Z"
  }
]

  3. Modify acr-helloworld Dockerfile

  4. Push image acr-helloworld with tag latest: docker push myregistry.azurecr.io/acr-helloworld:latest

  5. Check manifests for repository acr-helloworld:

    Azure CLI

    az acr manifest list-metadata --name acr-helloworld --registry myregistry

    Output

    [
  {
 "architecture": "amd64",
 "changeableAttributes": {
   "deleteEnabled": true,
   "listEnabled": true,
   "quarantineDetails": "{\"state\":\"Scan Passed\",\"link\":\"https://aka.ms/test\",\"scanner\":\"Azure Security Monitoring-Qualys Scanner\",\"result\":{\"version\":\"2020-05-13T00:23:31.954Z\",\"summary\":[{\"severity\":\"High\",\"count\":2},{\"severity\":\"Medium\",\"count\":0},{\"severity\":\"Low\",\"count\":0}]}}",
   "quarantineState": "Passed",
   "readEnabled": true,
   "writeEnabled": true
 },
 "configMediaType": "application/vnd.docker.container.image.v1+json",
 "createdTime": "2020-05-16T04:25:14.3112885Z",
 "digest": "sha256:eef2ef471f9f9d01fd2ed81bd2492ddcbc0f281b0a6e4edb700fbf9025448388",
 "imageSize": 22906605,
 "lastUpdateTime": "2020-05-16T04:25:14.3112885Z",
 "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
 "os": "linux",
 "timestamp": "2020-05-16T04:25:14.3112885Z"
  }
]

The tags array is removed from meta-data when an image is untagged. This manifest still exists within the registry, along with any unique layer data that it references. To delete such orphaned images and their layer data, you must delete by manifest digest.

The article above is from Azure Container Registry.

Upvotes: 1

thaJeztah
thaJeztah

Reputation: 29077

The short answer: yes, the new tag "overwrites" the previous tag

The longer answer: tags work a bit similar to how tags work in Git; the tag references a specific version (a content-addressable digest) of an image, and can be updated to point to a different version.

When overwriting the tag, the old image itself isn't overwritten, but the tag is now pointing to the new version of the image you pushed. The old image can still be pulled (and run) if you reference it by its digest.

For example, when you pull the busybox:latest image, you see its digest printed after pulling:

docker pull busybox:latest

# 7c9d20b9b6cd: Pull complete 
# Digest: sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e
# Status: Downloaded newer image for busybox:latest
# docker.io/library/busybox:latest

So instead of the above, you could also pull the image by digest:

docker pull busybox@sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e

# sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e: Pulling from library/busybox
# Digest: sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e
# Status: Image is up to date for #busybox@sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e
# docker.io/library/busybox@sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e

While newer versions of the busybox:latest image may arrive on Docker Hub, you can still run the old versions if you know their digest;

docker run --rm busybox@sha256:fe301db49df08c384001ed752dff6d52b4305a73a7f608f21528048e8a08b51e echo 'hello from busybox'

# hello from busybox

Upvotes: 7

Related Questions