
Pulling Images by Digest

Explore how Docker image digests provide a secure, immutable way to pull and manage images. Understand the risks of mutable tags and how content hashes help ensure exact image versions in your containers.

The problem with tags

So far, we’ve seen how to pull and work with images using names (tags). While this is the most common method, it has a problem: tags are mutable. This means it’s possible to tag an image incorrectly or give a new image the same tag as an older one. An extremely common example is the latest tag. For example, pulling alpine:latest today will not pull the same image that the same tag pulled a year ago.
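One way to find where a deployment depends on mutable tags, as an added example that is not part of the original course material: a small Python check that parses image references and reports every one not pinned to a content digest. The function names, the sample references and the digest value are constructed for illustration, and the check assumes sha256 digests only.

```python
import re

# A sha256 content digest as it appears in an image reference.
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")

# Constructed placeholder digest, not the digest of any real image.
SAMPLE_DIGEST = "sha256:" + "ab" * 32

def parse_reference(ref):
    """Split an image reference into (repository, tag, digest).

    Only a colon after the last '/' separates a tag, so a registry
    port such as registry.example:5000 is not mistaken for one.
    """
    name, _, digest = ref.partition("@")
    last_slash = name.rfind("/")
    colon = name.rfind(":")
    if colon > last_slash:
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None

def classify(ref):
    """Return 'pinned', 'bad-digest', 'implicit-latest' or 'mutable-tag'."""
    _, tag, digest = parse_reference(ref)
    if digest is not None:
        # A digest takes precedence over any tag in the same reference.
        return "pinned" if DIGEST_RE.fullmatch(digest) else "bad-digest"
    if tag is None:
        return "implicit-latest"  # no tag given: the client assumes :latest
    return "mutable-tag"

def audit(refs):
    """Return (reference, status) for every reference not pinned by digest."""
    results = [(ref, classify(ref)) for ref in refs]
    return [(ref, status) for ref, status in results if status != "pinned"]

# Constructed sample input, e.g. image fields collected from manifests.
SAMPLE_REFS = [
    "alpine:latest",
    "alpine",
    "registry.example:5000/team/app:1.5",
    "registry.example:5000/team/app",
    "alpine@" + SAMPLE_DIGEST,
    "alpine:3.19@" + SAMPLE_DIGEST,
    "alpine@sha256:deadbeef",  # truncated digest, rejected
]

if __name__ == "__main__":
    for ref, status in audit(SAMPLE_REFS):
        print(f"{status:16} {ref}")
```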

Example

Let’s consider a quick example outlining one potential implication of trusting mutable tags. Imagine we have an image called golftrack:1.5, and we get a warning that it has a critical vulnerability. We build a new image containing the fix and push the new image to the same repository with the same tag. Take a moment to consider what just happened and the implications.

We have an image called golftrack:1.5 that’s being used by lots ...