Use 'stable' tag for Docker images

By Dashamir Hoxha @dashohoxha 2021-03-26 09:31:28.127Z

Sorry for writing in the forum. I would prefer to open an issue on GitHub, but they are disabled for your project.

I see that in docker-compose.yml you use ${VERSION_TAG} heavily, for example: https://github.com/debiki/talkyard-prod-one/blob/master/docker-compose.yml#L19

Why not use the tag stable instead, or something like this? Then you can move the stable tag to the latest stable version of the image in your docker repo, and docker-compose will pick the latest stable version.

Updating could be as simple as this: docker-compose build --pull

Of course, I don't know all the details and intricacies of your project and it is quite possible that I could be missing something important.

  1. KajMagnus @KajMagnus 2021-03-29 15:07:08.287Z

    Thanks for suggesting this idea. Actually currently I think I don't want to do this, some problems:

    It's harder to revert to a previous version — it's harder to know which version was running, previously, when they both had the same "stable" tag.

    More ways to install and upgrade, adds some extra work for me, when people ask for help. I'd need to ask how they do when upgrading Talkyard: do they use the standard installation & upgrade scripts, or do they pull the latest "stable" images?

    In the future: Hashes, no tags?

    In the future, what's on my mind is to stop using tags, and instead use SHA256 hashes to identify the correct images, combined with reproducible builds. — This is good for security.

    But then allowing people to rely on the "stable" tag now, when the long term plan is to abandon Docker image tags, could cause confusion. (Everyone's custom made scripts would need to get rewritten, and quite a lot, some time in the future.)

    1. Dashamir Hoxha @dashohoxha 2021-03-29 15:47:04.849Z

      Maybe you are right. I am maintaining a NextCloud instance and got the idea from them: https://hub.docker.com/_/nextcloud
      The tag stable is floating from one version to the next, as it becomes stable. It has worked pretty well for me. I run the update command, and if there is a new version labeled as stable, it is downloaded and the container is rebuilt.

      There was a problem with the last stable version, so I pulled the image of a previous version, labeled it locally as stable, and started the container with the old image. This was kind of reverting to a previous version and it was very smooth and easy. I don't even know how to contact the support of NextCloud.

      Maybe your project has its own specifics, but I would suggest looking at what other projects are doing, before trying to invent your own mechanics of upgrading and reverting.

      1. KajMagnus @KajMagnus 2021-03-31 14:26:40.782Z

        > I pulled the image of a previous version, labeled it locally as stable, and started the container with the old image

        Yes, and, well, you're an unusual person in that you write your own Docker-Scripts :- )
        I'd guess 50–90%? of those who use Docker would find doing that a bit complicated, and would want a bit of help.

        Hmm, at the same time, people would probably need help with following Ty's own less-standard up/downgrade instructions.

        > The tag stable is floating from one version to the next, as it becomes stable. It has worked pretty well for me.

        Yes I think this works well, me too. At the same time, when pulling the latest stable tag, one cannot be sure that the image(s) one then downloads, are the exact same ones, as the ones from the CI build server. Meaning, the supply chain attack risk, is a little bit higher. (Hence, long term plans: SHA256 hashes instead)
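
The difference discussed in this thread between a floating tag, a version tag and a SHA256 digest can be checked mechanically. The following is an added example, not code from the thread or from the Talkyard project: a Python check that reports which `image:` references in a compose file are pinned by digest. The compose text, image names, placeholder digest and the list of floating tag names are constructed assumptions.

```python
import re

# Constructed sample for illustration; not the project's real docker-compose.yml.
SAMPLE_COMPOSE = """\
services:
  web:
    image: example/forum-web:${VERSION_TAG}
  app:
    image: example/forum-app:stable
  cache:
    image: localhost:5000/forum-cache
  search:
    image: example/forum-search:v0.2021.04
  db:
    image: example/forum-db:v0.2021.04@sha256:%s
""" % ("ab" * 32)  # placeholder digest, not a real image

IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)", re.M)
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
FLOATING = {"latest", "stable", "edge", "main", "master"}  # assumed list

def classify(ref):
    """Classify one image reference: digest, variable, floating or version-tag."""
    if DIGEST.search(ref):
        return "digest"  # content-addressed: a moved tag cannot change what is pulled
    name = ref.split("@", 1)[0]
    last = name.rsplit("/", 1)[-1]  # a tag follows the last path component only,
    tag = last.split(":", 1)[1] if ":" in last else "latest"  # so host:5000/x has none
    if "$" in tag:
        return "variable"  # resolved from the environment at deploy time
    return "floating" if tag in FLOATING else "version-tag"

def audit(compose_text):
    """Map every image reference found in the compose text to its classification."""
    return {ref: classify(ref) for ref in IMAGE_LINE.findall(compose_text)}

def unpinned(compose_text):
    """Return the references that are not pinned by a full SHA256 digest."""
    return sorted(r for r, kind in audit(compose_text).items() if kind != "digest")

if __name__ == "__main__":
    for ref, kind in audit(SAMPLE_COMPOSE).items():
        print(f"{kind:12} {ref}")
```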