The basics An exemplary docker image has the following 3 parts: Name (required, user-specified at build time) Tag (optional, user-specified at build time) Digest (automatically generated at build time) Pull an image using name Examples: docker pull golang

docker pull yugabytedb/yugabyte

docker pull quay.io/keycloak/keycloak-x When an image is pulled using only the name, the image tagged is pulled. If there is no image with the tag , then no image will be pulled. latest latest Pull an image using name:tag Examples: docker pull golang:latest

docker pull golang:1.17.1

docker pull yugabytedb/yugabyte:latest

docker pull yugabytedb/yugabyte:2.9.0.0-b4

docker pull quay.io/keycloak/keycloak-x:latest

docker pull quay.io/keycloak/keycloak-x:15.0.2 An image like is available for multiple os/arch, example: , , etc. In such cases, docker automatically pulls the appropriate image for the os/arch the pull command is run on. golang windows/amd64 linux/amd64 Use this command to view os/arch’s of an image: docker manifest inspect --verbose golang:1.17.1

# sample output
[
  {
    "Ref": "docker.io/library/golang:1.17.1@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
    "Descriptor": {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
      "size": 1796,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    .
    .
    . A common thing that happens with a tag is that it could be reused. For example an image pulled using today may be completely different from an image pulled in 6 months. golang:latest Tags that look like version numbers can have the same behavior. There is no guarantee that an image pulled using today (on say ) will be the same when pulled 6 months later (again on ). golang:1.17.1 linux/amd64 linux/amd64 Caution needs to be exercised in production environments when pulling an image using the tag since it makes rollbacks harder. latest Pulling an image using name@sha256:digest A digest is an id that is automatically created during build time and cannot be changed (immutable). When an image is pulled using a digest, a will download the same image every time on any os/arch. This is called image pinning. docker pull First, determine the image you wish to use. Then get the digest as follows: name:tag docker manifest inspect --verbose golang:1.17.1

# sample output
[
  {
    "Ref": "docker.io/library/golang:1.17.1@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
    "Descriptor": {
      "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "digest": "sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a",
      "size": 1796,
      "platform": {
        "architecture": "amd64",
        "os": "linux"
      }
    },
    .
    .
    .

docker manifest inspect --verbose yugabytedb/yugabyte:2.9.0.0-b4

docker manifest inspect --verbose quay.io/keycloak/keycloak-x:15.0.2 The above command returns a JSON response. Look for the in the . digest Descriptor Examples: # golang 1.17.1 for linux/amd64
docker pull golang@sha256:232a180dbcbcfa7250917507f3827d88a9ae89bb1cdd8fe3ac4db7b764ebb25a

# yugabyte 2.9.0.0-b4 for linux/amd64
docker pull yugabytedb/yugabyte@sha256:974219f34a18afde9517b27f3b81403c3a08f6908cbf8d7b717097b93b11583d

# keycloak-x 15.0.2 for linux/amd64
docker pull quay.io/keycloak/keycloak-x@sha256:a6b7be1808b8443dde696c5f108be1cb6e7641d6b281ef7598df012c1d6871f8 Note: Comments added above only for readability. So what should you use? Well, that depends on your use case. A general guideline that I use for my workflows is: Experimenting on your local machine? It’s ok to pull using or . name name:tag Building an image for production? Use to pull your base image(s). This ensures that the same final image is built on any machine. name@sha256:digest Deploying an image to a production environment? If the image was built by your team (or company), it’s ok to use where a tag represents a version number, for example . Avoid using the tag since it makes rollbacks harder. name:tag v21.10.1 latest If the image was built by your team (or company), use if possible. If you choose to use , be mindful that tags can be reused. Avoid using the tag since it makes rollbacks harder. not name@sha256:digest name:tag latest Quick Recap A docker image usually has 3 parts: name, tag, and digest. Images can be pulled using , or or . name name:tag name@sha256:digest Some images are multi-architecture images. Pulling a multi-architecture image using or will automatically download the appropriate image for the os/arch the pull command is run on. name name:tag Use to view os/arch’s of an image and to get the digest. docker manifest inspect --verbose <name:tag> Pull an image using to download the same image on any os/arch. name@sha256:digest Avoid using the tag in a product environment since it makes rollbacks hard. latest Thank you for taking the time to read this article. I hope the information here helps you with image pulls for your use cases and workflows.

2022 - HackerNoon Contributor of the Year - Docker

Read My Stories

Nominated for 2022 - HackerNoon Contributor of the Year - Docker

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Docker Images: Name Vs. Tag Vs. Digest

Too Long; Didn't Read

Company Mentioned

Vijay Savanth

About Author

TOPICS

Languages

THIS ARTICLE WAS FEATURED IN...

Docker Images: Name Vs. Tag Vs. Digest

Too Long; Didn't Read

Company Mentioned

Vijay Savanth

About Author

TOPICS

Languages

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES