
Docker Hub Immutable Image Tags Natively

Open ingshtrom opened this issue 5 years ago • 6 comments

Tell us about your request
I would like Docker Hub to support immutable image tags. I don't want unintended changes to be introduced when I make a different change to my image.

Let's look at an example:

If I have a Dockerfile that looks like this...

FROM fluentd:v1.9.1-1.0
RUN <some_custom_configuration>

and I make a change like this...

FROM fluentd:v1.9.1-1.0
- RUN <some_custom_configuration>
+ RUN <some_custom_configuration> \
+   && echo "Docker is rad"

I'm relying on the author of library/fluentd:v1.9.1-1.0 to NOT modify the existing tag. If they do and I don't realize it (this is very easy to miss) then I have more changes introduced into my environment than I expected.

Which service(s) is this request for?
Docker Hub

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I'm trying to avoid unintentional changes into our team's production environment and avoid having to put digest SHAs in our Dockerfiles along with comments that match the digest SHA.

Are you currently working around the issue?
We can work around this by providing a digest SHA in the Dockerfile, but now how do you know what version of the image it is that you are basing your container image off of? You have to use that digest SHA and reverse look up the image tag somewhere? (Honestly, I'm not sure if this is possible in Docker Hub or from the engine already.)

-FROM fluentd:v1.9.1-1.0
+ # NOTE: this is from `fluentd:v1.9.1-1.0`
+FROM fluentd@sha256:af335887b3a1c7f23b2d54aba84a7c4e0cddd50e70d18ee5a4feb281133bf608
RUN <some_custom_configuration> \
  && echo "Docker is rad"
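Review bot: the `# NOTE:` comment and the `@sha256:` digest on the following line are two separate pieces of text that can drift apart when one is updated without the other; the engine also accepts `FROM fluentd:v1.9.1-1.0@sha256:af335887b3a1c7f23b2d54aba84a7c4e0cddd50e70d18ee5a4feb281133bf608` as a single reference, where the digest is what gets pulled and the tag stays as a readable label, so the same information can live on the one line the engine actually checks.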

Additional context
Add any other context or screenshots about the feature request here.

ingshtrom, May 04 '20 20:05

+1

tlvu, Oct 06 '20 17:10

Not that it really resolves the underlying request (which, I want the ability to specify immutable tags in my Docker Hub repo, so +1 on the request), but you can specify tags with SHA sums. They're fluff, they have no effect, but they can make things a bit more self-documenting.

FROM fluentd:v1.9.1-1.0@sha256:af335887b3a1c7f23b2d54aba84a7c4e0cddd50e70d18ee5a4feb281133bf608

mariadb-JeffBachtel, Oct 07 '20 15:10
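The digest-pinning workaround from the issue body and the `tag@sha256` form in the comment above, as an added example that is not part of this issue or of Docker's own tooling: a small Python check that flags tag-only FROM lines in a Dockerfile (a CI gate against mutable base images) and rewrites them into the `image:tag@sha256:...` form so the tag stays readable while the engine pulls by digest. The sample Dockerfile and the digest map are constructed values; in practice the digests would come from a registry lookup.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample Dockerfile: a tag-only stage, a stage already pinned with a
# placeholder digest, and a stage that references an earlier build stage.
SAMPLE_DOCKERFILE = """\
FROM fluentd:v1.9.1-1.0 AS base
RUN echo "Docker is rad"
FROM alpine:3.18@sha256:0000000000000000000000000000000000000000000000000000000000000000
COPY --from=base /fluentd /fluentd
"""

# FROM [--platform=...] <ref> [AS <stage>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$",
    re.IGNORECASE,
)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_from_refs(dockerfile: str) -> List[Tuple[int, str]]:
    """Return (line_number, image_reference) for every FROM instruction."""
    refs = []
    for n, line in enumerate(dockerfile.splitlines(), 1):
        m = FROM_RE.match(line)
        if m:
            refs.append((n, m.group("ref")))
    return refs


def unpinned_refs(dockerfile: str) -> List[Tuple[int, str]]:
    """Base images resolved by mutable tag only, i.e. without an @sha256 digest."""
    return [(n, ref) for n, ref in parse_from_refs(dockerfile)
            if not DIGEST_RE.search(ref)]


def pin_dockerfile(dockerfile: str, digests: Dict[str, str]) -> str:
    """Rewrite tag-only FROM refs to 'image:tag@sha256:...'.

    `digests` maps 'image:tag' -> 'sha256:<hex>' (constructed here; normally
    obtained from the registry). Refs not in the map, such as earlier build
    stages, are left untouched."""
    out = []
    for line in dockerfile.splitlines():
        m = FROM_RE.match(line)
        ref = m.group("ref") if m else None
        if ref and not DIGEST_RE.search(ref) and ref in digests:
            line = line.replace(ref, f"{ref}@{digests[ref]}", 1)
        out.append(line)
    return "\n".join(out) + "\n"
```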

We've had several incidents of overwriting production images with test images. This cannot be prevented in build scripts, because anyone with push access (which is needed to publish images) can do this. It would be amazing to have protected tags in a similar way to GitHub's protected branches, or even better, like Git's annotated (immutable) tags.

alexec, Dec 29 '20 20:12

Having an existing image tag overridable is a huge security risk.

Someone can set up an auto-build repo, perform the auto build to claim the image is from inoffensive code, then override the image built by the auto build with a malicious image.

The user is fooled into thinking the malicious image is from the auto build, which was originally from the inoffensive code.

tlvu, Dec 31 '20 16:12

+1

hlalli, Sep 06 '22 18:09

+1

matheuscscp, Dec 31 '23 11:12