Proposal: add explicit "--pull" flag to "docker run" for controlling image pulling behavior

[tianon]

Description

This is a bit of a combination of #10693 and #13331 (and was discussed briefly during the maintainer meeting today with @thaJeztah and @cpuguy83, where we determined that we ought to have a new, clean proposal).

The TL;DR of the problem is that currently, the Docker CLI will automatically perform a docker pull if the image does not exist, and will not ever perform a pull if the specified image does exist. This is especially irritating because docker build has a --pull flag which will always-pull, and docker service (and friends) will do digest-resolution, which results in the same general effect as doing a pull-before-run (although in a cluster-wide deterministic way).

Use Cases

We discussed a few use cases, and in the context of docker run, there are three main use cases that we feel would be useful to accommodate:

1. pull if missing (current behavior, likely what users expect at this point, and necessary for backwards compatibility anyhow)
2. do not pull (useful for systems where "pulling" is something that administrators often want tight control over to ensure they don't ever run an image from an unexpected source, or as an atomic "run-if-available-but-not-otherwise" which is complicated to get right without something like this)
3. always pull (just like service update, etc -- usefulness here speaks for itself)

Proposed Solution

What we discussed is a new --pull flag on docker run, but with a tri-state instead of a simple boolean like docker build's (perhaps choosing a new name so that docker build can grow the new flag and eventually phase out --pull as well?):

1. --pull=missing
2. --pull=never
3. --pull=always

Since this pulling behavior isn't currently part of the API, this should be reasonably simple to implement, and would be a CLI-only feature (just like the existing pulling behavior is).

There is some precedent for this with docker stack deploy's --resolve-image flag, which is one of always, changed, or never. We also discussed the possibility of doing digest resolution during docker run (as docker service does), but determined that it's likely going to be too big of a surprise for users to take that leap as well (since then the digest ends up in the container metadata, where users are likely already fairly used to doing things like docker run some-image:some-version and then docker ps | grep some-image:some-version, or similar).

Picture of a Cute Animal

[thaJeztah]

Thanks!

/cc @endophage @stevvooe

[stevvooe]

Note that docker service create has this:

 --no-resolve-image                   Do not query the registry to resolve image digest and supported platforms

It would be good to get these consistent, something like pull-policy that is neatly contained.

[endophage]

Conceptually this seems entirely reasonable.

[ldano]

+1 on a docker run --pull function to give us the latest image regardless if the image name is the same.

[NabilZaman]

Has there been further discussion on this or reason it hasn't moved forward? Is there a specific fear among maintainers that this proposal doesn't address?

[ldano]

Hi Nabil, +Eco No movement on Moby as far as I know. Was there a specific need? Thanks, Leo Sent from my Verizon, Samsung Galaxy smartphone

…

-------- Original message -------- From: Nabil Zaman <notifications@github.com> Date: 3/19/18 9:11 PM (GMT-08:00) To: moby/moby <moby@noreply.github.com> Cc: Leo Dano <ldano@qualcomm.com>, Comment <comment@noreply.github.com> Subject: Re: [moby/moby] Proposal: add explicit "--pull" flag to "docker run" for controlling image pulling behavior (#34394) Has there been further discussion on this or reason it hasn't moved forward? Is there a specific fear among maintainers that this proposal doesn't address? - You are receiving this because you commented. Reply to this email directly, view it on GitHub<#34394 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AHFmdvtUaw3o_QvpWTbckUxv3EEzQ95iks5tgIF3gaJpZM4Os9Mk>.

[NabilZaman]

Hey Leo, I don't have any needs/use-cases that haven't been brought up in linked issue #13331. But I thought the case for this feature was justified there. I was interested in catching up on where this proposal stood.

[jhoblitt]

I tend to smack into the lack of a --pull flag on docker run as I periodically forget that it does not exist but expect run's behavior to be roughly symmetric with docker build. This can be fairly frustrating under some workflows. An example would be wanting to run from a CI constructed docker image using a generic tag, such as latest. (Yes, I could use a pull+run shell alias but then it wouldn't be present under all scenarios, such as one-off testing on a EC2 instance)

[galindro]

@thaJeztah is this feature included in the current roadmap?