34

I would like to always pull a specific version, rather than just the latest.

A random example: https://registry.hub.docker.com/u/aespinosa/jenkins/builds_history/9511/

I am doing this because I only want to deploy versions that I have audited. Is this currently possible? Or am I forced to fork them and make my own?

2
  • not sure if this will work, but have you tried docker pull <your build id>? Commented Aug 22, 2014 at 11:24
  • Yes, that doesn't work unfortunately Commented Aug 26, 2014 at 9:09

3 Answers

56

You can pull a specific image by digest by using the following syntax:

docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2

If you need to find the hash, it is output when pushing/pulling the image. Some automated builds output it at the end. I tried looking for the hash with docker inspect but it didn't appear to be there, so you'll have to delete the image and pull it again to view the hash.


3 Comments

Using docker ce 17.05, I'm able to retrieve digest from local image: docker images --digests
or docker image inspect --format='{{index .RepoDigests 0}}' $IMAGE for a specific image
For docker 20.10: docker inspect --format='{{.Image}}' $IMAGE
6

The way I do it is to tag each build

docker build -t $NAMESPACE/$APP_NAME:$SHA1 .
docker tag \
    $NAMESPACE/$APP_NAME:$SHA1 \
    $DOCKER_REGISTRY/$NAMESPACE/$APP_NAME:$SHA1
docker push $DOCKER_REGISTRY/$NAMESPACE/$APP_NAME:$SHA1

and then you pull the specific tag

docker pull $DOCKER_REGISTRY/$NAMESPACE/$APP_NAME:$SHA1

2 Comments

So looks like I'll have to keep a fork of my own
But tags are not immutable, how is this secure without immutability?
0

In addition to Joel's answer, you might want to verify the image exists on a specific Docker repo before trying to pull the image. The easiest way I know is using the Docker registry API. Make a simple HTTP GET request. Assemble the string like this -

FullURL = DomainAndPort + "/v2/" + imageName + "/blobs/sha256:" + imageHash;

An example request that works for me on our network repo -
http://10.10.9.84:5000/v2/hello-world/blobs/sha256:8089101ead9ce9b8c68d6859995c98108e1022c23beaa55754acb89d66fd3381

Entering that string into a Chrome browser returns a JSON object describing the image. If you enter an invalid sha256 hash then the API returns -

{"errors":[{"code":"DIGEST_INVALID","message":"provided digest did not match uploaded content","detail":{}}]}

For more details see "Pulling a Layer" in https://docs.docker.com/registry/spec/api/
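
The first answer pins by digest, and a comment on the second points out that tags are not immutable. As an added example (not part of any answer in this thread), the POSIX shell functions below gate a deployment on the reference being digest-pinned, on that digest being in an audited list, and on the manifest bytes hashing to it. The function names, the audited-digest file and the `registry.example` references are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names, the audited-digest
# file and the sample references are assumptions made for illustration.

# True only for NAME@sha256:<64 lowercase hex>; a tag (NAME:TAG) is rejected
# because a tag can later be pointed at different content.
is_digest_pinned() {
    case $1 in
        *[!A-Za-z0-9._:/@-]*) return 1 ;;  # whitespace, newlines, odd bytes
    esac
    printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Digest of a file's bytes in the registry's "sha256:<hex>" notation.
file_digest() {
    _sum=$(sha256sum < "$1") || return 1
    printf 'sha256:%s\n' "${_sum%% *}"
}

# check_image REF AUDITED_FILE MANIFEST_FILE
# 0 = ok, 1 = not pinned by digest, 2 = digest not in the audited list,
# 3 = manifest bytes do not hash to the pinned digest.
check_image() {
    is_digest_pinned "$1" || return 1
    _want=${1##*@}
    grep -qxF -- "$_want" "$2" || return 2
    [ "$(file_digest "$3")" = "$_want" ] || return 3
}

# Demo on constructed data (no registry or Docker daemon needed).
demo() {
    _dir=$(mktemp -d) || return 1
    printf '{"schemaVersion":2,"note":"constructed sample"}' > "$_dir/manifest.json"
    _d=$(file_digest "$_dir/manifest.json")
    printf '%s\n' "$_d" > "$_dir/audited.txt"
    for _ref in "registry.example:5000/team/app@$_d" "registry.example:5000/team/app:latest"; do
        _rc=0
        check_image "$_ref" "$_dir/audited.txt" "$_dir/manifest.json" || _rc=$?
        printf '%s -> %s\n' "$_ref" "$_rc"
    done
    rm -rf "$_dir"
}
demo
```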
