3

Let's say I'm maintaining a piece of software that I version following the semver spec. I am also maintaining a docker image for said software, tagged with version tags.

What do I do if I need to publish an updated docker image even though the underlying software hasn't change? Maybe there is a security issue in the base image I use, and I need to bump its version in all older docker images. Or perhaps there just is something wrong with the docker image itself, that I need to fix.

Let's say there's an issue with the image myapp:1.5.2. I can see a these options:

  1. I bump the patch version of of the docker image, but not the underlying software. Suddenly the patch version numbers are out of sync - myapp:1.5.3 will be running MyApp 1.5.2.

  2. I create a "fake" release of the underlying software, just so I have an opportunity to publish a new docker image. I now have a release of MyApp 1.5.3 that is exactly identical to MyApp 1.5.2, just that it comes in a different docker image tagged 1.5.3.

  3. I quietly just push a new version of the image to the hub, overwriting the old myapp:1:5:2. Even though MyApp is still following semver, the docker image for MyApp is not since it's been modified after its release.

  4. Something completely different?

What is best practice here? Does it make any difference if the Dockerfile is hosted in the same repo as the software or not?

jonrsharpe
1,3142 gold badges12 silver badges19 bronze badges
asked Aug 30, 2019 at 10:40

1 Answer 1

3

What you're describing is referred to as a "servicing release" in this blog post, "Docker Tagging: Best practices for tagging and versioning docker images" by Steve Lasker. As it sounds like you're using a stable tagging approach, changes to the image containing the same version of the software should use the same tag, as illustrated in the same post:

Diagram showing changing tag and digest over time

In your case, that's option 3; push a new version over an existing tag. Anyone using myapp:1.5.2 (or :latest, or :1 or :1.5 if you have those tags too) will get the updated container next time they pull, but the actual app still has the features they expected. If there are specific problems, they can still use the digest of the earlier release to pin a specific build.

answered Aug 30, 2019 at 11:07
2
  • 2
    SemVer also has the concept of build metadata added with a hyphen. You could have 1.5.2-2019年08月30日 as an additional tag denoting today's build, or you could simply have sequential build numbers. In any case, the most recent image with version 1.5.2 of the app should have that as a tag. Commented Aug 30, 2019 at 11:48
  • @Hans-MartinMosner true, I've also seen it done like <app version>-<base image version>. Commented Aug 30, 2019 at 12:43

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.