Dockerfile Best Practice | How to Select Base Image Tag
Hello MVP Java Subscribers, today you're going to learn exactly how to specify your base image using Dockerfile best practices.
Always be as specific as possible when selecting a tag for your environments. The more specific you are, the better the guarantee that your Docker environment will be reproducible.
So what’s the problem we’re trying to solve?
What version do you think you're getting if you use OpenJDK's “:latest” image tag today? Maybe today the latest JDK is version 16, but what will it be tomorrow? If you re-run all your integration tests tomorrow, maybe it will be JDK 16.01, who knows?!
The environment can change and will keep changing as long as you use the “:latest” tag. You've lost the ability to fix your environment to a specific version. What if this new latest version introduced or exposed some bug or security flaw? Maybe your tests now start failing out of the blue and you're left scratching your head as to why.
The problem is that you fell under a false sense of security by thinking you were always running the same environment! The :latest tag is just a convenience. It’s fine for experimenting and learning but never OK for your real work environments.
Docker Image Tag | Be Specific as HELL!
Be as specific as possible and then more! So is tag “azul/zulu-openjdk-alpine:13” better? Only slightly! Why?
Maybe it's 13.0 and maybe it's 13.04; you can't be 100% sure. It really depends on the person who manually tagged it. Perhaps that someone didn't want to take the time to tag all the version numbers perfectly. What if next month, version 13.04 got tagged as 13.0 and that overrode the previous tag 13 you were using?
It's like when we accidentally or intentionally overwrite a file when copying. There is no guarantee you will get the exact same tag 13. So yes, it's better, but it's not perfect. What's the very best way?
I would even go further and use the image hash digest itself and use a comment to convey to the person reading the Dockerfile what the human readable tag is. Here is how you do it.
First, go to Docker Hub and open the page that has the tag you want. The digest value is shown there; it uniquely identifies that Docker image build.
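# The base image digest maps to tag :13-jre
# Docker Hub lists the short form 0566f725fbb9; a digest is pinned with @sha256: and the full value, not with ":"
FROM azul/zulu-openjdk-alpine@sha256:<full 64-character digest starting 0566f725fbb9>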
Now if anyone modifies the image, the hash digest will change. Even if someone re-tagged version 13 with version 13.04, you won't be affected because you're still using the hash digest from the previous, real version 13.
You will know if something goes wrong (once you clear your cache) even before you run your tests. This means you won’t waste valuable time investigating failed tests. Even if that digest is no longer available because it got removed or cleaned up in the re-tagging process, that is good because you will know about it instantly.
By doing this (using the digest) you have guaranteed your base image is 100% reproducible for your environment.
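To enforce the rule above across a repository, here is a small check that reports every FROM line not pinned to a full sha256 digest. It is an added example, not code from the original post; the function name check_from_lines, the sample Dockerfile, the registry.example.com host and the placeholder digest are all made up for illustration.

```python
import re

# Pinned means the reference ends in a full digest: @sha256:<64 hex characters>.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def check_from_lines(dockerfile_text):
    """Return (line_number, image_ref, problem) for each FROM that is not digest-pinned."""
    findings = []
    stages = set()  # names declared by "FROM ... AS name"; later FROM lines may reuse them
    for lineno, raw in enumerate(dockerfile_text.splitlines(), start=1):
        parts = raw.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        # Skip option flags such as --platform=linux/amd64 that precede the image.
        args = [p for p in parts[1:] if not p.startswith("--")]
        if not args:
            continue
        ref = args[0]
        if ref == "scratch" or ref.lower() in stages:
            problem = None  # empty base or an earlier build stage: nothing to pin
        elif "$" in ref:
            problem = "image comes from a build ARG, pinning cannot be checked here"
        elif DIGEST_RE.search(ref):
            problem = None
        elif "@" in ref:
            problem = "digest is not a full sha256 value"
        else:
            # The tag follows a ':' in the last path segment (an earlier ':' is a registry port).
            last = ref.rsplit("/", 1)[-1]
            tag = last.split(":", 1)[1] if ":" in last else "latest"
            problem = f"tag '{tag}' can be re-pointed, pin with @sha256:<digest>"
        if problem:
            findings.append((lineno, ref, problem))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

# Constructed sample Dockerfile; the 64 'a' characters are a made-up placeholder digest.
SAMPLE = (
    "FROM openjdk AS build\n"
    "FROM azul/zulu-openjdk-alpine:13 AS test\n"
    "FROM --platform=linux/amd64 registry.example.com:5000/jre@sha256:" + "a" * 64 + " AS runtime\n"
    "FROM build\n"
)

if __name__ == "__main__":
    for lineno, ref, problem in check_from_lines(SAMPLE):
        print(f"line {lineno}: {ref}: {problem}")
```

Run it in CI against each Dockerfile and fail the build when the returned list is not empty.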
How to Select Base Image Tag | Summary
Plain and simple, use the image digest as your tag and a comment for us humans to know what it logically refers to! Only use :latest for fun.