
Pin Docker images to specific tags

🚀 Feature Request

Summary

Adopt a deterministic image versioning strategy by pinning Docker images to specific tags instead of relying on :latest.

Problem to Solve / User Story

As a developer and operator, I want our services to use explicitly versioned Docker images so that:

  • Deployments are reproducible and stable across environments.
  • Upstream changes to :latest don’t introduce unexpected behavior into production.
  • We have full traceability of which version is running in any environment.

Currently, we use :latest tags, which are mutable and can silently change when new builds are pushed. This also leaves unnamed images behind whenever a new upstream image is pulled, because the previously downloaded image loses its tag and shows up as <none>:<none> (dangling).

Proposed Solution

Update all Docker Compose services to replace :latest with pinned version tags (e.g., mysql:9.0.1) for production. Optionally, pin to image digests as well (e.g., mysql:9.0.1@sha256:<digest>), since a tag can be re-pushed but a digest identifies exactly one image manifest.

Optionally configure our container registry to enforce immutable tags.
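As an added illustration of the proposed change (not code from the original issue), the script below writes a constructed Compose file that places the current mutable setup (`:latest` plus `pull_policy: always`) next to the proposed pinned form, then audits every `image:` reference and reports which ones are still mutable. The sample services, the registry hostname and the all-zero `sha256:` digest are placeholders, not real values; the only assumptions are POSIX sh, awk, and a simple Compose layout with one `image:` key per service.

```shell
#!/bin/sh
# Added example, not part of the original issue: audit a Docker Compose file
# for image references that are not pinned, and show what "pinned" looks like.
# Assumptions: POSIX sh plus awk, one `image:` key per service; the digest
# below is a constructed placeholder, not a real mysql digest.

# Constructed sample Compose file: the first service shows the current
# mutable setup the issue describes, the second the proposed pinned form.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  db-current:
    image: mysql:latest          # mutable: silently changes upstream
    pull_policy: always
  db-pinned:
    image: "mysql:9.0.1@sha256:0000000000000000000000000000000000000000000000000000000000000000"
  cache:
    image: redis                 # no tag at all, implicitly :latest
  proxy:
    image: registry.example.com:5000/nginx:1.27   # tag only, still mutable
EOF
}

# Classify one image reference. Prints: digest | latest | tag-only | untagged
classify_image() {
  ref="$1"
  case "$ref" in
    *@sha256:*) echo "digest" ;;
    *:latest)   echo "latest" ;;
    *)
      # Drop any registry host:port prefix so its colon is not mistaken
      # for a tag separator, then look for a tag on the final path element.
      name="${ref##*/}"
      case "$name" in
        *:*) echo "tag-only" ;;
        *)   echo "untagged" ;;
      esac
      ;;
  esac
}

# Extract every `image:` value from a Compose file, one per line,
# with trailing comments and double quotes removed.
list_images() {
  awk '$1 == "image:" { v = $2; gsub(/"/, "", v); print v }' "$1"
}

# Print "<image> <classification>" for every image that is NOT pinned by
# digest. Output is empty when the file is fully pinned.
list_unpinned() {
  list_images "$1" | while read -r ref; do
    status=$(classify_image "$ref")
    [ "$status" = "digest" ] || echo "$ref $status"
  done
}

# Number of unpinned images; a non-zero value can fail a CI check.
count_unpinned() {
  list_unpinned "$1" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample.
sample="${TMPDIR:-/tmp}/compose-pin-audit.$$.yml"
write_sample_compose "$sample"
echo "Unpinned images in $sample:"
list_unpinned "$sample"
echo "Total unpinned: $(count_unpinned "$sample")"
rm -f "$sample"
```

To obtain the digest for a tag you have already pulled and vetted, `docker image inspect --format '{{index .RepoDigests 0}}' mysql:9.0.1` prints the `mysql@sha256:...` reference; that value goes after the version tag in the Compose file, so the tag remains readable while the digest makes the pin exact. Treat a `tag-only` result as "reproducible only as long as the registry enforces immutable tags".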

Benefits

  • Reproducibility: The same build is deployed.
  • Predictability: Deployments won’t break unexpectedly due to upstream changes.
  • Auditability: Easier to track and roll back to a known working version.
  • Security: Only vetted, tested image versions are promoted to production.

Possible Drawbacks

  • All services need immutable tags.
  • More overhead in managing version bumps (but can be automated with tooling like Renovate).
  • Less flexibility for developers who may prefer :latest in local experiments.

Additional Context

  • Current setup: Docker Compose with pull_policy: always on some services.
  • Behavior observed: new upstream images take over the existing tag, leaving the previously pulled image behind as a dangling <none>:<none> image locally.
  • Proposed change aligns with container best practices from Docker, CNCF, and security guidance.

Relevant Logs or Screenshots (if applicable)

[Screenshot attached to the original issue: Bildschirmfoto_2025-08-19_um_12.07.43 (image not included here)]

Requirements or Dependencies

Needs version tags and immutable Docker images across all services.

Alternatives Considered

  • Continue using :latest with frequent pruning => not recommended for production.
  • Use floating minor tags (e.g., mysql:9.0) for a balance between stability and auto-updates => possible for dev/test but not prod.

Links / References

Docker docs: why not to use latest