Docker tags are used to identify images by name. Multiple tags can be assigned to each image. Tags look like
my-image:latest, where the part before the colon defines the name of the image and the last section specifies the version.
You can tag an image without anything after the colon. Your image is automatically given
latest as release tag. This is a common source of confusion for newbies to Docker.
The problems with the latest
The semantics of the
latest label appear to suggest a special meaning beyond what actually exists. In reality,
latest is used as the default tag when you have not specified anything else. That is the nothing but time it will be used ̵
Here’s an example of the resulting problem:
# Creates my-image:latest (first image) docker build -t my-image # Updates my-image:latest (second image) docker build -t my-image:latest # Creates my-image:v1 (third image) docker build -t my-image:v1
If you run away now
docker run my-image:latest, would you like the second build image. The
v1 tag is completely independent of
latest, so building the third image has no effect on the existing two. If you want
my-image:v1 to also the
latest image, you need to manually tag and push it in a separate edit.
This creates a lot of confusion within the Docker ecosystem. Lots of image makers To do tag their latest releases with
latest. This gives the tag extra importance that Docker didn’t intend. Other authors use
latest for their development builds, while some don’t have
latest tag all the way.
The lack of consistency between image authors can make it unclear whether or not
latest is really the last image or not. The main rule of
latest is to never make assumptions about how a particular image will use the tag.
Avoid getting stuck on the latter
You may use the
latest tag of an image when a more specific alternative is available. Unless you know the author of the image is actively working it
latest tag attached to it may not deliver the version you expect.
Most images use semantic versioning to create release tags. It is much safer to consume
my-image:latest. If the author doesn’t keep it up
latest, you could end up with a very outdated image. Conversely, authors that To do maintain
latest often use the tag for their advanced development version. If you stick with it, it will likely deliver significant changes on a regular basis that you won’t be warned about.
Several container ecosystem projects are now warning against the use of
latest for this reason. Kubernetes notes that using
latest is not only unpredictable, but also makes it more difficult for you to control the for real image version used by your containers.
Roll back a container that was deployed with
latest is not immediately possible. You have no reference point to work with. Change an image tag from
2.1.0 lets you easily roll back the upgrade if needed. Container organization tools can’t help you “the new
latest image “back in” the old
More fundamentally, good tagging practice dictates that image tags must be immutable. Once a tag has been assigned, that tag cannot be reused by the same image. This allows downstream consumers to pin on specific versions, knowing that they will get the same picture every time.
latest breaks this system by being inherently changeable. If you use
latest, you have to accept change. As an image author, you make it more difficult for users to refer to your image with confidence if you only publish with the
Many tools rely on the use of image tags.
latest often receives special treatment that you should be aware of. Kubernetes will do that, for example always try a newer version of it
latest tag, even if a local already exists. Other tags are only fetched if they do not already exist in the cluster.
Better approaches to tagging
Try to stick to semantic versions when tagging images that will be publicly available. This is a widely accepted standard that helps communicate the magnitude of any change you are making to your image.
You have more options when creating images for private use. Images taken by a CI server can often be tagged with the SHA of the commit that ran the pipeline. This ensures that each pipeline creates a unique tag that will not be overwritten in the future. It also helps you match images in your container registry with the codebase changes that made them.
Finally, don’t think too much about it
latest label. You don’t have to keep it up to date with the “latest” version of your image. It is often best to ignore it completely unless you are running
docker build without a tag name it is never created. If you have a
latest tag, make sure to indicate what it refers to.
Docker’s apparent simplicity
latest tag masks a swamp of potential problems. You will encounter them both as an image author and as a consumer. The issues stem from the tag’s semantic inconsistency: while it sounds dynamic, it’s nothing more than a static tag assigned by Docker in the absence of a user-specified value.
You should pin against specific image versions whenever possible. This will help you avoid breaking changes and ambiguous behavior of third party utilities. As an image author, try to provide semantic release versions and make it clear how your project is being handled
latest. This helps potential users judge how to refer to your image.