
Docker Registry - Do not allow pushing if the tag already exists (except for :latest tag)

I have a scenario where we need our private Docker Registry (v2) to not accept pushes to a tag if it already exists.

For example, I have

192.168.0.77:5000/my-project:1.0.0

and someone pushes an update on the endpoint above. It should stop the push.

Then when the user pushes with tag 1.0.1 or any other, it will push successfully.

I know Docker allows pushing on the same tag, however I wish to have this kind of workflow so we don't override each other's image this way and also these will correlate with a Jenkins build (for transaction purposes).

Deployment Instructions (in bash)

docker login -u admin -p fakepassword 192.168.0.77:5000
docker tag my-project 192.168.0.77:5000/my-project:1.0.0
docker push 192.168.0.77:5000/my-project:1.0.0

Can someone please advise a way of achieving this?

This is what I use in my CI pipeline.

Check the value of $?, which contains the result of the most recent command - in your case a command that checks if the tag already exists:

#!/bin/bash

# Exit status 0 means the manifest for the tag was found; anything else means
# the tag is missing (or the registry could not be reached / authentication failed).
docker manifest inspect "$IMGNAME:$IMGTAG"
RESULT=$?
# Use -eq rather than ==, so the test also works when the script is run with sh.
if [ "$RESULT" -eq 0 ]; then
  echo success
else
  echo failed
fi

Save it as a file and call it script.sh

To run the script: sh ./script.sh

The script will return 'success' if the command is successful, otherwise it will return 'failed'.

The term you're looking for is immutable tags or tag locking. This is a feature of registry servers. If you trust the tooling pushing to the registry, then you can check for an existing tag with various tools:

  • docker manifest inspect (I'm not certain if this is always a remote pull, treat this as experimental)
  • docker buildx imagetools inspect (this command is hidden, which may mean it will change in the future)
  • crane (from Google's go-containerregistry)
  • regctl image digest (from myself, the digest does a HEAD request which is faster and better for registries that rate limit requests)
  • skopeo (from RedHat)

With each of these, you're looking for error conditions that trigger when the tag is missing and don't care about the output:

# regctl exits non-zero when the manifest cannot be found; the output itself is discarded.
if regctl image digest "${some_image}" >/dev/null 2>&1; then
  echo image exists, skip push
else
  echo image missing, push new tag
fi
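The check-then-push flow from the two answers, as an added example that is not from the question or either answer: a client-side guard that only pushes a tag the registry reports as missing, treats :latest as the exception the question asks for, and fails closed when the existence check itself errors (bad credentials, registry down) rather than mistaking that for "missing". It assumes basic-auth credentials in REGISTRY_USER/REGISTRY_PASS and a plain-HTTP registry address like the one in the question; both are placeholders, and since the guard runs on the pushing client it relies on trusting the tooling as noted above.

```shell
#!/bin/sh
# Pre-push guard for a Docker Registry v2. Only a tag known to be absent may be
# pushed; ":latest" is the one exception. REGISTRY_USER/REGISTRY_PASS (basic
# auth) and the plain-HTTP registry address are placeholders, not real values.

# Map the HTTP status of HEAD /v2/<name>/manifests/<tag> to a state word.
# 200 = tag exists, 404 = tag missing, anything else = cannot tell (bad
# credentials, registry down, typo in the name). "unknown" is kept separate
# so the guard can fail closed instead of treating an error as "missing".
classify_http_code() {
  case "$1" in
    200) echo exists ;;
    404) echo missing ;;
    *)   echo unknown ;;
  esac
}

# Decide whether a push is allowed: exit 0 = allow, 1 = refuse.
should_push() {
  tag=$1; state=$2
  [ "$tag" = latest ] && return 0
  [ "$state" = missing ]
}

# Live check. A HEAD request returns the digest header without downloading
# the manifest. The Accept list covers Docker and OCI manifest types so a
# multi-arch image index is found as well.
remote_tag_state() {
  registry=$1; name=$2; tag=$3
  code=$(curl -s -o /dev/null -w '%{http_code}' -I \
    -u "$REGISTRY_USER:$REGISTRY_PASS" \
    -H 'Accept: application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json' \
    "http://$registry/v2/$name/manifests/$tag")
  classify_http_code "$code"
}

# Usage: guarded_push 192.168.0.77:5000 my-project 1.0.0
guarded_push() {
  registry=$1; name=$2; tag=$3
  state=$(remote_tag_state "$registry" "$name" "$tag")
  if should_push "$tag" "$state"; then
    docker push "$registry/$name:$tag"
  else
    echo "refusing to push $registry/$name:$tag (tag state: $state)" >&2
    return 1
  fi
}
```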
