It’s fair to say that 2014 was “The Year Of The Container” with Docker and the ecosystem growing at exponential rates. With fast movements and innovations happening it’s easy to overlook some early considerations and consider them best practice. One concern is focused on the use of the :latest tag in a Dockerfile.
The FROM instruction in your Dockerfile accepts either the image or an image and a tag. In the documentations it states that “If no tag is given to the FROM instruction, latest is assumed.”
Let’s take a closer look at how the :latest works with Node.js based on the official images. The list of tags for Node can be found on the Docker Hub Registry.
Firstly, node:latest will always point to the latest version. This has two side-effects. The first is that you’ll automatically be running future major releases which could include breaking changes for your application. If everyone uses node:latest then once 0.12 is released there will be a number of companies running 0.12 without being prepared. While we hope test coverage would capture potential issues it could have adverse effects.
The second is based on Docker’s ability to reuse base images. If a new minor release occurs between image builds then you’ll need to download and store these minor revisions. This increases space required on the build server along with the time required due to downloading the latest version of Node.js.
Given this we have three choices when picking our FROM instruction.
FROM node:latest
– Always download the latest stable, ignoring major/minor revisions.
FROM node:0.10
– We’re happy with any 0.10 releases, we’ll upgrade to 0.12 when we are ready.
FROM node:0.10.34
– We’ll manage the upgrade between minor versions.
The last one defines that we’ll always run against 0.10.34 of node, this gives us confidence that our base-line won’t change without us knowing.
While you may think this isn’t an issue because it’s only node, what about the latest version of ubuntu? As Dockerfiles become a long term foundation of a project, using “FROM ubuntu” could point to a different version than what the original developers intended. In future I will be using a fixed tag and upgrading when required.
One thought on “Dockerfile and the :latest tag anti-pattern”