17

I have a scenario where we need our private Docker Registry (v2) to not accept pushes to a tag if it already exists.

For example I have

192.168.0.77:5000/my-project:1.0.0

and someone pushes an update on the endpoint above. It should stop the push.

Then when the user pushes with tag 1.0.1 or any other, it will push successfully.

I know Docker allows pushing on the same tag, however I wish to have this kind of workflow so we don't override each other's image this way and also these will correlate with a Jenkins build (for transaction purposes).

Deployment Instructions (in bash)

 docker login -u admin -p fakepassword 192.168.0.77:5000
 docker tag my-project 192.168.0.77:5000/my-project:1.0.0
 docker push 192.168.0.77:5000/my-project:1.0.0

Can someone please advise a way of achieving this?

BoqBoq

2 Answers

2

This is what I use in my CI pipeline.

Check the value of $?, which contains the result of the most recent command - in your case a command that checks if the tag already exists:

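#!/bin/bash

# IMGNAME and IMGTAG are expected to be set by the CI job.
# Exit status 0 means the manifest was found, i.e. the tag already exists.
docker manifest inspect "$IMGNAME:$IMGTAG"
RESULT=$?
if [ "$RESULT" -eq 0 ]; then
  echo success
else
  echo failed
fi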

Save it as a file and call it script.sh

To run the script: sh ./script.sh

The script will return 'success' if the command is successful; otherwise it will return 'failed'.

tpaz1
1

The term you're looking for is immutable tags or tag locking. This is a feature of registry servers. If you trust the tooling pushing to the registry, then you can check for an existing tag with various tools:

  • docker manifest inspect (I'm not certain if this is always a remote pull, treat this as experimental)
  • docker buildx imagetools inspect (this command is hidden, which may mean it will change in the future)
  • crane (from Google's go-containerregistry)
  • regctl image digest (from myself, the digest does a HEAD request which is faster and better for registries that rate limit requests)
  • skopeo (from RedHat)

With each of these, you're looking for error conditions that trigger when the tag is missing and don't care about the output:

if regctl image digest "${some_image}" >/dev/null 2>&1; then
  echo image exists, skip push
else
  echo image missing, push new tag
fi

BMitch
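
An added example, not part of either answer: a push guard that treats only a definite 404 from the registry as "tag absent", so an authentication or network failure is not mistaken for a free tag. It assumes the registry serves HEAD /v2/<name>/manifests/<tag> (Registry HTTP API v2) and that credentials are in ~/.netrc; the function names and the REGISTRY_SCHEME variable are hypothetical.

```shell
#!/bin/sh
# Added example: fail-closed "push only if the tag is absent".
# Assumptions: Registry HTTP API v2, credentials in ~/.netrc, and the
# hypothetical REGISTRY_SCHEME variable (default https).

ACCEPT='application/vnd.docker.distribution.manifest.v2+json'
ACCEPT="$ACCEPT, application/vnd.docker.distribution.manifest.list.v2+json"
ACCEPT="$ACCEPT, application/vnd.oci.image.manifest.v1+json"
ACCEPT="$ACCEPT, application/vnd.oci.image.index.v1+json"

# Map the HTTP status of HEAD /v2/<repo>/manifests/<tag> to a decision word.
classify_status() {
  case "$1" in
    404) echo absent ;;   # registry answered: no such manifest
    200) echo exists ;;   # tag is already taken
    *)   echo error ;;    # 401/403/5xx/000: not proof that the tag is free
  esac
}

# Print the HTTP status code of the tag lookup (000 when curl cannot connect).
manifest_status() (
  registry=$1 repo=$2 tag=$3
  curl --silent --netrc --head --max-time 10 --output /dev/null \
    --write-out '%{http_code}' -H "Accept: $ACCEPT" \
    "${REGISTRY_SCHEME:-https}://${registry}/v2/${repo}/manifests/${tag}"
)

# Push only on a definite 404; exit 1 if the tag exists, 2 on any other outcome.
guarded_push() (
  registry=$1 repo=$2 tag=$3
  status=$(manifest_status "$registry" "$repo" "$tag") || status=000
  case "$(classify_status "$status")" in
    absent) docker push "${registry}/${repo}:${tag}" ;;
    exists) echo "refusing: ${repo}:${tag} already exists" >&2; exit 1 ;;
    *)      echo "refusing: tag check inconclusive (HTTP ${status})" >&2; exit 2 ;;
  esac
)

# Usage: ./guarded-push.sh 192.168.0.77:5000 my-project 1.0.1
if [ "$#" -eq 3 ]; then guarded_push "$@"; fi
```

A check followed by a push still leaves a window in which two clients can both see a 404, so this only helps when the pushing tooling is trusted. Enforcing the rule for every client requires immutable tags on the registry side.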