Docker command to check if a local container image is outdated?

[ismay]

Say compared to the remote image on dockerhub. I've been looking for a canonical way of doing this, but all I've been able to find is brittle bash scripts and the like. No official, recommended way of doing performing such a check. A stack overflow question also hasn't resulted in any definitive answers yet. Neither has this similar question.

Being able to verify whether a local image is outdated compared to its remote is pretty useful for development and staging environments (docker-cloud even allows you to set up auto updating containers for this). I know that there is the possibility of using a webhook to trigger a re-pull after a succesfull image build, but let's say I want to be able to initiate the check from my server, instead of having to have it listen.

Am I right in assuming that there is currently no docker command available to perform this check, or have I missed an obvious, docker native solution to this problem?

[thaJeztah]

No, there's currently no built-in option to check if an image is "outdated". Automatically updating containers is something that really differs per use-case; "blindly" updating to the latest image is non-trivial. For example some-image:latest can result in a completely different image (e.g. ubuntu:latest refers to the latest "LTS" release, which at some point switched from 14.04 to 16.04), at the same time, some-image:1.2.3 "looks" like a SemVer(ish) tag, but there's no guarantee, because its up to the image-author to decide on both the "tag" scheme, and what it means (basically, tags are just a free form "label").

For this reason, it's recommended to use an immutable identifier for your containers (for example ubuntu@sha256:aabbbcccddd); that allows you to test the exact image version you're running, and have a guarantee that it's the same version as was tested in your QA process.

Having said the above, there are some options;

• when using docker compose, you can docker-compose pull to pull the latest version of all images used in your compose stack
• when building images, you can docker build --pull ..... to force pulling the image defined in FROM before starting a build
• when using services; docker service update --force --image foo:bar <servicename> resolves the latest version of the specified foo:bar image, and "pins" all instances of the service to that version

I hope this answers your question. Please keep in mind that the GitHub issue tracker is not intended as a general support forum, but for reporting bugs and feature requests. For other type of questions, consider using one of;

• https://forums.docker.com
• the Docker community Slack channel
• StackOverflow

I'm going to close this issue because this is not a bug, but feel free to continue the conversation 👍

[jojomi]

There is a difference though between "blindly updating" and just getting notified the remote image changed (using the same tag), so that you can start your build and QA process.

[sbrl]

Indeed. A stable mechanism by which one can detect updates to a container without re-downloading the entire container every day would be awesome.

Security updates are extremely important, and with this feature missing isn't making it any easier to keep up to date.....

[LewisW]

Just thought I'd leave a message on here in case it helps any one in the future. You can try using Diun for this task. It checks for updates and then can notify you via a number of providers.