Can you tag a docker image in a remote repository without pulling it?

Asked 21/8, 2020 at 22:7 Answered 8/8 at 18:39

I occasionally need to do some manual promotion for a docker image.

The flow I use is:

$ docker pull registry.digitalocean.com/foo/bar:dev-123
$ docker tag registry.digitalocean.com/foo/bar:dev-123 registry.digitalocean.com/foo/bar:prd-123
$ docker push registry.digitalocean.com/foo/bar:prd-123

This involves pulling the image to my local host, tagging it there, and pushing it up again.

It seems to me there should be a way of tagging the image in the remote repository without the above faff, but I couldn't find an answer on Google.

Welltodo answered 21/8, 2020 at 22:7 Comment(0)

You can do this using skopeo, like this:

skopeo copy docker://some/image:oldtag docker://some/image:newtag

For example, if I have:

$ skopeo list-tags docker://larsks/skopeo-example
{
    "Repository": "docker.io/larsks/skopeo-example",
    "Tags": [
        "latest"
    ]
}

I can run:

$ skopeo copy docker://larsks/skopeo-example:latest docker://larsks/skopeo-example:newtag
Getting image source signatures
Copying blob df20fa9351a1 skipped: already exists
Copying config 0bce593a08 [--------------------------------------] 0.0b / 741.0b
Writing manifest to image destination
Storing signatures

And now I have:

$ skopeo list-tags docker://larsks/skopeo-example
{
    "Repository": "docker.io/larsks/skopeo-example",
    "Tags": [
        "latest",
        "newtag"
    ]
}

Aerobiosis answered 21/8, 2020 at 22:44 Comment(5)

It seems to me that behind the scences skopeo is doing the same thing? pulling the image, tagging it, and pushing it back up? – Welltodo 21/8, 2020 at 23:45

Possibly, yes, but (a) it's a single command rather than all that "faff", (b) just like docker itself, it only transfers layers that don't already exist on the target, so in many cases it won't be transferring all that much data, and (c) it doesn't look like the docker registry api provides a mechanism for tagging an image other than via a push operation, which means your options for making this simpler from an operations perspective are limited. – Aerobiosis 22/8, 2020 at 2:33

I think that skopeo copy solution is superior to docker tag in more secure environments as it does not require access to docker and root permissions (all other answers are effectively sudo docker tag, just masked by the membership of the docker group). – Jessee 23/8, 2023 at 16:31

Great, this did it for me - I was having permission-based issues with my GitLab CI (not being set up with docker daemon), and this was the only solution that worked. Thank you! – Tosh 13/2 at 20:47

@Juicy: Newer versions of skopeo copy efficiently, without downloading the entire image (I think since this PR). – Hourihan 8/8 at 18:42

This involves pulling the image to my local host, tagging it there, and pushing it up again.

It seems to me there should be a way of tagging the image in the remote repository without the above faff, but I couldn't find an answer on Google.

Fundamentally these 3 steps (pull/tag/push) are required if the registry is remote but there are some tricks to fast up that if the registry is own.

1.If the current docker host has the updated image in its local repository you can can skip the pull :

docker tag registry.digitalocean.com/foo/bar:dev-123 registry.digitalocean.com/foo/bar:prd-123
docker push registry.digitalocean.com/foo/bar:prd-123

2.If the remote registry is a private registry that you can connect to, you can strongly improve that (pulling and pushing may be slow according to the image size) by performing the task from the machine hosting that registry.
It would be only two quite fast steps now :

docker tag registry.digitalocean.com/foo/bar:dev-123 registry.digitalocean.com/foo/bar:prd-123
docker push registry.digitalocean.com/foo/bar:prd-123

3.If you cannot perform these tasks from that machine directly, you can still use the docker -H HOST way to connect to the remote Docker Daemon of that registry (if that is enabled of course):

docker -H registry.digitalocean.com tag registry.digitalocean.com/foo/bar:dev-123 registry.digitalocean.com/foo/bar:prd-123
docker -H registry.digitalocean.com  push registry.digitalocean.com/foo/bar:prd-123

For series of large images that I have to tag in private registries, I always favor these ways when possible.

Essayistic answered 22/8, 2020 at 7:48 Comment(1)

dille.name/blog/2018/09/20/… appears to contain a solution if you're willing to poke the HTTP API directly. Not my discovery (nor something I've tested yet), but it looks like this is possible despite the various comments saying otherwise. Found via forums.docker.com/t/tag-without-pull-push/12836/11 which describes the same issue and even has official responses of it being not possible. – Amar 6/10, 2022 at 23:0

Docker Buildx now supports efficient copying (docs):

docker buildx imagetools create --tag NEWIMAGE OLDIMAGE

(credit)

Hourihan answered 8/8 at 18:39 Comment(0)

Recommended topics

Hot tags