9 Oracle Linux Container Image Tagging Conventions

Oracle follows several conventions when tagging container images for Oracle Linux. Users should be aware of these conventions to ensure that the best image is used for the purpose at hand, to avoid unnecessary breakages in functionality, and to help ensure that images continue to use the most recently patched software.

The slim Tag

Oracle releases minimal compressed versions of each Oracle Linux release. These images contain just enough operating system to run within a container and to perform installations of additional packages. These images are the recommended images for general use within builds and where scripted installation is likely to be used. The images that use this tag are maintained at the most current update level.

For example, to use the most recent version of an Oracle Linux 7 slim image, use the 7-slim tag. To use the most recent version of an Oracle Linux 8 slim image, use the 8-slim tag.

docker pull oraclelinux:7-slim

FIPS compliant versions of images are tagged with the slim-fips tag. These images include compliant cryptographic package versions and most of the initial image setup required for container FIPS compliance. To use these images, you must enable FIPS mode on the host system.

The following slim-fips images are available:

  • oraclelinux:7-slim-fips:

    • The latest FIPS compliant versions of Oracle Linux 7 cryptographic packages at the time of the release of the image are already installed;
    • The Oracle Linux 7.8 security validation repository is already enabled in the image yum configuration file, so that the container can retrieve system updates that include FIPS compliant cryptographic package versions;
    • The dracut-fips package required for container FIPS mode is already installed.
  • oraclelinux:8-slim-fips:

    • The latest FIPS compliant versions of Oracle Linux 8 cryptographic packages at the time of the release of the image are already installed;
    • The Oracle Linux 8.4 security validation repository is already enabled in the image yum configuration file, so that the container can retrieve system updates that include FIPS compliant cryptographic package versions;
    • The /etc/system-fips file required for container FIPS mode in docker is already created.
    • Note that Oracle Linux 8 docker containers still require that you mount FIPS cryptographic policies from /usr/share/crypto-policies/back-ends/FIPS to /etc/crypto-policies/back-ends in the container. See Enabling FIPS Mode in Containers.

General Oracle Linux release Tags

Oracle Linux images are tagged at their release level and are maintained to always map to the latest corresponding update level. If you need a more complete operating system than the version provided in a slim image, you should use a release tag to obtain the latest image for that Oracle Linux release.

For example, to get the latest update release image for Oracle Linux 8, use the 8 tag:

docker pull oraclelinux:8

Oracle Linux Update Level Tags

Oracle Linux images are tagged at their update level. The other tags described map onto the latest or most current update level for an Oracle Linux image.

Attention:

Do not directly use update level tags within your Dockerfile or within any of your builds unless you have a specific use case that requires a particular update level. Typical use cases involve trying to resolve an issue or bug that is only present at a particular update level of Oracle Linux.

Using an update level tag can result in your containers running unpatched software that may expose you to security issues and software bugs.

Update level tags use dot notation to indicate the update level. For example, Oracle Linux 8.2 is indicated using the 8.2 tag:

docker pull oraclelinux:8.2

The latest Tag

Important:

Oracle does not provide this tag for Oracle Linux images. Use a slim image or a release tag instead. Oracle also recommends that users avoid dependency on this tag when working with other distribution or software images.

The use of a default tag often results in significant confusion and regularly breaks builds and scripted functionality for end users. For this reason, and to help encourage best practice when working with image tags, Oracle does not provide a latest tag for Oracle Linux images.

The following reasons explain why Oracle does not make this tag available:

  • When the latest tag is used, it can result in significant jumps between distribution releases rather than simple update levels. This is usually not what a user intends when selecting the latest tag, or depending on tools to fall back to this tag by not specifying a tag at all. Expected functionality can change dramatically between releases resulting in changes to commands, options, configurations and available software.

  • There is no easy way to identify which latest image was used for a particular build, making it difficult to see the differences between two final build images. This difficulty in tracking changes also makes it hard to roll back to a known functioning base image if a new build fails.

  • Tagging an image with the latest tag is not automatic and it is possible for a more recent image to be available while the image tagged as latest has not been updated. This can lead to unexpected consequences.

  • There is no guarantee that all tools treat the latest tag the same. While some tools may default to always pulling an image tagged as latest from an upstream registry, other tools may default to a locally stored image also tagged as latest, even if it has fallen out of date.

This decision may result in errors in some tools that fall back to the latest tag when no tag is specified for an image. For example:

docker pull docker.io/library/oraclelinux
Trying to pull docker.io/library/oraclelinux...
  manifest unknown: manifest unknown
Error: error pulling image "docker.io/library/oraclelinux": unable to pull docker.io/library/oraclelinux: 
unable to pull image: Error initializing source docker://oraclelinux:latest: Error reading manifest latest 
in docker.io/library/oraclelinux: manifest unknown: manifest unknown

Always specify the appropriate tag for the image that you intend to use! For example:

docker pull oraclelinux:8
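
The tag guidance on this page can be checked before a build runs. The following is an added example, not Oracle tooling: a POSIX shell check that reads a Dockerfile and reports oraclelinux FROM lines that omit the tag, use latest, or pin an update level. The function names and the sample Dockerfile are constructed for illustration.

```shell
# Added example: classify an oraclelinux image reference by tag convention.
# Prints: untagged | latest | update-level | release | slim | slim-fips | digest | other
classify_ol_tag() {
    ref=$1
    case $ref in *@sha256:*) echo digest; return ;; esac
    name=${ref##*/}                 # drop registry/namespace (and any registry port)
    case $name in *:*) tag=${name#*:} ;; *) echo untagged; return ;; esac
    case $tag in
        '')               echo untagged ;;
        latest)           echo latest ;;
        [0-9]*-slim-fips) echo slim-fips ;;
        [0-9]*-slim)      echo slim ;;
        [0-9]*.[0-9]*)    echo update-level ;;   # dot notation, e.g. 8.2
        *[!0-9]*)         echo other ;;
        *)                echo release ;;        # bare release number, e.g. 8
    esac
}

# Read a Dockerfile on stdin; report oraclelinux FROM lines that fall back to
# latest or pin an update level as "LINE: IMAGE (KIND)". Returns 1 on findings.
lint_dockerfile() {
    findings=0 lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -f; set -- $line; set +f           # split into words without globbing
        case $1 in [Ff][Rr][Oo][Mm]) shift ;; *) continue ;; esac
        case $1 in --*) shift ;; esac           # skip --platform=...
        name=${1##*/}
        [ "${name%%[:@]*}" = oraclelinux ] || continue
        kind=$(classify_ol_tag "$1")
        case $kind in
            untagged|latest|update-level) echo "$lineno: $1 ($kind)"; findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample input, not taken from any real project.
sample_dockerfile() {
    cat <<'EOF'
FROM oraclelinux:8.2 AS builder
FROM docker.io/library/oraclelinux
FROM --platform=linux/amd64 oraclelinux:8-slim
FROM oraclelinux:7-slim-fips
EOF
}

sample_dockerfile | lint_dockerfile || true
```

An update level finding is acceptable only where the build has the specific use case described under Oracle Linux Update Level Tags; the slim, slim-fips and release tags pass because they track the most current update level.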