Ebirah Releases and Docker Image Pinning
#docker
Jonas Brømsø

Jonas Brømsø @jonasbn

About: Computer programmer, runner, LEGO builder, powernapper, yakshaver and father of 2 boys all squeezed in the few hours available.

Location:
Copenhagen, Denmark
Joined:
Jul 15, 2017

Ebirah Releases and Docker Image Pinning

Publish Date: May 19
0 0

It is the 19th. of May 2025 and I am behind on my blogging schedule, I am actually behind on a lot of schedules. But let's see if I can catch up a bit.

Yesterday I sat down to do a maintenance release of Ebirah 0.12.0, when looking at the repository I noticed that I had not tagged and released: 0.11.0, so with that out of the way I started to look at: 0.12.0.

The primary focus was the update of the base image from Perl 5.40.1 to Perl 5.40.2. I had recently updated my Docker tooling, but without noticing any changes until now.

My editor VSCode suggested that I pinned the Docker image to a specific version , a technique I have used and am using with GitHub Actions.

I thought this would be straight forward, but it turned out to be a bit more complicated than I expected. Not that it was complicated as such, I just did not concentrate enough on the task at hand.

To recap, you can ping a Docker image in various ways:

  • By using a specific version tag, e.g. perl:5.40.2
  • By using a digest, e.g. perl@sha256:1234567890abcdef...
  • By using a specific version tag with a digest, e.g. perl:5.40.2@sha256:1234567890abcdef...
  • etc.

I was using the version tag, but very mych wanted to pin to the SHA256 digest, since the version tag is just a pointer and it can be moved.

So I duck up the GitHub repository for the Docker base image and found the SHA256 digest for 5.40.2 and added it to my Dockerfile.

FROM perl:5.40.2-slim-bookworm@sha256:c2c67e0f54c53b3d6fca4946292d1a385e9cd119
Enter fullscreen mode Exit fullscreen mode

Tagged 0.12.0 and pushed it.

And it failed.

- InvalidDefaultArgInFrom: Default value for ARG perl:5.40.2-slim-bookworm@sha256:c2c67e0f54c53b3d6fca4946292d1a385e9cd119 results in empty or invalid base image name (line 1)
Dockerfile:1
--------------------
   1 | >>> FROM perl:5.40.2-slim-bookworm@sha256:c2c67e0f54c53b3d6fca4946292d1a385e9cd119
   2 |     
   3 |     # REF: https://docs.docker.com/engine/reference/builder/
--------------------
ERROR: failed to solve: failed to parse stage name "perl:5.40.2-slim-bookworm@sha256:c2c67e0f54c53b3d6fca4946292d1a385e9cd119": invalid checksum digest length
Enter fullscreen mode Exit fullscreen mode

I tried with the shorter digest, based on the error message:

invalid checksum digest length
Enter fullscreen mode Exit fullscreen mode

But that did not work either.

Dockerfile:3
--------------------
   1 |     # check=skip=InvalidDefaultArgInFrom
   2 |     ARG BASE_IMAGE=perl:5.40.2-slim-bookworm@sha256:c2c67e0
   3 | >>> FROM ${BASE_IMAGE}
   4 |     
   5 |     # Tag: r20250415.0 / c2c67e0f54c53b3d6fca4946292d1a385e9cd119
--------------------
ERROR: failed to solve: failed to parse stage name "perl:5.40.2-slim-bookworm@sha256:c2c67e0": invalid reference format
Enter fullscreen mode Exit fullscreen mode

After several attempts, I found it was my mistake was. I need to use the digest of the Docker image, not the GitHub repository commit as for GitHub Actions.

The digest for the Docker image can be resolved as follows. (StackOverflow has a good answer on this):

Either from existing images:

docker images --digests | ag "\bperl\b"
perl                                                          5.40.2-slim-bookworm                                                          sha256:ffca6fbf5d40c2dc3dac0fc11640e29feaabef54cf274e3d4cb24204ae62ccc2   7972f2367344   5 weeks ago     206MB
Enter fullscreen mode Exit fullscreen mode

Or when pulling the image manually (below example is for 5.40.2, to capture the excitement)

docker pull perl:5.40.2
5.40.2: Pulling from library/perl
de07ba6f486e: Already exists
84649bff67ea: Already exists
48a2a14f59a0: Already exists
0d41c7623f41: Already exists
ba5e16f28fc9: Pull complete
30654f08c59d: Pull complete
43fb7cb64f73: Pull complete
Digest: sha256:656b959619cba1f6d059c4ac637c2765bf0f3b63977a83bd989dcf7031d7b466
Status: Downloaded newer image for perl:5.40.2
docker.io/library/perl:5.40.2
Enter fullscreen mode Exit fullscreen mode

And if you already have the image and just want to see the digests and compare them for this example:

docker pull perl:5.40.2-slim-bookworm
5.40.2-slim-bookworm: Pulling from library/perl
Digest: sha256:ffca6fbf5d40c2dc3dac0fc11640e29feaabef54cf274e3d4cb24204ae62ccc2
Status: Image is up to date for perl:5.40.2-slim-bookworm
docker.io/library/perl:5.40.2-slim-bookworm
Enter fullscreen mode Exit fullscreen mode

Another interesting update to my tool, which got all this going was indicated in the error:

- InvalidDefaultArgInFrom: Default value for ARG perl:5.40.2-slim-bookworm@sha256:c2c67e0f54c53b3d6fca4946292d1a385e9cd119 results in empty or invalid base image name (line 1)
Enter fullscreen mode Exit fullscreen mode

I got the proper digests added and released 0.12.1 and pushed it, since I broke the previous release.

You can actually disable the tooling.

# check=skip=InvalidDefaultArgInFrom
Enter fullscreen mode Exit fullscreen mode

REF:

For reading up on why you should pin your Docker images, I recommend the following:

Feedback on Ebirah is always welcome, please open an issue or a pull request on the GitHub repository or you can read the about it on the GitHub page

Comments 0 total

    Add comment