×

The following sections provide an overview and instructions for using image tags in the context of container images for working with OpenShift Container Platform imagestreams and their tags.

Image tags

An image tag is a label applied to a container image in a repository that distinguishes a specific image from other images in an imagestream. Typically, the tag represents a version number of some sort. For example, here v3.11.59-2 is the tag:

registry.access.redhat.com/openshift3/jenkins-2-rhel7:v3.11.59-2

You can add additional tags to an image. For example, an image might be assigned the tags :v3.11.59-2 and :latest.

OpenShift Container Platform provides the oc tag command, which is similar to the docker tag command, but operates on imagestreams instead of directly on images.

Image tag conventions

Images evolve over time and their tags reflect this. Generally, an image tag always points to the latest image built.

If there is too much information embedded in a tag name, like v2.0.1-may-2019, the tag points to just one revision of an image and is never updated. Using default image pruning options, such an image is never removed. In very large clusters, the schema of creating new tags for every revised image could eventually fill up the etcd datastore with excess tag metadata for images that are long outdated.

If the tag is named v2.0, image revisions are more likely. This results in longer tag history and, therefore, the image pruner is more likely to remove old and unused images.

Although tag naming convention is up to you, here are a few examples in the format <image_name>:<image_tag>:

Table 1. Image tag naming conventions
Description Example

Revision

myimage:v2.0.1

Architecture

myimage:v2.0-x86_64

Base image

myimage:v1.2-centos7

Latest (potentially unstable)

myimage:latest

Latest stable

myimage:stable

If you require dates in tag names, periodically inspect old and unsupported images and istags and remove them. Otherwise, you can experience increasing resource usage caused by retaining old images.

Adding tags to imagestreams

An imagestream in OpenShift Container Platform comprises zero or more container images identified by tags.

There are different types of tags available. The default behavior uses a permanent tag, which points to a specific image in time. If the _permanent_tag is in use and the source changes, the tag does not change for the destination.

A tracking tag means the destination tag’s metadata is updated during the import of the source tag.

Procedure
  • You can add tags to an imagestream using the oc tag command:

    $ oc tag <source> <destination>

    For example, to configure the ruby imagestreams static-2.0 tag to always refer to the current image for the ruby imagestreams 2.0 tag:

    $ oc tag ruby:2.0 ruby:static-2.0

    This creates a new imagestreamtag named static-2.0 in the ruby imagestream. The new tag directly references the image id that the ruby:2.0 imagestreamtag pointed to at the time oc tag was run, and the image it points to never changes.

  • To ensure the destination tag is updated whenever the source tag changes, use the --alias=true flag:

    $ oc tag --alias=true <source> <destination>

Use a tracking tag for creating permanent aliases, for example, latest or stable. The tag only works correctly within a single imagestream. Trying to create a cross-imagestream alias produces an error.

  • You can also add the --scheduled=true flag to have the destination tag be refreshed, or re-imported, periodically. The period is configured globally at the system level.

  • The --reference flag creates an imagestreamtag that is not imported. The tag points to the source location, permanently.

    If you want to instruct OpenShift to always fetch the tagged image from the integrated registry, use --reference-policy=local. The registry uses the pull-through feature to serve the image to the client. By default, the image blobs are mirrored locally by the registry. As a result, they can be pulled more quickly the next time they are needed. The flag also allows for pulling from insecure registries without a need to supply --insecure-registry to the container runtime as long as the imagestream has an insecure annotation or the tag has an insecure import policy.

Removing tags from imagestreams

You can remove tags from an imagestream.

Procedure

To remove a tag completely from an imagestream run:

$ oc delete istag/ruby:latest

or:

$ oc tag -d ruby:latest

Referencing images in imagestreams

You can use tags to reference images in imagestreams using the following reference types.

Table 2. Imagestream reference types
Reference type Description

ImageStreamTag

An ImageStreamTag is used to reference or retrieve an image for a given imagestream and tag.

ImageStreamImage

An ImageStreamImage is used to reference or retrieve an image for a given imagestream and image sha ID.

DockerImage

A DockerImage is used to reference or retrieve an image for a given external registry. It uses standard Docker pull specification for its name.

When viewing example imagestream definitions you may notice they contain definitions of ImageStreamTag and references to DockerImage, but nothing related to ImageStreamImage.

This is because the ImageStreamImage objects are automatically created in OpenShift Container Platform when you import or tag an image into the imagestream. You should never have to explicitly define an ImageStreamImage object in any imagestream definition that you use to create imagestreams.

Procedure
  • To reference an image for a given imagestream and tag, use ImageStreamTag:

    <image_stream_name>:<tag>
  • To reference an image for a given imagestream and image sha ID, use ImageStreamImage:

    <image_stream_name>@<id>

    The <id> is an immutable identifier for a specific image, also called a digest.

  • To reference or retrieve an image for a given external registry, use DockerImage:

    openshift/ruby-20-centos7:2.0

    When no tag is specified, it is assumed the latest tag is used.

    You can also reference a third-party registry:

    registry.redhat.io/rhel7:latest

    Or an image with a digest:

    centos/ruby-22-centos7@sha256:3a335d7d8a452970c5b4054ad7118ff134b3a6b50a2bb6d0c07c746e8986b28e

Additional information