Intermediate · Lesson 7 of 16

📦 Registries, Tagging and Push/Pull Workflows

Store, version, and distribute Docker images using registries — from Docker Hub to Azure Container Registry. Learn tagging strategies, authentication, and promotion workflows.

🧒 Simple Explanation (ELI5)

A Docker registry is like a library for container blueprints. You write a book (build an image), give it a title and edition number (tag), and put it on the library shelf (push). Other people or servers can then borrow that exact edition (pull) and run it. Azure Container Registry is your company's private library — books are available only to authorized borrowers.

💡 Tagging strategy matters

Never rely on :latest in production — it is a floating pointer that changes. Always use immutable version tags (e.g., 1.2.3 or git-sha) so you know exactly what is deployed and can roll back precisely.

🔧 Image Naming Format

text
# Full image name format:
# registry/repository:tag

# Docker Hub (registry is implicit for official images)
nginx:1.25.3
myusername/myapp:2.1.0

# Azure Container Registry
myacr.azurecr.io/myapp:1.2.3
myacr.azurecr.io/team/backend:git-a1b2c3d

# GitHub Container Registry
ghcr.io/myorg/myapp:v2.0.0

💻 Push/Pull Workflow

bash
# ---- Build and Tag ----
# Tag at build time
docker build -t myapp:1.2.3 .

# Re-tag an existing image (adds an alias, no data copy)
docker tag myapp:1.2.3 myacr.azurecr.io/myapp:1.2.3
docker tag myapp:1.2.3 myacr.azurecr.io/myapp:latest

# ---- Authentication ----
# Docker Hub
docker login

# Azure Container Registry (using az CLI)
az acr login --name myacr

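# ACR with service principal (for CI/CD pipelines)
# Pass the secret on stdin so it does not appear in the process list or shell history
printf '%s' "$SP_PASSWORD" | docker login myacr.azurecr.io \
  -u "$SP_APP_ID" \
  --password-stdin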

# ---- Push ----
docker push myacr.azurecr.io/myapp:1.2.3
docker push myacr.azurecr.io/myapp:latest

# ---- Pull ----
docker pull myacr.azurecr.io/myapp:1.2.3

# ---- List local images ----
docker image ls myacr.azurecr.io/myapp

# Remove local image (does NOT delete from registry)
docker rmi myacr.azurecr.io/myapp:1.2.3

🏷️ Tagging Strategies

Versioning Tags per Environment

Build CI:    myapp:git-a1b2c3d
  ↓ push
Dev Deploy:  myapp:dev-latest
  ↓ promote
Staging:     myapp:1.2.3-rc1
  ↓ release
Production:  myapp:1.2.3
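
A pre-deployment check that enforces the ":latest" advice on production image references, as an added example that is not part of the original lesson. The function names `classify_ref` and `audit_refs` and the accepted tag patterns are assumptions of this example. It goes beyond the lesson's tags by also accepting digest references (`name@sha256:...`), which are content-addressed, whereas a version tag can still be re-pushed unless the registry locks it.

```shell
# Policy (assumption of this example): semantic-version tags, git-<sha> tags and
# digests are deployable; "latest", "*-latest" and untagged references are not.
# classify_ref prints: digest, untagged, floating, version, git-sha or other.
classify_ref() {
    ref=$1
    case $ref in
        *@sha256:*) echo digest; return 0 ;;
    esac
    # Only the last path component can carry a tag; a colon before the
    # final "/" is a registry port (e.g. localhost:5000/myapp).
    last=${ref##*/}
    case $last in
        *:*) tag=${last##*:} ;;
        *)   echo untagged; return 0 ;;   # Docker resolves this to :latest
    esac
    case $tag in
        latest|*-latest) echo floating; return 0 ;;
    esac
    if printf '%s\n' "$tag" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$'; then
        echo version
    elif printf '%s\n' "$tag" | grep -Eq '^git-[0-9a-f]{7,40}$'; then
        echo git-sha
    else
        echo other
    fi
}

# Reads one reference per line on stdin, prints each rejected reference,
# then prints the rejection count on the last line.
audit_refs() {
    rejected=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        class=$(classify_ref "$line")
        case $class in
            version|git-sha|digest) ;;
            *) echo "REJECT $line ($class)"; rejected=$((rejected + 1)) ;;
        esac
    done
    echo "rejected=$rejected"
}

# Constructed sample input, using image names from this lesson.
audit_refs <<'EOF'
myacr.azurecr.io/myapp:1.2.3
myacr.azurecr.io/team/backend:git-a1b2c3d
myacr.azurecr.io/myapp:latest
localhost:5000/myapp
EOF
```

In a pipeline, feed `audit_refs` the image references extracted from the manifests being deployed and fail the job when the last line is not `rejected=0`.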

🐛 Debugging Scenario

Problem: docker push fails with "unauthorized: authentication required".

bash
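# Step 1: confirm you are logged in
docker info | grep -i username
# Or check the credentials store. Without a credential helper, the "auths"
# entries hold base64-encoded credentials, so do not paste this output anywhere.
cat ~/.docker/config.json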

# Step 2: re-login
az acr login --name myacr                  # Azure
docker login registry.example.com         # generic

# Step 3: verify the image is tagged with the full registry path
docker image ls | grep myacr              # must include full ACR hostname

# Step 4: check your account has push permissions (look for the AcrPush role)
az role assignment list \
  --scope "$(az acr show --name myacr --query id --output tsv)" \
  --include-inherited --output table

🎯 Interview Questions

Why should you avoid using :latest in production?

:latest is a floating tag that changes every time a new image is pushed. In production, you need immutable deployments — you must know exactly which image is running, be able to reproduce it, and roll back to any prior version. With :latest, different pulls on different dates get different images. Use semantic versions (1.2.3) or git SHAs for deterministic, traceable deployments.

What is the difference between Docker Hub and Azure Container Registry?

Docker Hub is a public registry with a free tier for public images. ACR is a private registry in your Azure subscription with: Azure AD integration (RBAC), geo-replication, tasks for image building, vulnerability scanning, content trust, and VNet integration. Use ACR for any proprietary production workloads in Azure; use Docker Hub for community/public images.

Scenario: A CI pipeline builds the same Docker image 50 times a day. How do you keep storage costs down?

1. Use git SHA tags for each build and semantic version + environment tags for promotion.
2. Set ACR lifecycle policies to automatically delete untagged images and tags older than N days.
3. Use multi-stage builds to minimize final image size.
4. Enable ACR's built-in vulnerability scanning and auto-purge policies.
5. Share base image layers: ensure all apps use the same pinned base image so layers are deduplicated in the registry.

📋 Summary