Description
docker compose provides a way to pin/resolve the services.image digest using either --resolve-image-digests or --lock-image-digests. However, it doesn't seem to pin image digests for image mounts. I would expect that image pinning would also apply there (services.volumes.source for type "image").
Steps To Reproduce
With the following compose.yaml:
services:
  app:
    image: busybox:latest
    volumes:
      - type: image
        source: busybox:latest
        target: /test_mount
Resolving image digests returns:
docker compose config --resolve-image-digests
name: test_compose
services:
  app:
    image: docker.io/library/busybox:latest@sha256:fd8d9aa63ba2f0982b5304e1ee8d3b90a210bc1ffb5314d980eb6962f1a9715d
    networks:
      default: null
    volumes:
      - type: image
        source: busybox:latest
        target: /test_mount
networks:
  default:
    name: test_compose_default
instead of
docker compose config --resolve-image-digests
name: test_compose
services:
  app:
    image: docker.io/library/busybox:latest@sha256:fd8d9aa63ba2f0982b5304e1ee8d3b90a210bc1ffb5314d980eb6962f1a9715d
    networks:
      default: null
    volumes:
      - type: image
        source: busybox:latest@sha256:fd8d9aa63ba2f0982b5304e1ee8d3b90a210bc1ffb5314d980eb6962f1a9715d
        target: /test_mount
networks:
  default:
    name: test_compose_default
I suppose the same behavior is expected with --lock-image-digests.
Compose Version
docker compose version
Docker Compose version v5.1.3
docker-compose version
Docker Compose version v5.1.3
Docker Environment
docker info
Client:
 Version: 26.1.5+dfsg1
 Context: default
 Debug Mode: false
 Plugins:
  agent: Docker AI Agent Runner (Docker Inc.)
    Version: v1.57.0
    Path: /usr/local/lib/docker/cli-plugins/docker-agent
  ai: Docker AI Agent - Ask Gordon (Docker Inc.)
    Version: v1.20.2
    Path: /usr/local/lib/docker/cli-plugins/docker-ai
  buildx: Docker Buildx (Docker Inc.)
    Version: v0.34.0-desktop.1
    Path: /usr/local/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version: v5.1.3
    Path: /usr/local/lib/docker/cli-plugins/docker-compose
  debug: Get a shell into any image or container (Docker Inc.)
    Version: 0.0.47
    Path: /usr/local/lib/docker/cli-plugins/docker-debug
  desktop: Docker Desktop commands (Docker Inc.)
    Version: v0.3.0
    Path: /usr/local/lib/docker/cli-plugins/docker-desktop
  dhi: CLI for managing Docker Hardened Images (Docker Inc.)
    Version: v0.0.3
    Path: /usr/local/lib/docker/cli-plugins/docker-dhi
  extension: Manages Docker extensions (Docker Inc.)
    Version: v0.2.31
    Path: /usr/local/lib/docker/cli-plugins/docker-extension
  init: Creates Docker-related starter files for your project (Docker Inc.)
    Version: v1.4.0
    Path: /usr/local/lib/docker/cli-plugins/docker-init
  mcp: Docker MCP Plugin (Docker Inc.)
    Version: v0.42.1
    Path: /usr/local/lib/docker/cli-plugins/docker-mcp
  model: Docker Model Runner (Docker Inc.)
    Version: v1.1.37
    Path: /usr/local/lib/docker/cli-plugins/docker-model
  offload: Docker Offload (Docker Inc.)
    Version: v0.5.92
    Path: /usr/local/lib/docker/cli-plugins/docker-offload
  pass: Docker Pass Secrets Manager Plugin (beta) (Docker Inc.)
    Version: v0.0.27
    Path: /usr/local/lib/docker/cli-plugins/docker-pass
  sandbox: (Docker Inc.)
    Version: v0.12.0
    Path: /usr/local/lib/docker/cli-plugins/docker-sandbox
  sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
    Version: 0.6.0
    Path: /usr/local/lib/docker/cli-plugins/docker-sbom
  scout: Docker Scout (Docker Inc.)
    Version: v1.20.4
    Path: /usr/local/lib/docker/cli-plugins/docker-scout

Server:
 Containers: 0
  Running: 0
  Paused: 0
  Stopped: 0
 Images: 38
 Server Version: 29.5.2
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 nvidia runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 77c84241c7cbdd9b4eca2591793e3d4f4317c590 (expected: )
 runc version: v1.3.5-0-g488fc13e (expected: )
 init version: de40ad0 (expected: )
 Security Options:
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.6.87.2-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 12
 Total Memory: 15.52GiB
 Name: docker-desktop
 ID: 274db751-fa66-4f3a-81e0-7ac45e16bcb3
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 HTTP Proxy: http.docker.internal:3128
 HTTPS Proxy: http.docker.internal:3128
 No Proxy: hubproxy.docker.internal
 Labels:
  com.docker.desktop.address=unix:///var/run/docker-cli.sock
 Experimental: true
 Insecure Registries:
  hubproxy.docker.internal:5555
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
Anything else?
No response
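A check for the gap reported above, as an added example that is not part of the original issue or of Docker Compose: it walks a resolved config in JSON form and lists every image reference, including `type: image` mount sources, that carries no digest. It assumes the JSON from `docker compose config --resolve-image-digests --format json` mirrors the YAML layout shown in the report; the sample document is constructed from that output, and `unpinned_image_refs` is a hypothetical helper name.

```python
import json
import re
import sys

# Pinned means the reference ends in @<algorithm>:<hex>, e.g. @sha256:<64 hex chars>.
DIGEST_RE = re.compile(r"@[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-f]{32,}$")

def unpinned_image_refs(config):
    """Return (service, field, reference) for each image reference with no digest."""
    findings = []
    for name, svc in (config.get("services") or {}).items():
        image = svc.get("image")
        if image and not DIGEST_RE.search(image):
            findings.append((name, "image", image))
        for i, vol in enumerate(svc.get("volumes") or []):
            # Only long-syntax mounts of type "image" carry an image reference.
            if isinstance(vol, dict) and vol.get("type") == "image":
                source = vol.get("source") or ""
                if not DIGEST_RE.search(source):
                    findings.append((name, f"volumes[{i}].source", source))
    return findings

# Constructed sample: the resolved config from the report, rewritten as JSON.
SAMPLE = json.loads("""
{
  "name": "test_compose",
  "services": {
    "app": {
      "image": "docker.io/library/busybox:latest@sha256:fd8d9aa63ba2f0982b5304e1ee8d3b90a210bc1ffb5314d980eb6962f1a9715d",
      "networks": {"default": null},
      "volumes": [{"type": "image", "source": "busybox:latest", "target": "/test_mount"}]
    }
  },
  "networks": {"default": {"name": "test_compose_default"}}
}
""")

if __name__ == "__main__":
    # Optional argument: path to a saved JSON config; without it the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    config = json.load(open(path)) if path else SAMPLE
    findings = unpinned_image_refs(config)
    for service, field, ref in findings:
        print(f"UNPINNED {service}.{field}: {ref}")
    # Fail a pipeline only when a real config was supplied and has unpinned refs.
    sys.exit(1 if path and findings else 0)
```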