Is it safe to perform a Docker pull while the image is being run?

dwake · May 4, 2016, 9:23pm

If

I’m running a container off an image
While the container is running, I run “docker pull” on the digest of the same image that is running (expecting no change)

Is there any danger to the container?

Thanks.

dvohra · May 5, 2016, 4:20pm

If a Docker image is running it has already been pulled. What is the need to pull a Docker image again? The following command should list the Docker image if it is already running.

docker images

or

sudo docker images

dwake · May 5, 2016, 5:21pm

The use case is:

I am initially pulling and running an image, but do not have complete control over the pull and am unable to use Content Trust.
I want to perform a subsequent pull on the same machine using Content Trust to verify the integrity of the image
I want to be sure that this second pull will not affect the container that is already running

Thanks!

dvohra · May 5, 2016, 5:56pm

Is it the same tag of the Docker image? If so, it would have an effect as the image with the tag is already pulled and running. If a different tag image would not have an effect. The tag/version is the suffix in an image, for example
nginx:latest, the latest is the tag.

dwake · May 5, 2016, 6:10pm

Thanks for your reply. Would you mind saying a little more about why repulling the image (which would essentially be a no-op operation) would affect a container already running that image? Does the container not make its own copy of the image before it starts running?

dvohra · May 5, 2016, 6:19pm

A container does not make a copy of the image. Only one image is used regardless of how many containers are started.

dwake · May 5, 2016, 6:33pm

That’s very interesting – thanks! So what happens when a container makes changes to its own local filesystem. Is there a copy-on-write semantics?

dvohra · May 5, 2016, 6:48pm

The filesystem changes apply only to the filesystem being modified and not the filesystem on the host or the filesystem in an another container. Unless shared volumes are used, refer https://docs.docker.com/engine/userguide/containers/dockervolumes/

dvohra · May 5, 2016, 6:53pm

Also when deleting a Docker image, an image does not get deleted till all Docker containers making use of the image are deleted first.

dmaze · May 5, 2016, 7:06pm

I’m pretty sure there isn’t. This is in large part because I’m pretty sure pulling an image (hex digest) you already have is a no-op. Even some of the cases that the followup posts highlight seem to me like they should be safe.

Let’s say you

docker pull registry.example.com/image:latest
docker run -d -P --name container registry.example.com/image:latest
sleep 300
docker pull registry.example.com/image:latest

After the first docker pull, the tag registry.example.com/image:latest points to some image ID, say 12345678. The docker run creates a new container ID, say 9abcdef0, that points at that image ID. That pairing will never change as long as the container exists; you can’t docker rmi 12345678 without docker rm 9abcdef0 first.

So, the second docker pull hits one of two states. Either the tag still points at the same image ID, and the pull will not re-fetch it, in which case you’re in an unchanged state; or the tag points at a different image ID (2468ace0), in which case the pull gets the new image content, moves the tag to the new image ID, and leaves the old container running. In this last case, docker images will show that 2468ace0 has the tag registry.example.com/image:latest and 12345678 has the tag <none>; docker ps will show that container is running against untagged image 12345678.

The images themselves (and the underlying layers) are immutable; running containers have a copy-on-write layer on top of their topmost image layer. It’s not that docker rmi waits until the last dependent container exits, docker rmi fails and refuses to delete an image that still has a running container based on it.

dvohra · May 5, 2016, 7:48pm

Tested with a different Docker image, “mysql”, but the result should be the same with any Docker image.

Run the following commands.

sudo docker pull mysql:latest

sudo docker run --name mysql -e MYSQL_ROOT_PASSWORD=‘mysql’ -d mysql

sudo docker pull mysql:latest

The output from the second docker pull is as follows:
ubuntu@ip-172-30-4-84:~$ sudo docker pull mysql:latest
latest: Pulling from library/mysql
_efd26ecc9548: Already exists _
_a3ed95caeb02: Already exists _
_af2f7dea6ac4: Already exists _
_d347a60f2547: Already exists _
_c09d9d095950: Already exists _
_b21685660552: Already exists _
_7e224052b3b1: Already exists _
_4d4d034e642a: Already exists _
_0f382c7f0090: Already exists _
_259142cd69d8: Already exists _
_3b23b8618fda: Already exists _
Digest: sha256:c5ea4e7879084e75c839f6a3939f3a89519f1e72e5eb9a34b1d02128013c36a0
Status: Image is up to date for mysql:latest
ubuntu@ip-172-30-4-84:~$

dvohra · May 5, 2016, 7:54pm

The Docker container already running is not effected.

dwake · May 5, 2016, 8:23pm

OK – thanks, everyone, for your help! This is the answer I was hoping for.