Relying on base image versions / dependency lockdown

As a methodology, I want to use specific versions of all my dependencies: Debian packages, npm packages, or even Docker images.

My build server pulls images on a nightly basis from Docker Hub and creates an installation ISO. I need a way to enable that if I reference a specific Docker Hub image, it will always be the same image.

Let’s look at the Logstash Dockerfile base image:
FROM java:8-jre
It depends on Java 8, but not on a specific minor version.
In case that a new Java minor version introduces a breaking change, I want to rely on an image which has a fixed base and cannot change. Meaning, if I pull logstash:1.5.1 every night, it will always be the same and not change its JRE version.

I can take the Logstash Dockerfile, replicate it, and create my own image, basing on a specific base image such as java:8u66-jre.

However, is there any other solution I can use so that I will always be able to pull the exact same image?


Anyone? This is quite important for me. (bumping thread.)

this is really important for us also. A change to the rmq docker image just brought down our prod server. If we could lock it down, without having to fork the Dockerfile it would be great.