What happen to a swarm if loses conectivity to the registry


Hope someone can provide me some guidance on this doubt I’m facing,

Currently we have a docker swarm that get the images from a remote registry, due to some infraestructure changes the registry server is going to be decommisioned.

My question/concern is when the registry is gone the containers will start to fail, guessing the docker swarm is checking on the registry or it will fail when a docker service update is being triggered. Or swarm only checks the registry when a new image is requested?

Hope this make sense and someone can provide me some guidance.


Swarm will always try to pull the current image for a tag from the remote registry when the scheduler schedules a task that creates the container. Swarm looks up the current sha256 digest for a tag and pulls the image by digest (instead of “by tag” like docker-compose does). Even though an image with the correct image id might exist on a node, it will not be recognized as beeing tagged and therefor not used when deployed via repo:tag. It should work if the images are deployed via repo@sha256:{exact digest} instead.

It is possible to operate a swarm cluster in an air gapped environment, where images are imported to the local image cache using docker load. In this scenario the image from the image cache would be used, as the tag actualy exist and the image can be detected by the tag. Though, working without a registry will slow down deployments a lot.

Thus said: if you tag an existing image pulled from a remote registry by digest, you should see the same behavior like I described for air gapped anvironments.