Trusted content (original) (raw)
Docker Hub's trusted content provides a curated selection of high-quality, secure images designed to give developers confidence in the reliability and security of the resources they use. These images are stable, regularly updated, and adhere to industry best practices, making them a strong foundation for building and deploying applications. Docker Hub's trusted content includes, Docker Official Images, Verified Publisher images, and Docker-Sponsored Open Source Software images.
The Docker Official Images are a curated set of Docker repositories hosted on Docker Hub.
Docker recommends you use the Docker Official Images in your projects. These images have clear documentation, promote best practices, and are regularly updated. Docker Official Images support most common use cases, making them perfect for new Docker users. Advanced users can benefit from more specialized image variants as well as review Docker Official Images as part of yourDockerfile learning process.
Note
Use of Docker Official Images is subject toDocker's Terms of Service.
These images provide essential base repositories that serve as the starting point for the majority of users.
These include operating systems such asUbuntu andAlpine, programming language runtimes such asPython andNode, and other essential tools such asmemcached andMySQL.
The images are some of themost secure imageson Docker Hub. This is particularly important as Docker Official Images are some of the most popular on Docker Hub. Typically, Docker Official images have few or no packages containing CVEs.
The images exemplifyDockerfile best practicesand provide clear documentation to serve as a reference for other Dockerfile authors.
Images that are part of this program have a special badge on Docker Hub making it easier for you to identify projects that are part of Docker Official Images.
Supported tags and respective Dockerfile links
The repository description for each Docker Official Image contains aSupported tags and respective Dockerfile links section that lists all the current tags with links to the Dockerfiles that created the image with those tags. The purpose of this section is to show what image variants are available.
Tags listed on the same line all refer to the same underlying image. Multiple tags can point to the same image. For example, in the previous screenshot taken from the ubuntu Docker Official Images repository, the tags 24.04,noble-20240225, noble, and devel all refer to the same image.
The latest tag for a Docker Official Image is often optimized for ease of use and includes a wide variety of useful software, such as developer and build tools. By tagging an image as latest, the image maintainers are essentially suggesting that image be used as the default. In other words, if you do not know what tag to use or are unfamiliar with the underlying software, you should probably start with the latest image. As your understanding of the software and image variants advances, you may find other image variants better suit your needs.
Slim images
A number of language stacks such asNode.js,Python, andRuby have slim tag variants designed to provide a lightweight, production-ready base image with fewer packages.
A typical consumption pattern for slimimages is as the base image for the final stage of amulti-staged build. For example, you build your application in the first stage of the build using the latest variant and then copy your application into the final stage based upon the slim variant. Here is an example Dockerfile.
Alpine images
Many Docker Official Images repositories also offer alpine variants. These images are built on top of theAlpine Linuxdistribution rather than Debian or Ubuntu. Alpine Linux is focused on providing a small, simple, and secure base for container images, and Docker Official Images alpine variants typically aim to install only necessary packages. As a result, Docker Official Images alpine variants are typically even smaller than slim variants.
The main caveat to note is that Alpine Linux usesmusl libcinstead ofglibc. Additionally, to minimize image size, it's uncommon for Alpine-based images to include tools such as Git or Bash by default. Depending on the depth of libc requirements or assumptions in your programs, you may find yourself running into issues due to missing libraries or tools.
When you use Alpine images as a base, consider the following options in order to make your program compatible with Alpine Linux and musl:
- Compile your program against musl libc
- Statically link glibc libraries into your program
- Avoid C dependencies altogether (for example, build Go programs without CGO)
- Add the software you need yourself in your Dockerfile.
Refer to the alpine imagedescription on Docker Hub for examples on how to install packages if you are unfamiliar.
Codenames
Tags with words that look like Toy Story characters (for example, bookworm,bullseye, and trixie) or adjectives (such as focal, jammy, andnoble), indicate the codename of the Linux distribution they use as a base image. Debian release codenames arebased on Toy Story characters, and Ubuntu's take the form of "Adjective Animal". For example, the codename for Ubuntu 24.04 is "Noble Numbat".
Linux distribution indicators are helpful because many Docker Official Images provide variants built upon multiple underlying distribution versions (for example, postgres:bookworm and postgres:bullseye).
Other tags
Docker Official Images tags may contain other hints to the purpose of their image variant in addition to those described here. Often these tag variants are explained in the Docker Official Images repository documentation. Reading through the "How to use this image" and "Image Variants" sections will help you to understand how to use these variants.
The Docker Verified Publisher program provides high-quality images from commercial publishers verified by Docker.
These images help development teams build secure software supply chains, minimizing exposure to malicious content early in the process to save time and money later.
Images that are part of this program have a special badge on Docker Hub making it easier for users to identify projects that Docker has verified as high-quality commercial publishers.
The Docker-Sponsored Open Source Software (OSS) program provides images that are published and maintained by open-source projects sponsored by Docker.
Images that are part of this program have a special badge on Docker Hub making it easier for users to identify projects that Docker has verified as trusted, secure, and active open-source projects.
