Manage applicationsEstimated reading time: 2 minutes
With the introduction of the experimental
app plugin to the Docker CLI, DTR has been enhanced to include application management. In DTR 2.7, you can push an app to your DTR repository and have an application be clearly distinguished from individual and multi-architecture container images, as well as plugins. When you push an application to DTR, you see two image tags:
|Image||Tag||Type||Under the hood|
||Container image represented by OS and architecture (e.g.
||Uses Docker Engine. The Docker daemon is responsible for building and pushing the image.|
|Application with bundled components||
||Application||Uses the app client to build and push the image.
Notice the app-specific tags,
app-invoc, with scan results for the bundled components in the former and the invocation image in the latter. To view the scanning results for the bundled components, click “View Details” next to the
Click on the image name or digest to see the vulnerabilities for that specific image.
Parity with existing repository and image features
The following repository and image management events also apply to applications:
- DTR pushes
- Vulnerability scans
- Vulnerability overrides
- Immutable tags
- Promotion policies
- You cannot sign an application since the Notary signer cannot sign OCI (Open Container Initiative) indices.
- Scanning-based policies do not take effect until after all images bundled in the application have been scanned.
- Docker Content Trust (DCT) does not work for applications and multi-arch images, which are the same under the hood.
x509 certificate errors
fixing up "126.96.36.199/admin/lab-words:0.1.0" for push: failed to resolve "188.8.131.52/admin/lab-words:0.1.0-invoc", push the image to the registry before pushing the bundle: failed to do request: Head https://184.108.40.206/v2/admin/lab-words/manifests/0.1.0-invoc: x509: certificate signed by unknown authority
Check that your DTR has been configured with your TLS certificate’s Fully Qualified Domain Name (FQDN). See Configure DTR for more details. For
docker app testing purposes, you can pass the
--insecure-registries option for pushing an application`.
docker app push hello-world --tag 220.127.116.11/admin/lab-words:0.1.0 --insecure-registries 18.104.22.168 22.214.171.124/admin/lab-words:0.1.0-invoc Successfully pushed bundle to 126.96.36.199/admin/lab-words:0.1.0. Digest is sha256:bd1a813b6301939fa46e617f96711e0cca1e4065d2d724eb86abde6ef7b18e23.
See DTR 2.7 Release Notes - Known Issues for known issues related to applications in DTR.DTR, trusted registry, Docker apps