Prevent tags from being overwrittenEstimated reading time: 2 minutes
This topic applies to Docker Enterprise.
The Docker Enterprise platform business, including products, customers, and employees, has been acquired by Mirantis, inc., effective 13-November-2019. For more information on the acquisition and how it may affect you and your business, refer to the Docker Enterprise Customer FAQ.
By default, users with read and write access to a repository can push the same tag
multiple times to that repository. For example, when user A pushes an image to
library/wordpress:latest, there is no preventing user B
from pushing an image with the same name but a completely different functionality. This can make it difficult to trace the image back to the build that generated
To prevent tags from being overwritten, you can configure a repository to be immutable. Once configured, DTR will not allow anyone else to push another image tag with the same name.
Make tags immutable
You can enable tag immutability on a repository when you create it, or at any time after.
If you’re not already logged in, navigate to
https://<dtr-url>and log in with your UCP credentials. To make tags immutable on a new repository, do the following:
Follow the steps in Create a repository.
Click Show advanced settings, and turn on Immutability. Note that tag limits are enabled when immutability is enabled for a repository.
Select Repositories on the left navigation pane, and then click on the name of the repository that you want to view. Note that you will have to click on the repository name following the
/after the specific namespace for your repository.
Select the Settings tab, and turn on Immutability.
From now on, you will get an error message when trying to push a tag that already exists:
docker push dtr-example.com/library/wordpress:latest unknown: tag=latest cannot be overwritten because dtr-example.com/library/wordpress is an immutable repository