DevOpsLesson
DevOpsLesson

Free, comprehensive DevOps tutorials and learning roadmaps. Master Docker, Kubernetes, CI/CD, and more.

Stay Updated

Get notified about new tutorials and features.

Tutorials

  • What is DevOps?
  • Docker Tutorial
  • Terraform Tutorial
  • CI/CD Pipeline
  • All Tutorials

Roadmaps

  • DevOps Engineer
  • Cloud Engineer
  • SRE Path
  • All Roadmaps

Company

  • About Us
  • Blog
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 DevOpsLesson. All rights reserved.

DOCKERKUBERNETESTERRAFORMAWSCI/CDLINUXGITDEVOPS ROADMAPCLOUD ROADMAPSRE ROADMAPGIT CHEATSHEETDOCKER CHEATSHEETK8S CHEATSHEETTF CHEATSHEETLINUX CHEATSHEETDOCKERFILE LINTERYAML VALIDATORCRON PARSERREGEX TESTER

Docker Tutorial

Introduction to docker
Why Use Docker?
Docker vs Virtual Machines
Installing Docker
Key Docker Concepts
Docker Images
Docker Containers
Writing Dockerfiles
Docker Volumes

Image Naming & Tags

PreviousPrev
Next

Learn how Docker images are named, versioned, and organized using registries, repositories, and tags.

Docker Image Name

A Docker image name is basically an address. It tells Docker three things: where the image lives, what it is, and which version you want.

The full format looks like this:

registry/repository:tag
PartDescriptionDefault
registryWhere the image is storeddocker.io
repositoryThe image name (and optional namespace)-
tagVersion or variant of imagelatest

When you run docker pull nginx, Docker automatically expands it to docker.io/library/nginx:latest. The short name is just a convenient.

Here's a simple analogy: imagine ordering a book. The registry is the bookstore, the repository is the book title, and the tag is the book's edition.

Breaking Down a Real Docker Image Name

Let's look at some real examples to make this concrete:

# Just the image name - Docker fills in the rest automatically
nginx

# Same image, but with a specific version
nginx:1.25

# Lightweight version of the same image
nginx:1.25-alpine

# Full name written out completely
docker.io/library/nginx:latest

# An image published by a user or organization on Docker Hub
username/myapp:v2.0.0

# An image stored on a private company registry
myregistry.company.com/backend/api:production

# An image hosted on Google's registry
gcr.io/google-samples/hello-app:1.0

# An image on GitHub's registry, identified by a commit hash
ghcr.io/owner/repo:sha-abc1234

What Is a Docker Tag?

A tag is a label that points to a specific version of an image. The catch? Tags are mutable which means not permanent. They're more like sticky notes - someone can move them to point to a different image at any time. This is why using the latest tag in production is risky:

# Today this might download Node.js version 18
# Tomorrow it might download Node.js version 22
docker pull node:latest

# This will ALWAYS download exactly Node.js 20.11.0
docker pull node:20.11.0

Bottom line: For anything serious (production apps, CI/CD pipelines, team projects), always pin to a specific version tag. It saves you from mysterious bugs caused by unexpected version changes.


How to Tag Docker Images Like a Pro

Good tagging habits make your images easier to manage, understand, and reproduce. There are really only four questions a good tag can answer: what version is this, how big/lean is it, where does it go, and what exact code is inside it. Each strategy below answers one of those questions - once you know which question you're answering, the right tag style becomes obvious.

1. Semantic Versioning - answers "what version is this?"

Semantic versioning follows the MAJOR.MINOR.PATCH format, and it's the closest thing Docker has to a universal standard. Think of the three numbers as a report card, read left to right from "biggest change" to "smallest change":

  • MAJOR - something big changed. Old code might break if you upgrade across this number.
  • MINOR - new features were added, but nothing old was removed or broken.
  • PATCH - just bug fixes. Nothing new, nothing breaking.
myapp:1.0.0   # A specific patch release (most precise)
myapp:1.0     # Floats to the latest 1.0.x release
myapp:1       # Floats to the latest 1.x.x release

Easy way to remember it: the more numbers in the tag, the more "locked in" you are. One number is loose and will silently change under you; three numbers never move. For production, always reach for the full three-number tag - you want to know exactly what you're running, not "whatever the latest patch happens to be today."

2. Image Variant - answers "how big or lean is it?"

Many official images ship in different "flavors" of the same software, built on different base operating systems. The variant name usually shows up after a dash:

python:3.11-slim       # Smaller image, based on Debian, fewer pre-installed packages
python:3.11-alpine     # Tiniest option, based on Alpine Linux
python:3.11-bookworm   # Full Debian installation, heavy image as it has all packages installed

Easy way to remember it: picture ordering coffee. bookworm is the large cup with everything included - more room to work, more disk space used. slim is a medium cup with just the essentials trimmed out. alpine is the tiny espresso shot - fast and small, but it's brewed differently (Alpine uses musl instead of glibc), so it doesn't always taste right with every recipe. That's why Alpine images are popular for production (small, fast to pull, smaller attack surface) but are also the most likely to cause a strange compatibility bug, so always test before committing to one.

3. Tag by Environment - answers "where does this go?"

myapp:production     # For Production environment
myapp:staging-v2.1.0 # For Staging environment
myapp:dev-latest      # For Development environment

This kind of tag isn't really describing the code itself - it's a destination label, like a shipping sticker on a box. On its own it doesn't tell you what's inside, only where it's headed, which is why the best environment tags combine the destination with a real version, like staging-v2.1.0 above: now the tag answers both "where" and "what."

Easy way to remember it: if you can answer the question "where is this going?" just by reading the tag, it's an environment tag.

4. Tag with a Git Commit Hash - answers "what exact code is inside it?"

myapp:sha-a3f8c2d
myapp:v1.4.2-sha-a3f8c2d

A Git commit SHA is a unique fingerprint for one exact snapshot of your source code. Baking it into the tag means that if something breaks in production six months from now, you can read the tag straight off the running container, paste that SHA into git show, and see the exact lines of code that were live at that moment - no guessing, no "which version was this again?"

Easy way to remember it: SHA tags are your evidence trail. They don't replace a version number (you can have both, like v1.4.2-sha-a3f8c2d) - they just guarantee you can always trace a running container back to one specific commit.

Quick Reference

StrategyAnswersExampleBest for
Semantic versioning"What version is this?"myapp:1.0.0Production stability
Image variant"How big or lean is it?"python:3.11-alpineBalancing size vs. compatibility
Environment tag"Where is this going?"myapp:staging-v2.1.0Tracking deployments
Git commit hash"What exact code is inside?"myapp:sha-a3f8c2dDebugging and traceability

In practice, most real-world tags combine two or three of these in one string - myapp:staging-v2.1.0 and myapp:v1.4.2-sha-a3f8c2d are both already doing that above. Pick the question you most need answered when someone looks at the tag six months from now, and build from there.


The Most Permanent Way to Reference an Image: Digests

Every image has a unique fingerprint called a digest, a long hash that looks like this:

docker pull nginx@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a

Unlike tags (which can change), a digest never changes. It will always refer to the exact same image content, forever.

Use digests when you need 100% reproducibility. For example, in regulated industries, security-sensitive environments, or when debugging a production incident months after the fact.


Hands-On Practice: Tag an Image Yourself

The best way to understand tagging is to try it. Here's a quick exercise:

# Step 1: Download the official nginx image
docker pull nginx

# Step 2: Give it a new tag called webserver:v1.0
docker tag nginx webserver:v1.0

# Step 3: Give it another tag called webserver:stable
docker tag nginx webserver:stable

# Step 4: Confirm all three tags exist (they all point to the same image)
docker images | grep -E "nginx|webserver"

Notice that tagging doesn't create a new copy of the image - it just creates new pointers to the same data. Docker is efficient like that.


Key Takeaways

  • Docker image names follow the format registry/repository:tag. Docker uses the default values when any part is missed.
  • Tags are mutable labels, not fixed versions. The latest tag changes over time.
  • For production use, always pin to a specific version tag to avoid unexpected changes.
  • Pulling by digest (@sha256:...) gives you the strongest guarantee that you're always getting the exact same image.
  • Prefer official images as your base, over verified publisher's image and community images.
  • Follow good tagging practices which includes semantic versioning, variant labels, Git SHAs. This makes your Docker workflow more reliable and easier to debug.

Frequently Asked Questions

What happens if I don't specify a tag?

Docker automatically uses latest. This is fine for quick experiments but risky in production because latest can point to a different image version over time.

Can I create my own tags for someone else's image?

Yes! The docker tag command lets you add your own tags to any image you've pulled. The tags only exist locally on your machine unless you push them to a registry.

What's the difference between a registry and a repository?

A registry is the entire hosting platform (like Docker Hub). A repository is one specific image within that platform (like the nginx repo on Docker Hub). A registry can hold thousands of repositories.

Are Alpine images always better?

Not always. Alpine images are smaller and faster to pull, but they use a different C library (musl instead of glibc), which can cause compatibility issues with some software. Test Alpine images thoroughly before using them in production.

PreviousPrev
Next

Continue Learning

Installing Docker on Linux

Complete guide to installing Docker Engine on Linux distributions. Learn how to install Docker on Ubuntu, Debian, CentOS, and configure it properly.

25 min·Easy

Key Docker Concepts

Master essential Docker concepts including images, containers, Dockerfiles, registries, and Docker Compose. Learn how these components work together.

·

Docker Images

Master Docker images - the building blocks of containers. Learn to pull, build, manage, and optimize images for efficient containerized applications.

25 min·Easy

Explore Related Topics

Ku

Kubernetes Tutorials

Orchestrate your Docker containers at scale

CI

CI/CD Tutorials

Automate Docker builds and deployments in pipelines

Try the Tool

Dockerfile Linter

Instantly lint your Dockerfile for best-practice violations and security issues.

On This Page

Docker Image NameBreaking Down a Real Docker Image NameWhat Is a Docker Tag?How to Tag Docker Images Like a Pro1. Semantic Versioning - answers "what version is this?"2. Image Variant - answers "how big or lean is it?"3. Tag by Environment - answers "where does this go?"4. Tag with a Git Commit Hash - answers "what exact code is inside it?"Quick ReferenceUnderstanding Image SourcesThe Most Permanent Way to Reference an Image: DigestsHands-On Practice: Tag an Image YourselfKey TakeawaysFrequently Asked Questions