Docker images deprecation policy¶
This document describes how we manage the lifecycle of container images published to our public
dockerimages Docker registry.
Our goal is to ensure that all available images are secure, actively maintained, and aligned with
our current best practices, while providing users with clear communication and sufficient time to
migrate when older images are retired.
Image lifecycle stages¶
Each image in our registry goes through the following stages:
| Stage | Description | Duration |
|---|---|---|
| Active | The image is actively maintained, receives updates, and is recommended for general use. | Ongoing |
| Deprecated | The image remains available in the registry but is no longer maintained or included in our nightly and weekly build pipelines. It does not receive routine security or dependency updates. Users are strongly encouraged to migrate to a supported version. | 3 months |
| Removed | The image is untagged and removed from the registry. | Permanent |
Deprecation triggers¶
An image may be deprecated when one or more of the following conditions are met:
- The base image or dependencies reach end-of-life.
- Known vulnerabilities cannot be patched.
- A newer major or minor version replaces it.
- The image shows low usage or is no longer relevant.
Deprecation announcement¶
When an image is marked as deprecated, we will:
- Post to the UIS DevOps General Microsoft Teams channel.
- Add the image to the
DEPRECATED_IMAGES.md
file in the
dockerimagesrepository to track its status.
Grace period¶
Deprecated images remain available in the registry for 90 days from the deprecation date, unless removal is required sooner for security or legal reasons.
During the grace period:
- No new builds or patches will be published.
- Users are encouraged to migrate to the recommended version.
- A warning may appear in logs or at container startup to notify users of deprecation.
Image removal¶
After the grace period expires:
- The deprecated image tags will be removed from the registry.
- This will cause the garbage collection process to delete the image manifests and layers in approximately 24 hours time.
- The
DEPRECATED_IMAGES.md
page in the
dockerimagesrepository will be updated to reflect the change.
Emergency removals¶
In the event of a critical security vulnerability, licensing issue, or other urgent matter, images may be removed immediately and without prior notice. Where feasible, an announcement will be published to the UIS DevOps General Microsoft Teams channel to explain the reason for removal.