Skip to main content
Version: 1.4.x

pull

A repository rule to pull image layers using Bazel's downloader.

Typical usage in WORKSPACE.bazel:

load("@rules_oci//oci:pull.bzl", "oci_pull")

# A single-arch base image
oci_pull(
    name = "distroless_java",
    digest = "sha256:161a1d97d592b3f1919801578c3a47c8e932071168a96267698f4b669c24c76d",
    image = "gcr.io/distroless/java17",
)

# A multi-arch base image
oci_pull(
    name = "distroless_static",
    digest = "sha256:c3c3d0230d487c0ad3a0d87ad03ee02ea2ff0b3dcce91ca06a1019e07de05f12",
    image = "gcr.io/distroless/static",
    platforms = [
        "linux/amd64",
        "linux/arm64",
    ],
)

Now you can refer to these as a base layer in BUILD.bazel. The target is named the same as the external repo, so you can use a short label syntax:

oci_image(
    name = "app",
    base = "@distroless_static",
    ...
)

Macros and Functions

oci_pull

Repository macro to fetch image manifest data from a remote docker registry.

To use the resulting image, you can use the @wkspc shorthand label, for example if name = "distroless_base", then you can just use base = "@distroless_base" in rules like oci_image.

This shorthand syntax is broken on the command-line prior to Bazel 6.2. See https://github.com/bazelbuild/bazel/issues/4385

Example usage (generated):

load("@rules_oci//oci:pull.bzl", "oci_pull")

oci_pull(
    # repository with this name is created
    name = "",
)

name

Required.

repository with this name is created

image

Optional. Default: None

the remote image, such as gcr.io/bazel-public/bazel. A tag can be suffixed with a colon, like debian:latest, and a digest can be suffixed with an at-sign, like debian@sha256:e822570981e13a6ef1efcf31870726fbd62e72d9abfdcf405a9d8f566e8d7028.

Exactly one of image or {registry,repository} should be set.

repository

Optional. Default: None

the image path beneath the registry, such as distroless/static. When set, registry must be set as well.

registry

Optional. Default: None

the remote registry domain, such as gcr.io or docker.io. When set, repository must be set as well.

platforms

Optional. Default: None

for multi-architecture images, a dictionary of the platforms it supports This creates a separate external repository for each platform, avoiding fetching layers.

digest

Optional. Default: None

the digest string, starting with "sha256:", "sha512:", etc. If omitted, instructions for pinning are provided.

tag

Optional. Default: None

a tag to choose an image from the registry. Exactly one of tag and digest must be set. Since tags are mutable, this is not reproducible, so a warning is printed.

reproducible

Optional. Default: True

Set to False to silence the warning about reproducibility when using tag.

is_bzlmod

Optional. Default: False

whether the oci_pull is being called from a module extension

Last updated on by Greg Magolan