Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise Server Documentation / Container Guide / Obtaining containers
Applies to SUSE Linux Enterprise Server 15 SP4

7 Obtaining containers

This chapter provides information on obtaining container images.

7.1 SUSE Linux Enterprise base images

SUSE offers several official base container images that can be used as a starting point for building custom containers. Each SLE base image provides a minimal environment with a shell and package management.

Base images are available from https://registry.suse.com. For information about the SUSE Registry, see Section 7.3, “SUSE Registry”. The base images in the SUSE Registry all have the status General Availability (that is, they are suitable for production use) and LTSS releases of SLES 12 and SLES 15. SUSE Linux Enterprise base images in the SUSE Registry receive security updates and are covered by the SUSE support plans. For more information about these support plans, see Chapter 15, Compatibility and support conditions.

7.2 SUSE container properties

SUSE container images have identifiers that provide information about their version, origin, and creation time. The individual identifiers listed below can be accessed after you pull a container image from the repository and run podman inspect on it.

7.2.1 Repository names

Repository names start with the name of the product, for example: suse/sle... and opensuse/tumbleweed. The SLE 15 containers for all service packs reside in the repository suse/sle15. However, for SLE 12, there is a separate repository name for each service pack, for example, suse/sles12sp3, suse/sles12sp4, and suse/sles12sp5.

7.2.2 Labels

Labels help to identify images. All SLE container image labels begin with com.suse.PRODUCTCONTAINER_NAME followed by a further specification. Container images also contain org.opencontainers.image labels.

Below is a list of all currently defined labels.

org.opencontainers.image.title, com.suse.sle.base.title
  • Must be provided by derived images: Yes

  • OCI notation: org.opencontainers.image.title

  • Description: Title of the image

  • Example: SUSE Linux Enterprise 15 Base Container

org.opencontainers.image.description, com.suse.sle.base.description
  • Must be provided by derived images: Yes

  • OCI notation: org.opencontainers.image.description

  • Description: Short description of the image

  • Example: Image containing a minimal environment for containers based on SUSE Linux Enterprise 15

org.opencontainers.image.version, com.suse.sle.base.version
  • Must be provided by derived images: Yes

  • OCI notation: org.opencontainers.image.version

  • Description: Image version (MAJOR.SP.CICOUNT.BUILDCOUNT)

  • Example:

org.opencontainers.image.created, com.suse.sle.base.created
  • Must be provided by derived images: Yes

  • OCI notation: org.opencontainers.image.created

  • Description: Timestamp of image build

  • Example: 2018-07-27T14:12:30Z

org.opencontainers.image.vendor, com.suse.sle.base.vendor
  • Must be provided by derived images: No

  • OCI notation: org.opencontainers.image.vendor

  • Description: Image vendor

  • Example: SUSE LLC

org.opencontainers.image.url, com.suse.sle.base.url
  • Must be provided by derived images: No

  • OCI notation: org.opencontainers.image.url

  • Description: Additional information

  • Example: https://www.suse.com/products/server/

org.openbuildservice.disturl, com.suse.sle.base.disturl
  • Must be provided by derived images: Yes

  • OCI notation: org.openbuildservice.disturl

  • Description: Image OBS URL

  • Example: obs://build.suse.de/SUSE:SLE-15:Update:CR/images/2951b67133dd6384cacb28203174e030-sles15-image

org.opensuse.reference, com.suse.sle.base.reference
  • Must be provided by derived images: Yes

  • OCI notation: org.opensuse.reference

  • Description: Reference pointing to the image. The image you get with docker pull REF_NAME must not change.

  • Example: registry.suse.com/suse/sle15:4.2 SLE Base Container Image labels

SLE Base Container Images feature the following labels.


Shows whether this is a pure SLE Base Container Image or an application container based on another SLE Base Container Image.


Marks which section of the SUSE EULA applies to the container image.


Indicates the current release stage of the image.


Shows the support level for the container.

  • l2 Problem isolation, which means technical support designed to analyze data, reproduce customer problems, isolate problem areas, and provide a resolution for problems not resolved by Level 1, or prepare for Level 3.

  • l3 Problem resolution, which means technical support designed to resolve problems by engaging engineering to resolve product defects which have been identified by Level 2 Support.

  • techpreview The image is unsupported and intended for use in proof-of-concept scenarios.

    unsupported No support is provided for the image.


Points to the https://www.suse.com/lifecycle/ page that offers information about the lifecycle of the image. Working with SLE Base Container Image labels

Use Podman and the jq tool to retrieve labels of a local image. The following command lists all labels of the bci-base:15.4 image:

podman inspect registry.suse.com/bci/bci-base:15.4 | \
jq '.[0].Labels'

It is also possible to retrieve the value of a specific label:

podman inspect registry.suse.com/bci/bci-base:15.4 | \
jq '.[0].Labels["com.suse.sle.base.supportlevel"]'

The preceding command retrieves the value of the com.suse.sle.base.supportlevel label.

The skopeo tool makes it possible to examine labels of an image without pulling it first. For example:

skopeo inspect docker://registry.suse.com/bci/bci-base:15.4 | \
jq '.Labels'
skopeo inspect docker://registry.suse.com/bci/bci-base:15.4 | \
jq '.Labels["com.suse.sle.base.supportlevel"]'

7.2.3 Tags

Tags are used to refer to images. A tag forms a part of the image's name. Unlike labels, tags can be freely defined, and they are usually used to indicate a version number.

If a tag exists in multiple images, the newest image is used. The image maintainer decides which tags to assign to the container image.

The conventional tag format is repository name: image version specification (usually version number). For example, the tag for the latest published image of SUSE Linux Enterprise Server 15 SP2 would be suse/sle15:15.2.

7.3 SUSE Registry

The official SUSE Registry is available at https://registry.suse.com. It contains tested and updated SUSE Linux Enterprise base container images. All images in the SUSE Registry undergo a maintenance process. The images are built to contain the latest available updates and fixes. The SUSE Registry's Web user interface lists a subset of the available images.

7.4 Verifying containers

Signatures for images available through SUSE Registry are stored in the Notary. You can verify the signature of a specific image using the following command:

docker trust inspect --pretty registry.suse.com/suseIMAGE:TAG

For example, the command docker trust inspect --pretty registry.suse.com/suse/sle15:latest verifies the signature of the latest SLE15 base image.

To automatically validate an image when you pull it, set the environment DOCKER_CONTENT_TRUST to 1. For example:

env DOCKER_CONTENT_TRUST=1 docker pull registry.suse.com/suse/sle15:latest

7.5 Comparing containers

The container-diff tool can be used for analyzing and comparing container images. container-diff can examine images along several criteria, including the following:

  • Docker image history

  • Image file system

  • DEB packages

  • RPM packages

  • PyPI packages

  • NPM packages

You can inspect a single image or perform a diff operation on two images. container-diff supports Docker images located in both a local Docker daemon and a remote registry. It is also possible to use the tool with .tar, .tar.gz, and .tgz archives.

The container-diff package is part of the SUSE Linux Enterprise Server 15 SP4 Containers Module. Alternatively, it can be installed separately. For instructions on installing it, see the container-diff documentation.