This document describes the new rootless Docker images and provides instructions for migrating Docker images used in existing TD Workflows.

We strongly recommend migrating to the new secure, rootless Docker images because they reduce potential security risks, provide a better user experience through a new semantic versioning scheme, and provide the latest stable versions of packages.

Rootless Docker Images

The following rootless Docker images are based on the latest stable official Python Docker image, “3.9-slim-buster”, which is composed of the latest stable Debian 10 buster (LTS) and the latest stable Python version, 3.9.

  • digdag/digdag-python:3.9 (major version)
  • digdag/digdag-python:3.9.1 (minor version)

Learn more about versioning in Understanding Versioning. 

We generally recommend using the major version. Use the minor version only as a temporary workaround when you find API compatibility issues, and then start migrating. Contact Support if you need assistance with the migration process.

Migration to the Rootless Docker Image 

Minimal changes are required. Change the image version in the Treasure Workflow task to use the new rootless Docker image, as follows:

    # major version (recommended)
    py>: tasks.scipy_numpy.main
    docker:
      image: "digdag/digdag-python:3.9"

    # minor version (temporary workaround)
    py>: tasks.scipy_numpy.main
    docker:
      image: "digdag/digdag-python:3.9.1"

Existing pip install code does not require changes because pip install falls back to user space install (--user option). 

    import os
    import sys

    # falls back to --user space install
    os.system(f"{sys.executable} -m pip install asn1")

    # same as the above
    # os.system(f"{sys.executable} -m pip install --user asn1")

  • “pip install” automatically falls back to “pip install --user”, which installs libraries to user space. Unless your pip installation requires root user privileges, no changes are required. Confirm that the Python library APIs you use still behave as expected when using the new rootless Docker image.
  • “apt-get install” is prohibited in the rootless Docker image, so you cannot run os.system("apt-get install xxx") in Python.
  • Some libraries may require root privileges for pip install. This is a known limitation of the rootless Docker image, accepted because of the security risks of running as root. Contact Support with questions about this issue.
  • If you are using pre-installed Python libraries (such as scikit, numpy, or lightgbm), check that they still work. APIs may change between versions.
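
The user-space fallback described in the list above can be checked from inside a py> task before anything is installed. The following is an added example, not Treasure Data's code: the helper names (pip_argv, install_mode, current_install_mode, install) and the version pin are assumptions made for illustration. It builds the pip command as an argument list instead of a shell string, accepts only a pinned name==version requirement, and refuses to install unless the container really is rootless.

```python
import os
import re
import site
import subprocess
import sys

# Constructed version pin for illustration; pin the version you have tested.
REQUIREMENT = "asn1==2.7.0"
_PINNED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*==[A-Za-z0-9][A-Za-z0-9.!+_-]*")


def pip_argv(requirement):
    """Build the pip command as an argv list (no shell) for one pinned package."""
    if not _PINNED.fullmatch(requirement):
        raise ValueError(f"expected name==version, got {requirement!r}")
    return [sys.executable, "-m", "pip", "install", "--user", requirement]


def install_mode(euid, site_packages_writable, user_site_enabled):
    """Where a plain 'pip install' would write: 'system', 'user' or 'blocked'."""
    if euid == 0 or site_packages_writable:
        return "system"
    return "user" if user_site_enabled else "blocked"


def current_install_mode():
    """Evaluate install_mode() for the container this task is running in."""
    writable = any(os.access(p, os.W_OK) for p in site.getsitepackages())
    return install_mode(os.geteuid(), writable, bool(site.ENABLE_USER_SITE))


def install(requirement):
    """Install into user space, refusing to run if the image is not rootless."""
    mode = current_install_mode()
    if mode != "user":
        raise RuntimeError(f"expected a rootless user-space install, got {mode!r}")
    subprocess.run(pip_argv(requirement), check=True)
    # Make a newly created user site directory importable in this process.
    user_site = site.getusersitepackages()
    if user_site not in sys.path:
        site.addsitedir(user_site)


if __name__ == "__main__":
    print("install mode:", current_install_mode())
    print("command:", pip_argv(REQUIREMENT))
```

A result of "system" from current_install_mode() means the task is still running as root or with a writable system site-packages directory, which is what the old image allowed.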

Changes With the New Docker Images

Here is the list of pre-installed libraries (with version information) in the new rootless Docker image. “+” indicates libraries introduced from digdag-python:3.9.1.


All existing libraries in digdag/digdag-python:3.7 are supported in digdag/digdag-python:3.9 except TensorFlow, which does not support Python 3.9.
Contact Support to request the complete list of libraries and their dependencies. 
