Docker images and security updates

Hello Docker Community,
I am pretty new to Docker, so please excuse my beginner question. I am wondering about security updates and docker images. I guess when a new parent image (e.g. Ubuntu) becomes available, I build my own image again and replace the old one. Can that process be automated so I don’t have to do it manually? Otherwise, it could become tedious for several containers.
(I guess I could also run a cron job inside the container and install any updates via apt, but those would be lost if the container were restarted.)

Bad idea. Containers should usually run only one application, not an app and a cronjob, but you could run a cronjob on the host to check the status of the images or just use something like Watchtower.

I wouldn’t let my production Docker containers update automatically unless I have a test running before the update or at least after so it can roll back. Of course it depends on your use case, so if you don’t mind if something breaks because of an automatic update and you only worry about security, then it could be fine without testing too.

Thank you @rimelek. I had a look at Watchtower and it is pretty much what I was looking for. In my case automatic updates are OK. It is unlikely that they break something and if they do, no major problem either.
What about updates to packages that are installed in a container? For example, if I use a bare Ubuntu and add an Apache server, or any other software, then it is my understanding that Watchtower notices when the parent image (Ubuntu in this case) gets updated. But what about security updates for the other programs in the container, which are not part of the parent image but were added by me? Is there also some kind of automatism, which can at least notify me when a security update for those is available?

I hope this translates to “if I create an image with Apache or any other software using an Ubuntu base image”. If this is not your current approach, I would highly suggest acquainting yourself with how to write and maintain Dockerfiles. You can scan vulnerabilities in images with tools like Snyk or trivy.
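As an added example (not code from the thread or from the trivy project), here is a small host-side gate that scans a freshly built image with trivy and fails the build when CRITICAL or HIGH findings are present, which is how the "notify me about security updates for the packages I added" question is usually answered in practice. It assumes trivy and docker are installed on the build host; the image name myorg/web:latest, the sample JSON and its CVE ids are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread: gate an image on a trivy scan.
# Assumes `trivy` is on PATH. Hypothetical image name: myorg/web:latest

# Count findings of one severity in trivy's JSON report. Done with grep so the
# script has no jq dependency; it matches both "Severity":"HIGH" and "Severity": "HIGH".
count_findings() {
  json="$1"; sev="$2"
  printf '%s\n' "$json" | grep -o "\"Severity\": *\"$sev\"" | wc -l | tr -d ' '
}

# Turn the report into a pass/block decision. Returns 0 (pass) only when there
# are no CRITICAL and no HIGH findings; prints a one-line summary either way.
scan_verdict() {
  json="$1"
  crit=$(count_findings "$json" CRITICAL)
  high=$(count_findings "$json" HIGH)
  if [ "$crit" -gt 0 ] || [ "$high" -gt 0 ]; then
    echo "BLOCK: $crit critical, $high high finding(s)"
    return 1
  fi
  echo "PASS: no critical or high findings"
  return 0
}

# Run the real scan (needs trivy on the host). --ignore-unfixed drops findings
# the distribution has not shipped a fix for yet; remove it to see them as well.
scan_image() {
  image="$1"
  json=$(trivy image --format json --ignore-unfixed "$image") || return 2
  scan_verdict "$json"
}

# Constructed sample in the shape of a trivy JSON report, reduced to the fields
# used above. The CVE ids are placeholders, not real advisories.
SAMPLE_JSON='{"Results":[{"Target":"myorg/web:latest (ubuntu)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-00001","PkgName":"libexample","Severity":"HIGH"},
 {"VulnerabilityID":"CVE-0000-00002","PkgName":"libexample","Severity":"LOW"},
 {"VulnerabilityID":"CVE-0000-00003","PkgName":"apache2","Severity":"CRITICAL"}]}]}'

# Usage: ./scan-gate.sh myorg/web:latest   (exit 1 blocks the pipeline step)
if [ -n "${1:-}" ]; then scan_image "$1"; fi
```

Run it right after `docker build` and before `docker push`, so an image with known high-severity issues in the packages you added never reaches the registry; scheduling the same script nightly against the already-pushed tag gives you the "notify me" behaviour for newly published advisories.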

Everything installed or modified in a container will be lost after Watchtower has performed an upgrade (= deleted the old container, created a new container based on the new image). Please keep in mind that containers are meant to be disposable, and all persistent state is meant to be stored outside the container in a volume.

That is exactly what I meant. :+1:

To be honest I don’t use Watchtower, so I could be wrong, but it will update the image from which you created the container. If that image is based on another image, you need to deal with that wherever you build your image.

Let’s say you build on Docker Hub. Docker Hub can notify you about a changed parent image, but as far as I know, it doesn’t work if the parent image is an official image like “nodejs” or simply “ubuntu”. I guess that would trigger too many builds during a very short time and slow down the build server. You can also run a cronjob somewhere and check if the image was updated, but then you are back to the first step. You can build your image every day scheduled at a chosen time and use your original image as cache:

docker build --cache-from

So you would not actually rebuild the image unless the base image of your custom image has changed, which invalidates the cache. At least this is what I remember I did before (apparently) I broke it when I switched from docker build to docker buildx build and removed the --cache-from parameter… So thanks for the question so I had to look at my images :slight_smile:

So the point was that even when I pushed a new image tag after the build, the digest was still the same.
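To put the two ideas from this thread together (a cronjob on the host that checks whether the parent image changed, and a scheduled `docker build --cache-from` that only does real work when the base layers moved), here is an added example script; it is not the poster's setup or anything from Docker's own tooling. It assumes docker is installed on the host, and the base image ubuntu:22.04, target image myorg/web:latest, build context /srv/web and state directory /var/lib/imgcheck are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the forum thread: a host cron job that pulls the base
# image, compares its digest with the one recorded last time and rebuilds the
# derived image only when the base changed. All names below are hypothetical.

BASE_IMAGE="${BASE_IMAGE:-ubuntu:22.04}"
TARGET_IMAGE="${TARGET_IMAGE:-myorg/web:latest}"
BUILD_CONTEXT="${BUILD_CONTEXT:-/srv/web}"
STATE_DIR="${STATE_DIR:-/var/lib/imgcheck}"

# Reduce a RepoDigests entry ("ubuntu@sha256:abc...") to the bare digest
# ("sha256:abc..."). Tags can be re-pointed; the digest is what actually tells
# you whether the content changed (the point made about the unchanged digest).
digest_part() {
  printf '%s\n' "${1#*@}"
}

# Decide whether a rebuild is due. Returns 0 when the digest changed (or no
# digest was recorded yet), 1 when unchanged, 2 when the new digest is missing.
needs_rebuild() {
  old="$1"; new="$2"
  if [ -z "$new" ]; then
    echo "error: could not determine digest of pulled image" >&2
    return 2
  fi
  if [ "$old" = "$new" ]; then
    echo "unchanged: $new"
    return 1
  fi
  echo "changed: ${old:-<none>} -> $new"
  return 0
}

# Digest of an image present in the local daemon; empty if it is not there.
local_digest() {
  digest_part "$(docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null)"
}

main() {
  mkdir -p "$STATE_DIR"
  state_file="$STATE_DIR/$(printf '%s' "$BASE_IMAGE" | tr '/:' '__').digest"
  old=$(cat "$state_file" 2>/dev/null || true)

  docker pull --quiet "$BASE_IMAGE" >/dev/null
  new=$(local_digest "$BASE_IMAGE")

  if needs_rebuild "$old" "$new"; then
    # --cache-from reuses layers of the previously pushed image, so only steps
    # after the changed base are actually executed. With BuildKit the pushed
    # image must carry inline cache metadata for that to work, hence the build-arg.
    docker build --pull \
      --build-arg BUILDKIT_INLINE_CACHE=1 \
      --cache-from "$TARGET_IMAGE" \
      -t "$TARGET_IMAGE" "$BUILD_CONTEXT"
    docker push "$TARGET_IMAGE"
    printf '%s\n' "$new" > "$state_file"
  fi
}

# Hypothetical cron entry: 0 4 * * * /usr/local/bin/rebuild-on-base-change.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

The state file holds the last digest the job acted on, so a re-pushed tag with identical content does not trigger a rebuild, while a genuinely new base (a security update in the Ubuntu image) does; the derived image then still needs the scan step from earlier in the thread before anything deploys it.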