Docker Images: Package Upgrades and Security Updates

What is the best way to manage package upgrade and security updates in Docker images?

For example, to ensure that every week the Docker images in the running containers or docker-compose stack get `sudo apt update` run!!!

My images usually run in an air-gapped environment. I really do hate that images get bloated when you do an upgrade while building the image - this is why I prefer pull & rebuild of updated image tags and rebuild of my images. The Ubuntu base image I use typically gets updated every month. Though, you can actually do upgrades and squash the image to a single layer… this is kind of losing the exact history of an image.

I do not apply upgrades inside a running container, as the upgrades would be written into the copy-on-write container layer and would disappear once the container is recreated.

Thanks for your answer. I don't understand this part: "images get bloated when you do an upgrade while building the image". Is there another way for you to explain this to me?
thanks

sure :slight_smile:

Image layers are immutable. Whenever a file is created within a layer it will remain there, even if it gets deleted or overwritten in a consecutive layer. A delete is in fact only a marker to not show the file anymore. An overwrite will simply be stacked on top of the existing file; the latest overwrite is what the image will present to the container. So if you do an `apt update && apt upgrade -y`, all the updated files will be added to a new layer, while the old files from the base image still remain in the base image. Upgrading a base image without squashing will result in a generally bigger image.

Does that make sense?

1 Like
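To make the layer behaviour from the reply above concrete, here is an added example (not from the thread): a POSIX shell script that models each image layer as a directory, with an overwritten file stored twice and a delete stored as an overlay-style `.wh.<name>` whiteout marker. The file names and sizes are constructed; it compares the bytes all layers occupy with the bytes the container actually sees, which is also what a squashed single-layer image would hold.

```shell
#!/bin/sh
# Constructed simulation of how union-filesystem image layers stack (added
# example, not from the thread). Each layer is a directory; an overwrite is a
# second copy of the file in the upper layer, and a delete is a ".wh.<name>"
# whiteout marker (the overlay convention), so lower-layer bytes never go away.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Layer 0: "base image" with a library (2000 bytes) and a binary (500 bytes)
mkdir -p "$WORK/layer0/lib" "$WORK/layer0/bin"
printf '%2000s' '' > "$WORK/layer0/lib/libssl.so"
printf '%500s' '' > "$WORK/layer0/bin/tool"
# Layer 1: an "apt upgrade" that replaces libssl (2100 bytes) and removes tool
mkdir -p "$WORK/layer1/lib" "$WORK/layer1/bin"
printf '%2100s' '' > "$WORK/layer1/lib/libssl.so"
: > "$WORK/layer1/bin/.wh.tool"

# Total bytes stored on disk across the given directories (what the image costs)
stored_bytes() {
  find "$@" -type f -exec cat {} + | wc -c | tr -d ' '
}

# Resolve layers bottom-up into one merged view, the way the container sees it:
# a whiteout removes the lower file, an ordinary file replaces the lower copy.
resolve() {
  merged=$1; shift
  rm -rf "$merged"; mkdir -p "$merged"
  for layer in "$@"; do
    (cd "$layer" && find . -type f) | while IFS= read -r f; do
      dir=${f%/*}; base=${f##*/}
      case $base in
        .wh.*) rm -f "$merged/$dir/${base#.wh.}" ;;
        *) mkdir -p "$merged/$dir"; cp "$layer/$f" "$merged/$f" ;;
      esac
    done
  done
}

resolve "$WORK/merged" "$WORK/layer0" "$WORK/layer1"
# The merged view is exactly what a squashed single-layer image would store.
echo "bytes stored in layers: $(stored_bytes "$WORK/layer0" "$WORK/layer1")"  # 4600
echo "bytes the container sees: $(stored_bytes "$WORK/merged")"              # 2100
```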

Yes, it makes more sense now. I will update the decision taken. Thanks so much.