Docker Images: Package Upgrades and Security Updates

My images usually run in an air-gapped environment. I really do hate that images get bloated when you do an upgrade while building the image - this is why I prefer pull & rebuild of updated image tags and a rebuild of my images. The ubuntu base image I use typically gets updated every month. Though, you can actually do upgrades and squash the image to a single layer… this kind of loses the exact history of an image.

I do not apply upgrades inside a running container, as the upgrades would be written into the copy on write container layer and would disappear once the container is recreated.