Docker Community Forums

Security updates in Docker AWS AMIs (Moby Linux)


(Carsten Lohmann) #1

I would like to know how to make sure the AWS EC2 instances created via the Docker cloudformation template ([1]) are regularly kept up-to-date concerning latest security updates.

Are the AMIs referenced in the cloudformation template regularly updated with security updates?

I see that currently this AMI is used for our instances: “Moby Linux aws-v17.03.0-ce-aws1 (ami-2acd1845)”. Taking a look inside reveals that it is based on Alpine Linux 3.5.0 (output of “cat /etc/alpine-release”). But there is already a 3.5.2 release (see [2]) containing some security fixes.

How about an approach to automatically apply security updates as part of the boot-up of the AMI (like it is done with the Amazon Linux AMI)?
I’ve followed the steps in [3] to apply the updates (doing “sudo apk update” and “sudo apk upgrade”), but initiating this on boot-up would mean a change to the cloudformation template, I guess.

Are there plans on future improvements in this area?

TIA

[1] https://editions-us-east-1.s3.amazonaws.com/aws/stable/Docker.tmpl
[2] https://wiki.alpinelinux.org/wiki/Alpine_Linux:Releases
[3] https://wiki.alpinelinux.org/wiki/Alpine_Linux_package_management
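The boot-time update idea above, as an added example that is not part of the thread or of the Docker template: a small POSIX sh script with the pieces a hypothetical user-data hook would need. It compares the node's Alpine release against a target, parses `apk version` output to list packages that are behind the repository, and only runs `apk update`/`apk upgrade` when apk is present and "apply" is requested. The `apk version` line shape is an assumption, the sample output is constructed, and the script is assumed to run as root.

```shell
#!/bin/sh
# Added example (not from the thread). Boot-time security-update check for an
# Alpine-based Moby node. The apk output below is constructed; the user-data
# hook this would live in is hypothetical and assumed to run as root.

# release_older_than A B: exit 0 if dotted release A is older than B
# (e.g. 3.5.0 is older than 3.5.2). Numeric, up to three components.
release_older_than() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(echo "$a" | cut -d. -f"$i"); y=$(echo "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# upgradable_packages: read `apk version` style lines on stdin and print the
# package name of every line whose installed version is behind the repo.
# Assumed line shape: "<name>-<installed-version> < <available-version>".
upgradable_packages() {
    awk '$2 == "<" { pkg=$1; sub(/-[0-9][^-]*-r[0-9]+$/, "", pkg); print pkg }'
}

# Constructed sample of `apk version` output for a node behind on two packages.
SAMPLE_APK_VERSION='Installed:                                Available:
busybox-1.25.1-r0                         = 1.25.1-r0
libressl2.4-libcrypto-2.4.4-r0            < 2.4.5-r0
musl-1.1.15-r6                            < 1.1.15-r7'

# count_upgradable: number of packages behind in the constructed sample.
count_upgradable() {
    printf '%s\n' "$SAMPLE_APK_VERSION" | upgradable_packages | wc -l | tr -d ' '
}

# apply_security_updates [check|apply]: refresh the index, list pending
# package updates, and upgrade only when "apply" is given. Exits 0 without
# touching anything on a host that has no apk, so it is safe to run anywhere.
apply_security_updates() {
    mode=${1:-check}
    if ! command -v apk >/dev/null 2>&1; then
        echo "apk not found; nothing to do" >&2
        return 0
    fi
    apk update >/dev/null || return 1
    pending=$(apk version | upgradable_packages)
    if [ -z "$pending" ]; then
        echo "no package updates pending"
        return 0
    fi
    echo "pending updates:"
    echo "$pending"
    if [ "$mode" = apply ]; then
        apk upgrade
    fi
}

# Usage: sh update-check.sh check   -> list pending updates, change nothing
#        sh update-check.sh apply   -> list, then run apk upgrade
case "${1:-}" in
    check|apply) apply_security_updates "$1" ;;
esac
```

Running it in "check" mode from a scheduled job gives a log line per node showing what is behind, which is the detection half of the problem even if you decide not to upgrade on boot. Note that a kernel package pulled in by `apk upgrade` only takes effect after a reboot, so a package-level pass does not by itself address the kernel concern raised later in the thread.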


(Michael Friis) #2

Moby is maintained and regularly updated as new versions of Docker are released. To ensure you’re on the latest version, make sure to continuously update to the latest Docker version.


(Carsten Lohmann) #3

Regarding latest docker version: We are using the above mentioned Docker cloudformation template.

What I mean is a scenario where there is a security update for some package (e.g. libressl) inside the Moby Linux AMI. Having the rollout of such an update being dependent on the Docker release cycle doesn’t look flexible enough - there may be a case where we need to apply the update as soon as the corresponding apk package is available.

Or is it that “Docker Enterprise Edition (EE) for AWS” has different security update mechanisms in that respect (also since EE gets released less frequently than CE Edge)?


(Michael Friis) #4

What I mean is a scenario where there is a security update for some package (e.g. libressl) inside the Moby Linux AMI

The Moby system image is kept very minimal for this very reason. Almost all of the complexity is in container images running on top of the Docker platform, and which can be updated out of band.

Even then, Docker for AWS can and will release package updates independent of the rest of the Docker platform if security or other critical bugs unique to Docker for AWS show up (the same goes for other Docker “packages”).

Or is it that “Docker Enterprise Edition (EE) for AWS” has different security update mechanisms in that respect (also since EE gets released less frequently than CE Edge)?

In terms of security updates, fixes are released promptly for both CE and EE for as long as a particular version is supported. EE releases are supported for longer while CE users may have to upgrade to the next major version to get an update. Details here: https://blog.docker.com/2017/03/docker-enterprise-edition/


(Davidillumio) #5

I used the CloudFormation template to deploy an AWS Docker EE Swarm. What is the process for updating the cluster nodes’ Docker Engine? Doesn’t look like apk is used to deploy/manage Docker Engine. I also registered this Swarm as a “bring your own swarm” in Docker Cloud and don’t see anything there for lifecycle management of the cluster.

This is missing from the Docker EE upgrade document:


(Emily Shepherd) #6

Kernel updates are important too. There needs to be a way to do this.

Like Meltdown? :stuck_out_tongue: Any word on an update? x