Tomcat Patching in Docker

Hi,
Can anyone suggest the optimal way to perform Tomcat patching in Docker?

Probably take a Tomcat Docker image as the base for a new Dockerfile, apply patches, and create a new image.

Pretty much the same way as it is done without containers, just with the difference that the actions need to be scripted in RUN statements in the Dockerfile and a new image must be built.

Unless, of course, the image you use already gets patched; then remove the old container and create a new container using the repo:tag of the patched image.
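
The rebuild-and-replace flow described in the replies above, sketched as an added example that is not part of the original thread. The base tag `tomcat:10.1`, the repository `example/tomcat-patched`, the container name `tomcat-app`, port 8080, and an apt-based (Debian/Ubuntu) base image are all assumptions.

```shell
#!/bin/sh
# Added example: image names, tags, container name and port are assumptions.
BASE_IMAGE="${BASE_IMAGE:-tomcat:10.1}"                   # assumed base image tag
PATCHED_IMAGE="${PATCHED_IMAGE:-example/tomcat-patched}"  # hypothetical repo
CONTAINER="${CONTAINER:-tomcat-app}"                      # hypothetical container
TAG="${TAG:-$(date +%Y%m%d)}"   # dated tag keeps each patched build distinct

# Emit the Dockerfile: base image plus patch steps scripted as RUN statements.
write_dockerfile() {
  cat <<EOF
FROM $BASE_IMAGE
# OS-level patches; assumes a Debian/Ubuntu-based image with apt-get.
RUN apt-get update \\
 && apt-get -y upgrade \\
 && rm -rf /var/lib/apt/lists/*
EOF
}

# --pull fetches the newest published base layers for the tag;
# --no-cache stops the upgrade step being served from an old build cache.
build_image() {
  ctx=$(mktemp -d) || return 1
  write_dockerfile > "$ctx/Dockerfile"
  docker build --pull --no-cache -t "$PATCHED_IMAGE:$TAG" "$ctx"
  rc=$?
  rm -rf "$ctx"
  return $rc
}

# Containers are not patched in place: remove the old one, start a new one
# from the patched repo:tag.
replace_container() {
  docker rm -f "$CONTAINER" 2>/dev/null || true
  docker run -d --name "$CONTAINER" -p 8080:8080 "$PATCHED_IMAGE:$TAG"
}

# Touch Docker only when asked, e.g.: sh patch-tomcat.sh apply
if [ "${1:-}" = "apply" ]; then
  build_image && replace_container
fi
```

If the upstream image is already patched, `build_image` can be skipped: pull the new tag and call `replace_container` with `PATCHED_IMAGE` and `TAG` pointing at it.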