Docker Community Forums

Update container image base OS without rebuilding?


Is it possible to update the base OS image layer of your container without rebuilding your container image?
i.e. if the base OS has security updates in the latest version can you download it and automatically apply that to be used by your existing container image without rebuilding?

Also, can you deploy a container image to DockerHub which has a dependency on a base OS without containing the image layer for the base OS? This would improve performance when downloading your container from DockerHub onto other servers that already have the base OS image layer downloaded.


You can use a Dockerfile ARG directive to modify the FROM line (see Understand how ARG and FROM interact in the Dockerfile documentation). One possible approach here would be to have your CI system inject the base image tag.

ARG base=latest
FROM me/base-image:${base}

This has the risk that individual developers would build test images based on an older base image; if the differences between images are just OS patches then you might consider this a small and acceptable risk, so long as only official images get pushed to production.

Beyond that, there aren’t a lot of alternatives beyond modifying the individual Dockerfiles. You could script it:

# Individually check out everything first
# (assumes the current directory is $BASE, so * expands to the checkouts)
for d in *; do
  cd "$BASE/$d"
  # Rewrite the FROM line to the new tag; the original file is kept as Dockerfile.bak
  sed -i.bak "s@FROM me/base-image.*@FROM me/base-image:$TAG@" Dockerfile
  git checkout -b "base-image-$TAG"
  git commit -am "Update Dockerfile to base-image:$TAG"
  git push
  hub pull-request --no-edit
done

There are automated dependency-update tools out there too and these may be able to manage the scripting aspects of it for you.

Hi, doesn’t that solution require the container to be rebuilt again?


It is not possible with the default tooling. Your image is based on an image, which itself consists of a set of image layers. You cannot “change the link” to a different base image.

Actually only the delta of your image layers will be pushed - but they will reference the version of the base image present on your system during build time.

I can imagine that it might be possible to apply a dirty hack:

  • export your image as tar
  • extract the tar to a folder
  • manipulate the manifest to use the new base image’s layers instead of the old ones
  • repackage the folder as tar
  • import the modified tar as image
  • push it to dockerhub

Though, even if this succeeds: it remains a dirty hack. Not recommended!
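Because an image keeps referencing the base layers that were present at build time, a practical check is to compare its layers with those of the current base image and rebuild when they no longer match. The following is an added example, not code from the thread: it reads the `RootFS.Layers` list from `docker image inspect` output, and the function names and sample digests are constructed for illustration.

```python
import json
import subprocess
import sys


def rootfs_layers(inspect_json):
    """Return the ordered layer diff IDs from `docker image inspect` JSON."""
    doc = json.loads(inspect_json)
    if not isinstance(doc, list) or len(doc) != 1:
        raise ValueError("expected inspect output for exactly one image")
    layers = doc[0].get("RootFS", {}).get("Layers")
    if not layers:
        raise ValueError("image has no RootFS.Layers")
    return layers


def built_on(app_layers, base_layers):
    """True when the app's lowest layers are exactly the base image's layers."""
    n = len(base_layers)
    return len(app_layers) >= n and app_layers[:n] == base_layers


def is_stale(app_json, current_base_json):
    """True when the app image was NOT built on the given base image."""
    return not built_on(rootfs_layers(app_json), rootfs_layers(current_base_json))


def inspect(image):
    """Run the docker CLI; the name is passed as argv, never through a shell."""
    return subprocess.run(["docker", "image", "inspect", image],
                          check=True, capture_output=True, text=True).stdout


def _sample(*ids):
    # Constructed inspect output with placeholder digests (not real images).
    layers = ["sha256:" + c * 64 for c in ids]
    return json.dumps([{"RootFS": {"Type": "layers", "Layers": layers}}])


OLD_BASE = _sample("a", "b")      # base image at build time
NEW_BASE = _sample("a", "c")      # base image after OS security updates
APP = _sample("a", "b", "d")      # app image built on OLD_BASE

if __name__ == "__main__":
    if len(sys.argv) == 3:        # usage: script.py APP_IMAGE BASE_IMAGE
        stale = is_stale(inspect(sys.argv[1]), inspect(sys.argv[2]))
    else:                         # offline demo on the constructed samples
        stale = is_stale(APP, NEW_BASE)
    print("rebuild needed" if stale else "built on current base")
```

Run in CI after pulling the latest base tag, a stale result is the signal to rebuild and push the application image.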