Updating software in a container

Hi, I’m a Docker newbie and I’m wondering how to go about updating a piece of software that’s held in a container.

Basically, I have a single Ubuntu 16.04 server that’s running Docker currently, which is providing a Netboot service for a small estate of Mac computers. I’ve pulled bruienne/bsdpy to act as the BSDP server and it’s working perfectly, and was simple to set up (go Docker!)

My issue is that bsdpy contains an instance of nginx, and our vulnerability scans have identified that it’s an older version (1.9, latest version is 1.13) and I’ve been asked to patch this as soon as possible. I’m just a little confused as to how Docker would handle this.

As far as I can see, the dockerfile (see here) for bsdpy contains the below:

RUN apt-get install -y -qq nginx tftpd-hpa nfs-common inotify-tools

So I would expect that it’s pulling the latest version of nginx when the docker image gets pulled, however even if I re-run the pull command, stop the container and start it again and re-run the vulnerability scan, it’s still identifying the old version of nginx. Is this not the case?

Can someone please point me in the right direction on how I’d get this updated to the latest version?

Thanks
Gary

apt-get install package=version
Example:
$ apt-get install gparted=0.16.1-1

so I guess

apt-get update
apt-get install nginx=1.13

When you pull a docker image, docker does not run the commands in the Dockerfile at that point. The image was built at some point in the past, and pushed to the registry. The version of nginx would have been whatever was the latest in the ubuntu precise repository at that point.

Also, if you stop a container, pull a more recent version of its base image, and restart the container, the changes in the latest image will not reflect on the (already created) container. You will have to create a new container. I hope your container does not have any persistent data - it’s not supposed to.

Finally, to solve your problem: check if a later version of the bsdpy image actually has a later version of nginx. If it does, create a new container. If it doesn’t, consider creating your own image, which starts from bsdpy and adds the required version of nginx, and create your container(s) from that.
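
The checks described in the answer above, as an added example that is not part of the original posts: shell helpers that report which nginx an image really contains, detect a container still running from an older image, and build a derived image. The container name `netboot` and the tag `local/bsdpy-patched` are hypothetical.

```shell
#!/bin/sh
# Added example. Container and tag names passed in are the caller's own;
# "netboot" and "local/bsdpy-patched" in the usage lines are hypothetical.

# Image ID a container was created from. Fixed at creation time:
# stop/start never changes it, which is why a re-pull alone has no effect.
container_image_id() {
    docker inspect --format '{{.Image}}' "$1"
}

# Image ID a tag resolves to right now (moves after `docker pull` or `docker build`).
tag_image_id() {
    docker image inspect --format '{{.Id}}' "$1"
}

# Exit status 0 when the container predates the image its tag now points to.
container_is_stale() {
    [ "$(container_image_id "$1")" != "$(tag_image_id "$2")" ]
}

# nginx version baked into an image, checked without touching any running container.
# `nginx -v` writes to stderr, hence 2>&1.
image_nginx_version() {
    docker run --rm --entrypoint nginx "$1" -v 2>&1 |
        sed -n 's|^nginx version: nginx/\([0-9.]*\).*|\1|p'
}

# Build a derived image: $1 = base image, $2 = new tag.
# --no-cache forces `apt-get update` to run again instead of reusing an old layer.
# This only reaches the newest nginx in the base image's configured apt
# repositories; a newer release needs an extra package source.
build_patched_image() {
    printf 'FROM %s\nRUN apt-get update && apt-get install -y --only-upgrade nginx\n' "$1" |
        docker build --pull --no-cache -t "$2" -
}

# Usage (hypothetical names):
#   image_nginx_version bruienne/bsdpy
#   build_patched_image bruienne/bsdpy local/bsdpy-patched
#   image_nginx_version local/bsdpy-patched
#   container_is_stale netboot local/bsdpy-patched && echo "recreate netboot"
```

A stale container has to be removed and created again from the new tag with the same options it was originally started with; re-run the vulnerability scan against the new container afterwards.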

Ahh, thanks for the explanation, that makes more sense now.

I don’t believe there’s a newer version of bsdpy, so I’ll try creating my own image then.

Thanks!