Somebody is always wrong on the Internet, and bad Docker packaging advice is quite common. But one particular piece of advice keeps coming up, and it’s dangerous enough to merit its own article.
In a whole bunch of places you will be told not to install security updates on your Docker image. This advice is given by the official Docker docs’ best practices page:
Avoid RUN apt-get upgrade and dist-upgrade, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.
You’ll see it in the hadolint Dockerfile linter (it cites the above), and you’ll even see it in the OWASP Docker cheatsheet:
Avoid the use of apt/apk upgrade
For the vast majority of people creating Dockerfiles this is absolutely awful advice. And since this bad advice is so common, let’s consider some of the justifications and why they are wrong.
from Planet Python