How to handle security updates within Docker containers?

security docker linux redhat containers

When deploying applications onto servers, there is typically a separation between what the application bundles with itself and what it expects from the platform (operating system and installed packages) to provide. One point of this is that the platform can be updated independently of the application. This is useful for example when security updates need to be applied urgently to packages provided by the platform without rebuilding the entire application.

Traditionally security updates have been applied simply by executing a package manager command to install updated versions of packages on the operating system (for example "yum update" on RHEL). But with the advent of container technology such as Docker where container images essentially bundle both the application and the platform, what is the canonical way of keeping a system with containers up to date? Both the host and containers have their own, independent, sets of packages that need updating and updating on the host will not update any packages inside the containers. With the release of RHEL 7 where Docker containers are especially featured, it would be interesting to hear what Redhat's recommended way to handle security updates of containers is.

Thoughts on a few of the options:

  • Letting the package manager update packages on the host will not update packages inside the containers.
  • Having to regenerate all container images to apply updates seems to break the separation between the application and the platform (updating the platform requires access to the application build process which generates the Docker images).
  • Running manual commands inside each of the running containers seems cumbersome and changes are at risk of being overwritten the next time containers are updated from the application release artifacts.

So none of these approaches seems satisfactory.


Solution 1:

A Docker image bundles application and "platform", that's correct. But usually the image is composed of a base image and the actual application.

So the canonical way to handle security updates is to update the base image, then rebuild your application image.

Solution 2:

The containers are supposed to be lightweight and interchangeable. If your container has a security problem, you rebuild a version of the container that's patched and deploy the new container. (many containers use a standard base image that uses standard package management tools like apt-get to install their dependencies, rebuilding will pull the updates from the repositories)

While you could patch inside containers, that's not going to scale well.

Solution 3:

This is handled automatically in SUSE Enterprise Linux using zypper-docker(1)

SUSE/zypper-docker

Docker Quick Start

Related

How do I rename a task in Task Scheduled on Windows Server 2008 R2
Meaning of directories on Unix and Unix like systems
How do I diff two text files in Windows Powershell?
How do you make it obvious you are on a production system?
How to install tzdata on a ubuntu docker image?
Running a cron job manually and immediately
What port should I open to allow remote desktop?
How to fix "W: Duplicate sources.list entry"?
How to install Eclipse?
Realtek RTL8723BE Wi-Fi incredibly weak
How to extend my root (/) partition?
bcmwl-kernel-source broken on kernel: 5.8.0-34-generic