How to keep applications in own Docker images up to date?
Let's say my own Docker image is based on the Debian image and I install Apache using RUN apt-get.
When the base image gets updated, I need to remove my container and create a new one. This can be automated, e.g. with Watchtower.
But how can I keep the application inside the container (Apache in my example) up to date? The base image does not change just because a security issue in one package that is not shipped with the base image was fixed. When I create a new container with my Dockerfile, Apache is still not updated thanks to Docker's image cache.
How can I handle application updates as easy as it would be if I would install Apache on the host using the package manager?
Solution 1:
The procedure is to:
- Build new images. For steps that change, you can pass an unused build arg as a variable that changes with each build and forces the cache to be invalidated. Or you can rebuild the entire image with the
--pull --no-cache
options which also updates the base image. - Save the images in your registry if you are running this on multiple nodes (or running it on a different machine from the build server).
- Update the running containers. With compose, you can run
docker-compose pull && docker-compose up -d
. With swarm, you can run thedocker stack deploy -c compose.yml --with-registry-auth
and it will pull the latest version from the registry as of release 17.06. If you calldocker run
by hand, then you'd need to call the appropriatedocker pull
first (to pull the image from the registry), and then delete/recreate your container.
To automate all of this, a CI-CD tool like Jenkins, GoCD, Drone.io, etc, would be used to perform all of these steps.