Is it a good practice to put update/upgrade statements inside the Dockerfile?

The main reason why you'll want to either use an updated base image (which has itself been built from up-to-date packages) or update it yourself (e.g., apt-get upgrade) is to get security fixes, as well as other bug fixes.

You don't say much about what software is in there, but "a lot of dependencies" probably means there will be security fixes to track.

The overall idea for using containers is that you build an up-to-date image with the software you need, test it, it then stays frozen throughout its lifetime and later gets discarded as a whole when a new version is released and a new image is deployed.

From a security perspective, this of course implies regular releases.

As for what you will get in terms of updated packages in Debian (if we assume Debian, from your use of apt-get), they have stable (i.e., unchanging) releases. I.e., they don't ship new versions of the packaged software (with rare exceptions), but backport fixes to their packaged version.
This may be helpful in your "deep freeze" effort, as the chance of changed behaviour is much lower than with new versions.


You are correct, apt-get upgrade will of course upgrade packages in the future, but what you are trying to do with the Dockerfile is to build the docker container in the correct state. After the docker image is built, it's frozen, and the apt-get upgrade won't run anymore.

If you re-build your image, well, then of course the packages are updated. Well, don't use apt-get upgrade! You only need to run apt-get update to refresh the package list.

So what you need to do is to run apt update when building, then install specific versions of each package you need:

    apt-cache madison openssl
    openssl | 1.1.0f-3+deb9u2 | http://deb.debian.org/debian stretch/main amd64 Packages
    openssl | 1.1.0f-3+deb9u2 | http://security.debian.org/debian-security stretch/updates/main amd64 Packages

So, to install openssl 1.1.0f-3+deb9u2, do apt-get install openssl=1.1.0f-3+deb9u2.

You would need to do this for each and every package that needs a specific version.

Another way could be to not run apt-get update at all, but with Debian, packages are upgraded because of security issues and then are no longer available in the regular distribution sites, so that might break your docker build in the future. Depending on the way your scripts are built and the dependencies needed it might be worth a shot. Since it doesn't cost anything to build images (more than disk space), try both!
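As an added example (not part of either answer above), a POSIX shell helper for the pinning workflow the second answer describes: it turns `apt-cache madison` output into `package=version` pins for a Dockerfile `RUN` line, and checks before a rebuild whether a pin is still served by the mirrors, which is the failure mode the last paragraph mentions. The madison sample is constructed, and the `MADISON` variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `apt-cache madison openssl libssl1.1` output (not real
# mirror data). A real run would set MADISON="$(apt-cache madison "$@")".
MADISON_SAMPLE='   openssl | 1.1.0f-3+deb9u2 | http://deb.debian.org/debian stretch/main amd64 Packages
   openssl | 1.1.0f-3+deb9u2 | http://security.debian.org/debian-security stretch/updates/main amd64 Packages
 libssl1.1 | 1.1.0f-3+deb9u2 | http://deb.debian.org/debian stretch/main amd64 Packages'

# pin_for PKG: print "PKG=VERSION" from the first madison line for PKG
# (apt lists the highest candidate first), or fail if PKG is not listed.
pin_for() {
    printf '%s\n' "${MADISON:-$MADISON_SAMPLE}" | awk -F'|' -v pkg="$1" '
        { gsub(/^ +| +$/, "", $1); gsub(/^ +| +$/, "", $2) }
        $1 == pkg && !found { print pkg "=" $2; found = 1 }
        END { exit found ? 0 : 1 }'
}

# pin_available PKG=VERSION: succeed only if some mirror still lists exactly
# that version. Run this before a rebuild: once Debian publishes a security
# update, the superseded version disappears and a pinned build breaks.
pin_available() {
    pkg=${1%%=*}; ver=${1#*=}
    printf '%s\n' "${MADISON:-$MADISON_SAMPLE}" | awk -F'|' -v pkg="$pkg" -v ver="$ver" '
        { gsub(/^ +| +$/, "", $1); gsub(/^ +| +$/, "", $2) }
        $1 == pkg && $2 == ver { found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_line PKG...: emit one Dockerfile RUN instruction with every package
# pinned, refreshing the package list first and dropping the apt cache so
# the image layer stays small. Fails if any package has no candidate.
run_line() {
    pins=""
    for p in "$@"; do
        pin=$(pin_for "$p") || return 1
        pins="$pins $pin"
    done
    printf 'RUN apt-get update && apt-get install -y --no-install-recommends%s && rm -rf /var/lib/apt/lists/*\n' "$pins"
}
```

To use it with real data, set `MADISON` from `apt-cache madison` on the target release, then paste the `run_line` output into the Dockerfile and run `pin_available` for each pin in CI before every rebuild.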