Avoid using out-of-date operating system images in Docker by always using the docker build --pull
I wrote down a note on my task list on the current project: "Investigate whether docker build always gets the latest version of the base image". The answer is, it does not, by default. Always use the --pull option to get the latest version.
When installing any software, it's important to have security updates applied to all its components, including the operating system. When security fixes are released, new Docker base images are produced, and you can rebuild your software based on the new images, test your software, and deploy it. You should be doing this regularly.
There is a discussion here https://github.com/moby/moby/issues/4238 about the introduction of the --pull option (which is now implemented and works well). People are not enthusiastic about it. The reasons boil down to:

- People reckon there's no need for a --pull option, because you can just do the following instead: docker pull $(awk '/^FROM[ \t\r\n\v\f]/ { print (/:/ ? $2 : $2":latest") }' Dockerfile)
- People saying there should be a --pull option. I agree, but why make it an option, why not make it the default?
- People consider that --pull could be tolerated "as long as it's fast". I mean, firstly, if it's an option, you don't have to use it at all. Secondly, how is shaving 0.5s off a build process preferable to having a secure operating system?
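The one-line awk from the GitHub thread only looks at the first FROM line and breaks on multi-stage Dockerfiles. The script below is an added example, not code from the original post or from the Docker project: it lists every external base image a Dockerfile depends on (skipping scratch and stages that build on an earlier stage by name, and adding the :latest tag Docker assumes when none is given) and pulls each one, which is what docker build --pull does for you. The Dockerfile it runs against is constructed for the demonstration; the DOCKER variable is an assumption of this script so the pull commands can be previewed with DOCKER=echo.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the base images a
# Dockerfile depends on before building, instead of trusting the local cache.

# Constructed sample Dockerfile with a multi-stage build.
SAMPLE_DOCKERFILE='# constructed sample
FROM golang:1.21 AS builder
WORKDIR /src
COPY . .
RUN go build -o /app ./...

FROM --platform=linux/amd64 debian AS runtime
COPY --from=builder /app /usr/local/bin/app

FROM scratch
COPY --from=runtime /usr/local/bin/app /app
'

# base_images: read a Dockerfile on stdin and print, one per line, the external
# images its FROM lines reference. Tagless images get ":latest" (what Docker
# assumes) so the pull matches the build. "scratch" is Docker's reserved empty
# image and stage names refer to earlier stages, so both are skipped.
base_images() {
    awk '
        /^[Ff][Rr][Oo][Mm][ \t]/ {
            # skip the FROM keyword and any --platform=... style flags
            i = 2
            while (i <= NF && $i ~ /^--/) i++
            img = $i
            if (img == "scratch" || (img in stages)) next
            # record "AS <name>" so later "FROM <name>" lines are ignored
            for (j = i + 1; j <= NF; j++) {
                if (toupper($j) == "AS" && j < NF) stages[$(j + 1)] = 1
            }
            # digest-pinned (@sha256:...) or tagged images are printed as-is;
            # a trailing ":tag" is distinguished from a registry port by the
            # absence of a "/" after the colon
            if (img ~ /@/ || img ~ /:[^\/]*$/) print img
            else print img ":latest"
        }
    '
}

# refresh_base_images DOCKERFILE: pull every external base image referenced by
# DOCKERFILE. DOCKER (assumed variable) defaults to the docker binary and can be
# set to "echo" to preview the commands without pulling anything.
refresh_base_images() {
    DOCKER="${DOCKER:-docker}"
    # image references never contain whitespace, so word splitting is safe
    for image in $(base_images < "$1"); do
        "$DOCKER" pull "$image" || return 1
    done
}

# Demonstration: the images a plain "docker build" would take from the cache
# even if newer builds with security fixes have been published.
printf '%s' "$SAMPLE_DOCKERFILE" | base_images
```

Running the pulls before docker build gives the same result as docker build --pull; pinning FROM lines to a digest is the other option, but then nothing refreshes the base image until somebody edits the Dockerfile.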
It baffles me that the --pull option is not the default. Not using --pull is like saying: the version that I want to test and deploy shall be based on the version of the base image which was current at the time I started using this computer. Why would you ever want that?

That's just "insecure by default".