12/28/2021

Update Docker On Ubuntu

11

Oct 22, 2018 Step 3: Install Docker on Ubuntu 18.04. Step 4: Start and Automate Docker. Step 5 (Optional): Check Docker Version. Option 2: Install Docker from Official Repository. Step 1: Update Local Database. Step 2: Download Dependencies. Step 3: Add Docker’s GPG Key. Install Latest Docker and Docker-compose on Ubuntu. # Ask for the user password. # Script only works if sudo caches the password for a few minutes. # Install kernel extra's to enable docker aufs support. # sudo apt-get -y install linux-image-extra-$ (uname -r).

Somebody is always wrong on the Internet, and bad Docker packaging advice is quite common.But one particular piece of advice keeps coming up, and it’s dangerous enough to merit its own article.

In a whole bunch of places you will be told not to install security updates when building your Docker image.I’ve been submitting PRs to fix this, so it’s up in fewer places now.

But previously this advice was given by the official Docker docs’ best practices page:

Avoid RUN apt-get upgrade…, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.

To be clear: RUN commands happen during image build, not during container startup.The documentation there is saying “build your images without installing security updates”.

And you’ll see the same advice in the hadolintDockerfile linter (it cites the above).This should also be fixed soon.

Update

For the vast majority of people creating Dockerfiles this is absolutely awful advice.And since this bad advice is so common, let’s consider some of the justifications and why they are wrong.

How to update docker on ubuntu

Note: An earlier version of this post also mentioned OWASP, but I opened a PR and they have since removed the bad advice.

Bad argument #1: You can’t upgrade inside an unprivileged container

As we saw above, Docker’s own documentation until very recently suggested that you not install security updates because you “cannot upgrade inside an unprivileged container.”

In order to install security updates, you need to be running as root or some other privileged user.And it’s true, you don’t want your Docker image to run as root.

But just because you’re installing security updates doesn’t mean your image needs to run as root.Behold the not-so-secret, quite obvious solution—first you install security updates, then you switch to another user:

What if your base image already changes to a non-root user?That’s still not a problem, you can switch back and forth between different users throughout your Dockerfile.So you can switch to root, install security updates, and then switch back to the non-root user.

Update Docker-compose Ubuntu 18.04

Just to demonstrate:

If we run this:

Note: Outside the very specific topic under discussion, the Dockerfiles in this article are not examples of best practices, since the added complexity would obscure the main point of the article.

To ensure you’re following all the best practices you need to have a secure, correct, fast Dockerfiles, check out the Python on Docker Production Handbook.

Bad argument #2: The maintainers of the base image should install security updates

The Docker best practices documentation also used to say that “if a package contained in the parent image is out-of-date, contact its maintainers.”

Update Docker On Ubuntu

It would indeed be nice if base images always had security updates.But let’s see what real world base images are like.

Here’s our Docker file, using the official ubuntu image as its base image.ubuntu is currently the third-most popular image on Docker Hub, so this is not an obscure example.

I’m going to pull the latest base image, then build the image:

As you can see, three packages were installed—and at least one of them was a security update.

At the time of writing, March 23rd 2021, the ubuntu:20.04 image was last rebuilt on March 3rd.On March 8th Ubuntu put out a security update for libzstd1, which is why we had to download and install a new version.

In short, relying on the base image just isn’t good enough.And remember, this is the official Ubuntu Docker image, blessed by Docker the company, maintained by a company with plenty of resources.Who knows what some small open source project, maintained in someone’s spare time, will do.

Bad argument #3: If you install security updates you will get the latest version of packages

This argument is made in a Cloudberry Engineering blog post: “This might be a bit of a stretch but the reasoning is the following: you want to pin the version of your software dependencies, if you do apt-get upgrade you will effectively upgrade them all to the latest version.”

Docker

This is, in fact, a stretch.

It’s true, there is an implicit process suggested here, one which they don’t make explicit and therefore most people are going to miss, but a security process nonetheless:

  1. You keep a pinned list of every single system package.
  2. You keep track of all security updates for your upstream packages.
  3. Whenever a security update happens you update your pinned list manually.

If you’re doing that, great, that does actually ensure security updates.But realistically this is a lot of work, and most people are not going to do this.

Nor is it clear that manual pinning of system packages is actually useful for most people.Many users of Docker base images like python:3.9 never install any new system packages.So all they’re installing is the base system, which in a stable operating system is mostly updated for—significant bug fixes and security updates.

You know what’s a good, easy way to make sure you have both security updates and fixes for major bugs?apt-get upgrade.

And yes, you don’t want everything changing out from under you, but that’s why you’re using a stable base image that only changes every couple years, like Debian Stable or Ubuntu LTS.

Bad argument #4: Upgrades don’t work

Hadolint is a Dockerfile linter, and it complains if you apt-get upgrade (though this will get fixed soon).The relevant wiki page cites some of the arguments we’ve already seen, as well as this argument: “[updating packages] can often fail if something is trying to modify init or make device changes inside a container.”

Now in all fairness to the author of the article being quoted, that original article was written in 2014, a very different time (in fact the article link 404s, I had to use the Wayback Machine to see the original).Docker’s initial release was in 2013, so yes, at the time Linux distributions did not necessarily work out of the box with Docker.

It’s not 2014 anymore, though, and Linux distributions are very much aware that they need package upgrades to work on Docker.

Update Docker On Ubuntu

Please install security updates

To conclude, the idea you shouldn’t install security updates is based on either:

  • Obsolete problems (“upgrades don’t work”).
  • Theoretical ideal worlds we don’t live in (“the base image will install updates”).
  • Non-sequiturs (“you can’t upgrade inside an unprivileged container”).
  • Requiring a heavyweight process most people don’t need, namely pinning all system packages.You should be pinning your Python dependencies, though, since they’ll change meaningfully far more frequently than packages in a long-term-support Linux distribution.

Upgrade Docker On Ubuntu 18.04

Please, run dnf/apk/apt-get upgrade in your Dockerfile, you really do want to install security updates in your Docker image.And after that, make sure Docker caching doesn’t break your updating.

  • Most Viewed News

    • Itunes 12.5 Download Mac
    • Kies Mac Catalina
    • Fl Studio Mac Os Torrent
    • Bootcamp Windows 10 El Capitan