Dockerfiles: Upgrade packages on BASE_IMAGE. #2126
Conversation
eiffel-fl
force-pushed
the
francis/docker-fix-cve
branch
from
dba66fa
to
caa80ca
Compare
|
It will definitely help avoid CVEs in the base image. The only tricky bit I would like to understand is how docker cache in the CI will behave. Essentially everything people experienced here: moby/moby#3313. |
This avoids releasing an image with CVE. Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
eiffel-fl
force-pushed
the
francis/docker-fix-cve
branch
from
caa80ca
to
133e25d
Compare
OK... |
Agreed. I am not sure how much time are we getting out of cache anyways. Probably not a lot! |
There was a problem hiding this comment.
I'm not sure why it's something we should take care of. Shouldn't it be done by the base image publisher?
Indeed, but they do not.
I think they only upgrade the base image when the distro is updated (e.g. passing from 12.1 to 12.2).
So, we can indeed wait for a distro update and wait again for this update to be propagated to the docker image, but that's a lot of waiting where we get a flawed image.
So, let's take the bull by the horns and handle it ourselves: on n'est jamais mieux servi que par soi-même !
Moreover, I think this whole thing is temporary as my final plan is to switch to distroless.
Nonetheless, this will not solve the waiting problem, but at least there will be less packages to care about and we would not have a package manager so need for this ¯\_(ツ)_/¯.
|
OK, I will close it as the images were updated and the flawed libraries is no more here: |
I totally agree with this, it'll avoid a lot of pain for us. |
This avoids releasing an image with CVE.