How to handle security updates within Docker containers?
Solution 1:
A Docker image bundles application and "platform", that's correct. But usually the image is composed of a base image and the actual application.
So the canonical way to handle security updates is to update the base image, then rebuild your application image.
Solution 2:
The containers are supposed to be lightweight and interchangeable. If your container has a security problem, you rebuild a version of the container that's patched and deploy the new container. (Many containers use a standard base image that uses standard package management tools like apt-get to install their dependencies; rebuilding will pull the updates from the repositories.)
While you could patch inside containers, that's not going to scale well.
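To make the rebuild approach from Solutions 1 and 2 concrete, here is an added example (not from either answer): a constructed Dockerfile that takes distro security fixes at build time, a helper that lists which external base images a Dockerfile depends on (so you know what a new rebuild will re-pull), and the build invocation that actually refreshes them. The image names, tag `myapp:latest`, and the Dockerfile contents are assumptions for illustration.

```shell
#!/bin/sh
# Constructed example Dockerfile. Security fixes arrive via the base image and
# the distro packages, so the image is rebuilt rather than patched in place.
EXAMPLE_DOCKERFILE="$(cat <<'EOF'
FROM debian:bookworm-slim AS build
RUN apt-get update && apt-get install -y --no-install-recommends build-essential
COPY . /src
RUN make -C /src

FROM debian:bookworm-slim
# Apply distro security updates at build time; every rebuild picks up new ones.
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
COPY --from=build /src/app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
EOF
)"

# base_images: print the external images a Dockerfile pulls, one per line,
# de-duplicated. Stage aliases (FROM x AS name, later FROM name) are skipped
# because they refer to earlier build stages, not to registry images.
base_images() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" {
            i = 2
            # skip flag arguments such as --platform=linux/amd64
            while (i <= NF && substr($i, 1, 2) == "--") i++
            img = $i
            if (toupper($(NF-1)) == "AS") alias[$NF] = 1
            if (!(img in alias) && !(img in seen)) { seen[img] = 1; print img }
        }'
}

# rebuild_cmd: the rebuild that actually picks up updates. --pull refreshes the
# base image from the registry; --no-cache forces RUN steps (the apt-get
# upgrade above) to execute again instead of reusing a stale cached layer.
rebuild_cmd() {
    printf 'docker build --pull --no-cache -t %s .\n' "$1"
}

# Stand-alone usage: show what this Dockerfile depends on, then how to rebuild.
base_images "$EXAMPLE_DOCKERFILE"
rebuild_cmd myapp:latest
```

Running the printed `docker build` command after the base image publisher ships a fix is the whole update procedure; nothing is changed inside a running container.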
Solution 3:
This is handled automatically in SUSE Enterprise Linux using zypper-docker(1).
SUSE/zypper-docker
Docker Quick Start