How to handle security updates within Docker containers?

Solution 1:

A Docker image bundles the application and the "platform"; that's correct. But usually the image is composed of a base image and the actual application.

So the canonical way to handle security updates is to update the base image, then rebuild your application image.

Solution 2:

The containers are supposed to be lightweight and interchangeable. If your container has a security problem, you rebuild a version of the container that's patched and deploy the new container. (Many containers use a standard base image that uses standard package management tools like apt-get to install their dependencies; rebuilding will pull the updates from the repositories.)

While you could patch inside containers, that's not going to scale well.
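Solutions 1 and 2 describe the same procedure: refresh the base image, rebuild the application image on top of it, deploy the new image, retire the old containers. Below is an added example of that procedure as a POSIX shell script; it is not code from either answer. It assumes a Dockerfile in the working directory, a Debian/Ubuntu-style base (so `apt-get` is the package manager), and a local `docker` CLI. The `--pull` and `--no-cache` build flags and the `docker image inspect --format` template are standard Docker CLI; the image name `registry.example/app` and the date-based tag are placeholders. Nothing that talks to Docker runs unless `REBUILD=1` is set, so the helper functions can be exercised on their own.

```shell
#!/bin/sh
# Added example: the rebuild-to-patch workflow from Solutions 1 and 2 as a
# script. Not from the original answers. Assumes a Dockerfile in the current
# directory, a Debian/Ubuntu-style base image, and a local docker CLI.

# Print the image referenced by each FROM line in a Dockerfile, in order.
# Handles "FROM [--platform=...] image[:tag][@sha256:...] [AS stage]".
from_images() {
    awk 'toupper($1) == "FROM" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++   # skip --platform=... style flags
            if (i <= NF) print $i
         }' "${1:-Dockerfile}"
}

# "pinned" when every FROM references an immutable @sha256 digest (or scratch),
# "mutable" when any of them is a bare tag that a registry can silently move,
# "no-from" when the file has no FROM line at all.
pin_status() {
    from_images "${1:-Dockerfile}" | awk '
        $0 == "scratch"       { next }
        /@sha256:[0-9a-f]+$/  { next }
        { mutable = 1 }
        END { if (NR == 0) print "no-from"; else print (mutable ? "mutable" : "pinned") }'
}

# Emit a Dockerfile that applies distro security updates in its own layer.
# The base tag here is deliberately unpinned for brevity; in production,
# replace it with an @sha256 digest and bump that digest on purpose when
# you rebuild, so a base-image change is a reviewed diff, not a surprise.
write_dockerfile() {
    cat <<'EOF'
FROM debian:bookworm-slim
# Upgrade every installed package against today's index, then drop the
# index so it is not baked into the image. One RUN so the layer is atomic.
RUN apt-get update \
 && apt-get -y --no-install-recommends upgrade \
 && rm -rf /var/lib/apt/lists/*
COPY app /app
ENTRYPOINT ["/app/server"]
EOF
}

# Digest of a base image as last pulled, read from docker's own metadata
# (RepoDigests is populated for pulled images, not for purely local builds).
base_digest() {
    docker image inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Rebuild with a fresh pull of the base and no layer cache, so the
# apt-get upgrade layer actually re-runs instead of being replayed from cache.
rebuild() {
    image=$1
    tag=${2:-$(date +%Y%m%d)}
    docker build --pull --no-cache -t "$image:$tag" .
    docker tag "$image:$tag" "$image:latest"
}

# Manual entry point; nothing below runs unless REBUILD=1 is set:
#   REBUILD=1 sh rebuild.sh registry.example/app
if [ "${REBUILD:-0}" = 1 ]; then
    echo "base images: $(from_images | tr '\n' ' ')[$(pin_status)]"
    rebuild "${1:?image name required}"
    base=$(from_images | tail -n 1)
    echo "rebuilt $1 on top of $(base_digest "$base")"
    # Deploy the new tag and replace the running containers; do not patch
    # them in place, or the next restart silently reverts the fix.
fi
```

The `pin_status` check is the part worth wiring into CI: an image built `FROM debian:bookworm-slim` picks up whatever that tag points to on the day of the build, which is convenient for pulling in updates but means two builds of the same commit can differ; pinning by digest and bumping the digest deliberately gives you both reproducibility and an explicit record of when the base was refreshed.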


Solution 3:

This is handled automatically in SUSE Enterprise Linux using zypper-docker(1)

SUSE/zypper-docker

Docker Quick Start
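As an added example of the zypper-docker approach from Solution 3 (not code from the answer or from the zypper-docker project): the tool reads an existing SUSE-based image, applies patches from the SUSE repositories, and commits the result as a new image; the source image and any running containers are left untouched, so you still redeploy. The `patch-check`, `list-patches`, `patch` and `ps` subcommands are used as documented in the zypper-docker README as I recall it; the exit codes of `patch-check` are assumed to follow `zypper(8)` (0 nothing to do, 100 patches available, 101 security patches available). Image references such as `registry.example/app:1.0` are placeholders, and nothing that invokes zypper-docker runs unless `PATCH=1` is set. Check `zypper-docker --help` on your system before relying on the exact flags and codes.

```shell
#!/bin/sh
# Added example, not from the answer above: patching a SUSE Linux Enterprise
# based image with zypper-docker. The tool writes a NEW image; it does not
# modify running containers, which must be replaced afterwards.
#
# Assumptions: subcommands patch-check, list-patches, patch and ps exist as in
# the zypper-docker README; patch-check exit codes follow zypper(8):
# 0 = nothing to do, 100 = patches available, 101 = security patches available.

# Map a patch-check exit status to a word the workflow can branch on.
classify_patch_check() {
    case "$1" in
        0)   echo up-to-date ;;
        100) echo patches-available ;;
        101) echo security-patches-available ;;
        *)   echo error ;;
    esac
}

# Name for the patched image, derived from the source reference so lineage
# stays visible. Stamp defaults to today's date (second argument for testing).
#   app:1.0                    -> app:1.0-patched-<stamp>
#   registry:5000/app          -> registry:5000/app:latest-patched-<stamp>
#   registry/app@sha256:<dig>  -> registry/app:patched-<stamp>
patched_name() {
    src=$1
    stamp=${2:-$(date +%Y%m%d)}
    case "$src" in
        *@sha256:*) echo "${src%@*}:patched-$stamp"; return ;;
    esac
    last=${src##*/}             # last path component carries the tag, if any
    case "$last" in
        *:*) echo "$src-patched-$stamp" ;;
        *)   echo "$src:latest-patched-$stamp" ;;
    esac
}

# Check for pending patches, show them, apply them into a new image, and
# point at the containers that now need replacing. Returns nonzero only on
# a real failure of patch-check, never merely because patches were pending.
patch_image() {
    src=$1
    dst=$(patched_name "$src")
    status=0
    zypper-docker patch-check "$src" || status=$?    # 100/101 are informational
    case "$(classify_patch_check "$status")" in
        up-to-date)
            echo "$src: no pending patches"
            ;;
        *-available)
            zypper-docker list-patches "$src"          # what is about to be applied
            zypper-docker patch "$src" "$dst"          # commits a new image; src untouched
            echo "patched image: $dst"
            # Running containers still use the old image. zypper-docker ps lists
            # containers based on images it has since patched; redeploy those
            # from $dst rather than patching inside them.
            zypper-docker ps
            ;;
        *)
            echo "patch-check on $src failed (exit $status)" >&2
            return 1
            ;;
    esac
}

# Manual entry point; not run unless PATCH=1 is set:
#   PATCH=1 sh patch.sh registry.example/app:1.0
if [ "${PATCH:-0}" = 1 ]; then
    patch_image "${1:?image reference required}"
fi
```

The `|| status=$?` idiom matters under `set -e`: a status of 100 or 101 from `patch-check` is the normal "work to do" signal, not an error, and a script that aborts on it never reaches the `patch` step.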