Somebody is always wrong on the Internet, and bad Docker packaging advice is quite common. But one particular piece of advice keeps coming up, and it’s dangerous enough to merit its own article.
In a whole bunch of places you will be told not to install security updates when building your Docker image.
This advice is given by the official Docker docs’ best practices page (but they’ve merged a PR fixing it, so hopefully that should change soon):
Avoid RUN apt-get upgrade and dist-upgrade, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.
To be clear: RUN commands happen during image build, not during container startup.
The documentation there is saying “build your images without installing security updates”.
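To make the build-time point concrete, here is an added example (not code from the original post, the Docker docs, or hadolint) contrasting the two patterns in one Dockerfile. It assumes a Debian-based parent image; python:3.12-slim and the curl package are stand-ins.

```dockerfile
# Added example; not code from the original post or from the Docker docs.
# Assumes a Debian-based parent image (python:3.12-slim is a stand-in).
FROM python:3.12-slim

# What the quoted advice produces: only new packages are installed, so every
# library already in the parent image stays at whatever version it shipped
# with, security fixes included. Because RUN executes at build time, nothing
# closes that gap later unless the image itself is rebuilt.
#
#   RUN apt-get update && apt-get install -y --no-install-recommends curl \
#       && rm -rf /var/lib/apt/lists/*

# Installing security updates during the build: "apt-get upgrade" pulls in
# the fixed versions of packages the parent image already contains. Keeping
# "update" in the same RUN as "upgrade" means the package index is refreshed
# in that layer rather than reused from an older cached one; removing the apt
# lists afterwards keeps the layer small.
RUN apt-get update && \
    apt-get -y upgrade && \
    apt-get install -y --no-install-recommends curl && \
    rm -rf /var/lib/apt/lists/*
```

Two practical notes. The build cache will reuse that RUN layer for as long as the line is unchanged, so new updates published after the first build are only picked up by rebuilding with `docker build --no-cache` (or by rebuilding on a schedule). And to see what a given parent image is actually missing, start a container from it and run `apt-get update && apt list --upgradable`; the list is what the image ships with, not what it is supposed to have.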
And you’ll see the same advice in the hadolint Dockerfile linter (it cites the above).
Again, I hope to have this fixed soon.
For the vast majority of people creating Dockerfiles this is absolutely awful advice.
And since this bad advice is so common, let’s consider some of the justifications and why they are wrong.
Note: An earlier version of this post also mentioned OWASP, but I opened a PR and they have since removed the bad advice.