Handling security updates with Docker

Keeping your system updated with security patches is quite easy. Your distribution’s package manager like apt or yum will do it for you, even fully automated if you wish.

However, with technologies that give applications their own filesystem - the most popular being Docker - it’s different. Applications running in Docker containers are supposed to be more secure than normal applications, since they can be completely encapsulated from the rest of the executing system. But each image comes with software that your package manager does not know about, making updating the traditional way impossible.

Update the container

You could update the container’s packages either by issuing the command apt-get update (or something different) via docker exec or automatically when running the update command via CMD or ENTRYPOINT. But this has downsides! The container will grow in size, because Docker works with layers to store files. If you change the container, the old state will always remain available in the image itself. Another problem is that this would defeat the image’s purpose of being reproducible and thereby rob it of its main advantage. Practically this method fails when you run several containers out of one image. Updating each of these containers is a waste of time and resources.

Update the image

Usually Docker images are obtained from Docker Hub or from a private registry for your own applications if you happen to have one. I’ll focus on the first. Docker Hub can have two types of images. First, the automatic builds (called Autobuild) that must be linked with GitHub or Bitbucket. These builds will check out the project on Docker’s CI, build it there, and push the image to the registry, making the whole process visible to the user.

Another way is to push an image to the registry directly. The build process is not visible and these repositories don’t even need to be linked to a git repository. In many cases you won’t be able to rebuild the image on your own, thus you have no possibility to make any updates. These images are not trustworthy, because you don’t about the contents of the box and therefore completely depend on the repository maintainer to get the latest security patches.

Autobuild repositories are easier to use. If the maintainer is updating the images regularly, you’re fine and just have to docker pull the image in the same frequency. Don’t forget to recreate the containers afterwards. When the maintainer isn’t updating the image, then you can do it on your own. All you need to do is to obtain the Dockerfile and all linked resources, run docker build - done.

Of course this is a lot more work than just running a package manager. Keep this in mind when you decide to move an application into a container. Depending on the applications features there are different requirements for security. An application that links ports to the outside needs to be updated more often than a text editor, but in any case your images should not become too old. Always take a look on the column created in docker images.