Please update base images frequently. about official-images HOT 9 CLOSED

Hi,

People who do that are doing it wrong (first off, you should always specify a tag name in your FROM directive, i.e. FROM debian:wheezy. And apt-get dist-upgrade is unnecessary, as well as bad practice -- see rule 3). Our images are updated frequently (we had heartbleed-proof images the day following the announcement of the vulnerability). If you believe an image needs to be updated but isn't, feel free to contribute to the project via pull requests.

from official-images.

The Dockerfile Reference states:

FROM

FROM <image>
Or
FROM <image>:<tag>

...

If no tag is given to the FROM instruction, latest is assumed. If the used tag does not exist, an error will be returned.

Are you saying the documentation is wrong?

Rule 3 states "Updates will be baked into the based images you don't need to apt-get upgrade your containers." That's great in theory but it's not working in practice:

$ docker run -ti debian:stable
root@9fcd5e791b4d:/# apt-get update
...
root@9fcd5e791b4d:/# apt-get upgrade  
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages will be upgraded:
  base-files dpkg
2 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

FAIL! I need to upgrade my container.

Even if I don't apt-upgrade it's impossible to install packages without apt-get update to avoid errors like this:

$ docker run -ti debian:jessie
root@c87099dd2f68:/# apt-get --assume-yes install npm
...
Err http://http.debian.net/debian/ jessie/main libssl1.0.0 amd64 1.0.1g-1                                     
  404  Not Found [IP: 108.59.10.97 80]
Err http://http.debian.net/debian/ jessie/main libgmp10 amd64 2:5.1.3+dfsg-1              
  404  Not Found [IP: 108.59.10.97 80]
Err http://http.debian.net/debian/ jessie/main libsqlite3-0 amd64 3.8.4.1-1               
  404  Not Found

Rather than asking me to submitting a pull request for you to update the base image every day, why not automate the process?

from official-images.

@NodeGuy Updating the images needlessly every single day isn't the right way to do this. If you have to update some critical package which has been included in the base image, you can apt-get update first and then reinstall that package to get the latest package.

Images are going to be updated periodically, when there's a security vulnerability and when a bug has been reported and fixed in a package.

Yes, apt-get update as the first step during build will still be required to ensure the lists of packages are up to date. This step is part of the best practices. Updating images daily isn't required.

If you don't like the fact that these images don't include the latest packages and latest package lists, you can always build your own images using mkimage-debootstrap.sh from https://raw.githubusercontent.com/dotcloud/docker/master/contrib/mkimage-debootstrap.sh

from official-images.

@unclejack OK, thanks for the explanation.

from official-images.

I do not understand how updates to base images are pulled into my system.

Take for example these images on my installation:

$ docker images
REPOSITORY           TAG                         IMAGE ID            CREATED              VIRTUAL SIZE
[…]
ubuntu               14.04                       5506de2b643b        11 weeks ago         199.3 MB
ubuntu               latest                      5506de2b643b        11 weeks ago         199.3 MB

The Ubuntu image is certainly outdated, since the official-images repository was updated "20 days ago" (according to github). Still the image on my system is far older. Why?

from official-images.

@devurandom Your local image doesn't get updated automatically - therefore, the Ubuntu image on your machine represents what was available when you last pulled it from the official repo.

If you would like to update your Ubuntu image to match what is currently in the repo, you need to run docker pull ubuntu, and then rebuild any of your images that are FROM ubuntu.

As far as the Ubuntu image in the official-images repository being outdated, we update the Ubuntu image as soon as upstream releases their core tarball. If you feel that is not frequent enough, take it up Canonical.

from official-images.

Thanks for this hint!

("outdated" was referring to the image on my system, not to the ones provided by you.)

from official-images.

docker pull -a ubuntu will pull all tags associated with ubuntu (which might be more than you currently have), or just docker pull ubuntu:tag for each version you need.

from official-images.

Oooh, good catch @yosifkit. Definitely something I should have mentioned! 👍

from official-images.