Should we install package updates for Alpine base image in Docker?

Time:09-04

I was told it's a good practice to install security updates for all packages in my base image like this:

RUN apt-get update
RUN apt-get upgrade -y

I did this for my Ubuntu-based images. But since Snyk told us we should minimize our attack surface using up to date base images containing no unnecessary tools I have switched to Alpine.

Should I still try to get the most up to date updates for installed packages? Like this:

RUN apk -U upgrade

I am asking because I have tried it and nothing was installed. I have found this explanation regarding the ncurses package. It seems like my OS version (3.14) only checks the package versions listed here.

Should I expect any newer package version to be available in the index for particular OS version 3.14? Or is it more like once published -> no changes happen?

CodePudding user response:

Should I expect any newer package version to be available in the index for particular OS version 3.14?

Yes.

apk -U upgrade will indeed update the package index and upgrade to the latest packages. The reason that nothing is installed is most probably that the base Alpine image version used is already updated with the latest packages in Dockerhub.

As an experiment, I have tried this with a very old Alpine version, 3.7. apk -U upgrade did upgrade musl and musl-utils, by bumping them one version - from 1.1.18-r3 to 1.1.18-r4:

$ sudo docker run -it alpine:3.7
Unable to find image 'alpine:3.7' locally
3.7: Pulling from library/alpine
5d20c808ce19: Pull complete 
Digest: sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10
Status: Downloaded newer image for alpine:3.7
/ # apk -U upgrade
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/2) Upgrading musl (1.1.18-r3 -> 1.1.18-r4)
(2/2) Upgrading musl-utils (1.1.18-r3 -> 1.1.18-r4)
Executing busybox-1.27.2-r11.trigger
OK: 4 MiB in 13 packages

The fact that only two packages were upgraded and by a single revision implies that the 3.7 base image is already updated with the latest packages for this distribution (besides these two). This makes sense, because when there are security fixes to packages, you'd want them to be broadcast to all affected images as fast as possible. If the fix is for a severe issue, it is likely it will be back-ported to all affected Alpine versions.

When there are security updates to packages, they are done "in place", and the old package version is replaced with the new one, so when you update the package index of your image, you'd get the new package version. The old package version is then no longer available for download.

All in all, using apk -U upgrade to keep your images up to date sounds like solid advice.
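To turn the answer's point into a repeatable check, here is an added example (not part of the original question or answer) of a small CI gate: it runs apk in simulate mode inside an image so nothing is actually installed, parses the same "(n/m) Upgrading name (old -> new)" lines the answer shows, and fails when the image is behind its branch's package index. It assumes that apk upgrade -s prints those transaction lines without applying them and that docker is available for the wrapper function; the sample outputs are constructed from the log in the answer.

```shell
#!/bin/sh
# Added example, not from the original post: gate an image on pending apk upgrades.

# Parse apk upgrade output on stdin; print one "name old->new" line per package
# that would be (or was) upgraded.  Input lines look like:
#   (1/2) Upgrading musl (1.1.18-r3 -> 1.1.18-r4)
parse_apk_upgrades() {
    sed -n 's/^([0-9]*\/[0-9]*) Upgrading \([^ ]*\) (\(.*\) -> \(.*\))$/\1 \2->\3/p'
}

# Count pending upgrades from apk output on stdin and print the number.
count_apk_upgrades() {
    parse_apk_upgrades | wc -l | tr -d ' '
}

# Refresh the index and simulate an upgrade inside IMAGE (assumes docker and
# that `apk upgrade -s` lists the transaction without applying it).
# Returns 1 when packages are pending, 2 when apk itself failed, 0 when current.
check_image_current() {
    image="$1"
    out=$(docker run --rm "$image" sh -c 'apk update -q && apk upgrade -s') || {
        echo "$image: apk simulate failed" >&2
        return 2
    }
    n=$(printf '%s\n' "$out" | count_apk_upgrades)
    if [ "$n" -gt 0 ]; then
        echo "$image: $n package(s) behind the index" >&2
        printf '%s\n' "$out" | parse_apk_upgrades >&2
        return 1
    fi
    return 0
}

# Constructed sample: the output the answer obtained from alpine:3.7.
SAMPLE_STALE_OUTPUT='fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/2) Upgrading musl (1.1.18-r3 -> 1.1.18-r4)
(2/2) Upgrading musl-utils (1.1.18-r3 -> 1.1.18-r4)
Executing busybox-1.27.2-r11.trigger
OK: 4 MiB in 13 packages'

# Constructed sample: what an already-current image prints (no Upgrading lines).
SAMPLE_CURRENT_OUTPUT='fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
OK: 6 MiB in 14 packages'

# Offline demonstration on the constructed samples; a real pipeline would call
# check_image_current "$IMAGE" and fail the job on a non-zero exit.
printf '%s\n' "$SAMPLE_STALE_OUTPUT" | parse_apk_upgrades
printf 'stale sample: %s pending\n' "$(printf '%s\n' "$SAMPLE_STALE_OUTPUT" | count_apk_upgrades)"
printf 'current sample: %s pending\n' "$(printf '%s\n' "$SAMPLE_CURRENT_OUTPUT" | count_apk_upgrades)"
```

Because security fixes are published in place on the branch index, a zero count means the image's installed packages match the latest the index offers for that Alpine release; a non-zero count is the signal to rebuild on a fresh base image (or to keep the `RUN apk -U upgrade` step in the Dockerfile so the rebuild picks the fixes up).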
