How to automatically update your docker containers, if base-images are updated

Backend | Unresolved | 16 | 711

别那么骄傲 2020-12-04 04:17

Say I have a trivial container based on ubuntu:latest. Now there is a security update and ubuntu:latest is updated in the docker repo.

16 answers
  •  萌比男神i
    2020-12-04 05:22

    I had the same issue and thought it could be simply solved by a cron job calling unattended-upgrade daily.

    My intention is to have this as an automatic and quick solution to ensure that the production container is secure and updated, because it can take me some time to update my images and deploy a new docker image with the latest security updates.

    It is also possible to automate the image build and deployment with Github hooks.

    I've created a basic docker image that automatically checks and installs security updates daily (can run directly by docker run itech/docker-unattended-upgrade ).

    I also came across another different approach to check if the container needs an update.

    My complete implementation:

    Dockerfile

    FROM ubuntu:14.04
    
    RUN apt-get update \
    && apt-get install -y supervisor unattended-upgrades \
    && rm -rf /var/lib/apt/lists/*
    
    # install writes the supervisor config for cron (see helper script below)
    COPY install /install
    RUN chmod 755 /install
    RUN /install
    
    # start registers the crontab entry and launches supervisord in the foreground
    COPY start /start
    RUN chmod 755 /start
    
    # run /start when the container is started with a plain `docker run`
    CMD ["/start"]
    

    Helper scripts

    install

    #!/bin/bash
    set -e
    
    # Register cron as a supervised program so it stays running in the foreground.
    # The heredoc body was lost in extraction; this minimal program entry is an
    # assumed reconstruction of what the config needs to contain.
    cat > /etc/supervisor/conf.d/cron.conf <<EOF
    [program:cron]
    command=/usr/sbin/cron -f
    autorestart=true
    EOF

    start

    #!/bin/bash
    
    set -e
    
    echo "Adding crontab for unattended-upgrade ..."
    echo "0 0 * * * root /usr/bin/unattended-upgrade" >> /etc/crontab
    
    # can also use @daily syntax or use /etc/cron.daily
    
    echo "Starting supervisord ..."
    exec /usr/bin/supervisord -n -c /etc/supervisor/supervisord.conf
    

    Edit

    I developed a small tool docker-run that runs as a docker container and can be used to update packages inside all or selected running containers; it can also be used to run any arbitrary commands.

    It can be easily tested with the following command:

    docker run --rm -v /var/run/docker.sock:/tmp/docker.sock itech/docker-run exec

    which by default will execute the date command in all running containers and display the results. If you pass update instead of exec, it will execute apt-get update followed by apt-get upgrade -y in all running containers.
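The answer above patches packages inside running containers. The question itself asks about the other half of the problem: reacting when the base image (ubuntu:latest) is republished. The script below is an added example, not code from the original post or from the itech/docker-run project. It records the content digest of the base image after each pull and rebuilds the application image only when that digest changes, so images stay reproducible instead of drifting through in-place upgrades. BASE_IMAGE, APP_IMAGE, STATE_FILE and BUILD_CONTEXT are placeholder values; the `docker image inspect` format string and `docker build --pull` flag are real Docker CLI features.

```shell
#!/bin/sh
# Added example (not from the original post or the itech/docker-run project):
# rebuild an image only when the digest of its base image has changed,
# rather than running apt-get upgrade inside the live container.
# Suitable for a daily cron job. BASE_IMAGE, APP_IMAGE, STATE_FILE and
# BUILD_CONTEXT are placeholders.
set -e

BASE_IMAGE="${BASE_IMAGE:-ubuntu:latest}"        # base image to watch
APP_IMAGE="${APP_IMAGE:-myapp:latest}"           # image built FROM it
STATE_FILE="${STATE_FILE:-/var/lib/base-digest/ubuntu.digest}"  # last-seen digest
BUILD_CONTEXT="${BUILD_CONTEXT:-.}"              # directory holding the Dockerfile

# Print the content digest (sha256:...) of a locally present image, or
# nothing if the image carries no repo digest (e.g. was never pulled).
image_digest() {
    docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null | sed 's/.*@//'
}

# Decide whether a rebuild is needed: "rebuild" when no digest has been
# recorded yet or the recorded one differs, "skip" otherwise. An empty
# current digest also yields "skip", so a failed inspect never triggers a build.
decide_action() {
    current="$1"
    state="$2"
    if [ -z "$current" ]; then
        echo "skip"
    elif [ ! -f "$state" ] || [ "$(cat "$state")" != "$current" ]; then
        echo "rebuild"
    else
        echo "skip"
    fi
}

# Pull the base image, compare digests, rebuild and record the digest on change.
# Exit status 0 = rebuilt, 1 = base image unchanged, nothing done.
check_and_rebuild() {
    docker pull "$BASE_IMAGE" >/dev/null
    digest="$(image_digest "$BASE_IMAGE")"
    action="$(decide_action "$digest" "$STATE_FILE")"
    if [ "$action" = "rebuild" ]; then
        docker build --pull -t "$APP_IMAGE" "$BUILD_CONTEXT" >/dev/null
        mkdir -p "$(dirname "$STATE_FILE")"
        printf '%s\n' "$digest" > "$STATE_FILE"
        return 0
    fi
    return 1
}

# Run only when invoked explicitly, e.g. from a crontab line such as
#   0 3 * * * root /usr/local/bin/rebuild-on-base-change.sh --run
if [ "${1:-}" = "--run" ]; then
    check_and_rebuild && echo "rebuilt $APP_IMAGE from new $BASE_IMAGE" || echo "base image unchanged"
fi
```

Pair the rebuild with whatever redeploy step you already use (a `docker-compose up -d` or a registry push that your hosts poll). Because the decision is keyed on the image digest rather than the tag, a silent re-push of ubuntu:latest is caught even though the tag name never changes.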
