How to automatically update your docker containers, if base-images are updated

Backend · unresolved · 16 answers · 744 views
别那么骄傲 2020-12-04 04:17

Say I have a trivial container based on ubuntu:latest. Now there is a security update and ubuntu:latest is updated in the Docker repo.

16 answers
  •  臣服心动
     2020-12-04 05:02

    Premises for my answer:

    1. Containers are run with tags.
    2. The same tag can be pointed to a different image UUID as we please / feel appropriate.
    3. Updates done to an image can be committed to a new image layer.

    Approach

    1. Build all the containers in the first place with a security-patch update script.
    2. Build an automated process for the following:
      • Run an existing image as a new container with the security patch script as the command.
      • Commit the changes to the image as either:
        • the existing tag, followed by restarting the containers one by one;
        • a new version tag: replace a few containers with the new tag, validate, then move all containers to the new tag.

    Additionally, the base image can be upgraded / the container can be rebuilt with a completely new base image at regular intervals, as the maintainer feels necessary.

    Advantages

    1. We are preserving the old version of the image while creating the new security-patched image, hence we can roll back to the previous running image if necessary.
    2. We are preserving the Docker cache, hence less network transfer (only the changed layer goes over the wire).
    3. The upgrade process can be validated in staging before moving to prod.
    4. This can be a controlled process, hence security patches can be pushed only when necessary / deemed important.
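
The run-patch-commit-retag cycle the answer above describes, as an added example script (not code from the original post or the answerer). The image name, tag scheme, Ubuntu patch command and validation command are illustrative assumptions; `DRY_RUN=1` prints the docker commands instead of executing them so the flow can be reviewed without a daemon:

```shell
#!/bin/sh
# Added example of the patch-run-commit-retag loop described in the answer.
# Not code from the original post; the image name, tag scheme, patch command
# and validation command are assumptions for illustration.
set -eu

# With DRY_RUN=1 every docker invocation is printed as "+ docker ..." instead
# of executed, so the flow can be reviewed without a Docker daemon.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

# image_id IMAGE:TAG -> the content-addressed ID the tag currently points at.
# Recorded before patching so the tag can be moved back later (premise 2: a
# tag is just a movable pointer; advantage 1: the old image stays available).
image_id() {
  run docker image inspect --format '{{.Id}}' "$1"
}

# patch_image IMAGE OLD_TAG NEW_TAG PATCH_CMD
# Runs OLD_TAG as a throwaway container with the patch script as its command,
# then commits the result as IMAGE:NEW_TAG. The commit adds one layer on top
# of the existing ones, so the already-cached base layers are reused.
patch_image() {
  local image="$1" old_tag="$2" new_tag="$3" patch_cmd="$4" cname
  cname="patch-$(printf '%s' "$image" | tr '/:' '__')-$$"
  run docker run --name "$cname" "$image:$old_tag" /bin/sh -c "$patch_cmd"
  run docker commit -m "security patch $(date -u +%F)" "$cname" "$image:$new_tag"
  run docker rm "$cname"
}

# validate_image IMAGE:TAG CHECK_CMD -> exit status of CHECK_CMD run inside the image.
validate_image() {
  run docker run --rm "$1" /bin/sh -c "$2"
}

# promote_tag IMAGE NEW_TAG TARGET_TAG: point the tag containers run from at the
# patched image (the "existing tag" option); restarting the containers one by
# one is left to whatever supervises them.
promote_tag() {
  run docker tag "$1:$2" "$1:$3"
}

# rollback_tag IMAGE TAG IMAGE_ID: point TAG back at the previously recorded ID.
rollback_tag() {
  run docker tag "$3" "$1:$2"
}

# main IMAGE OLD_TAG NEW_TAG: one full cycle for one image.
main() {
  local image="$1" old="$2" new="$3" prev_id
  prev_id="$(image_id "$image:$old")"
  # Assumed Ubuntu-style patch command; adapt for other distributions.
  patch_image "$image" "$old" "$new" \
    'apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y upgrade'
  # Assumed check: after patching, a simulated upgrade must find nothing left to do.
  if validate_image "$image:$new" "apt-get -s upgrade | grep -q '^0 upgraded'"; then
    promote_tag "$image" "$new" "$old"
    echo "promoted $image:$new -> $image:$old (previous: $prev_id kept for rollback)"
  else
    echo "validation of $image:$new failed; $image:$old still points at $prev_id" >&2
    return 1
  fi
}

# Usage:          sh patch-image.sh --apply ubuntu latest patched-20201204
# Review only:    DRY_RUN=1 sh patch-image.sh --apply ubuntu latest patched-20201204
if [ "${1:-}" = "--apply" ]; then
  shift
  main "$@"
fi
```

Two caveats worth keeping in mind with this approach: `docker commit` only stacks a layer on top of the old ones, so the files replaced by the upgrade still exist in the lower layers (the image grows, and layer-by-layer scanners may still report the old package versions), and the apt package lists fetched by `apt-get update` end up in the committed layer. That is why the periodic full rebuild from a freshly pulled base that the answer mentions is still needed; it is also the only way to pick up the upstream change to ubuntu:latest that the question asks about, since the committed image keeps the base layers it was started from.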
