Avoid using out-of-date operating system images in Docker by always using docker build --pull

I wrote down a note on my task list on the current project, "Investigate whether docker build always gets the latest version of the base image". The answer is that it does not, by default: if the tag named in the FROM line is already present in the local image cache, docker build uses that cached copy, however old it is. Always use the --pull option, which makes the build attempt to pull a newer version of every base image before building.

Whenever you ship software, security updates need to be applied to all of its components, including the operating system it runs on. When security fixes are released, the maintainers of the Docker base images publish new images under the same tag; you then rebuild your image on top of the new base, test your software, and deploy it. You should be doing this regularly, and a rebuild that silently reuses a stale cached base image defeats the whole purpose of rebuilding.

There is a discussion here https://github.com/moby/moby/issues/4238 about the introduction of the --pull option (which is now implemented and works well). People are not enthusiastic about it. The objections boil down to:

  1. People reckon there's no need for a --pull option, because you can just pull the base image yourself before the build:

    docker pull $(awk '/^FROM[ \t\r\n\v\f]/ { print /:/ ? $2 : $2":latest" }' Dockerfile)

     That one-liner is fragile: a registry address with a port (localhost:5000/base) contains a colon without being tagged, and in a multi-stage build a FROM that refers to an earlier stage is not something you can pull at all.

  2. People say there should be a --pull option. I agree, but why make it an option? Why not make it the default?

  3. People consider that --pull could be tolerated "as long as it's fast". Firstly, if it's an option, you don't have to use it at all. Secondly, how is shaving half a second off a build process preferable to having a patched operating system?
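As an added example (not code from the original post or from the Docker project), here is a POSIX shell script that makes the first alternative concrete while handling the cases the one-liner misses, alongside the docker build --pull call this post recommends. The function names base_images, pull_bases and build_fresh are my own; docker pull and docker build --pull are the real CLI commands.

```sh
#!/bin/sh
# Added example, not code from the original post or from Docker itself.
# base_images: list the registry images a Dockerfile builds on, one per line,
# normalised to name:tag (or name@digest). Compared with the awk one-liner
# from the discussion it also copes with multi-stage builds, FROM --platform
# flags, registry hosts with a port, digests, "scratch" and CRLF line endings.
# Limitation: a FROM that uses an ARG (FROM ${BASE}) is printed unexpanded.
base_images() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF Dockerfiles
        tolower($1) == "from" {
            i = 2
            while (i <= NF && $i ~ /^--/) i++    # skip "--platform=..." etc.
            img = $i
            # Remember "FROM x AS alias" so a later "FROM alias" is recognised
            # as a build stage, not a registry image.
            for (j = i + 1; j < NF; j++)
                if (tolower($j) == "as") stages[$(j + 1)] = 1
            if (img == "scratch" || img in stages) next
            # A tag or digest is present only if the last path component
            # contains ":" or "@"; "localhost:5000/base" has neither there.
            n = split(img, parts, "/")
            if (parts[n] ~ /[:@]/) print img; else print img ":latest"
        }' "$1"
}

# The manual alternative discussed in the issue: refresh each base image,
# then build. Equivalent in effect to "docker build --pull".
# Usage: pull_bases path/to/Dockerfile && docker build -f path/to/Dockerfile .
pull_bases() {
    base_images "$1" | while IFS= read -r img; do
        docker pull "$img" || return 1
    done
}

# The recommendation of this post: let docker refresh the base images itself.
# Usage: build_fresh path/to/Dockerfile myapp:1.2.3
build_fresh() {
    docker build --pull -t "$2" -f "$1" "$(dirname "$1")"
}
```

pull_bases only helps if the build that follows it runs from the freshly pulled cache; build_fresh needs no separate step because --pull performs the check as part of the build, which is the whole argument of this post.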

It baffles me that the --pull option is not the default. Not using --pull amounts to saying: the version I want to test and deploy shall be based on whichever version of the base image happened to be current when it was first pulled onto this computer. Why would you ever want that?

That's just "insecure by default".

This article is © Adrian Smith.
It was originally published on 6 Sep 2017
More on: FAIL | Operations & Servers | Security