Docker images are built at some point in time and later they are fetched by the users of those images, and they create containers based on them.
Seeing how often updates show up on Linux distros (like Ubuntu), doesn't that mean the images are outdated pretty much the day after they get published to the image repository?
Let's say someone creates an image for their app:
FROM ubuntu
# `apt-get update` only refreshes the package index; `apt-get upgrade` is what
# actually installs the patched packages into the image layer
RUN apt-get update && apt-get upgrade -y
WORKDIR /myapp
COPY ./* ./
# and some other stuff
The app gets built one day (using the ubuntu:latest from that day), all the latest patches are applied thanks to the RUN apt update -y, and the image gets pushed to a Docker repository.
Now, what if the next day some critical update is published to Ubuntu's apt repo (like an openssl patch)? What about my app? Is it unsafe now until I manually decide to rebuild the image and push it again?
Maybe we actually shouldn't care about the image/container being outdated and should only worry about the host running the containers being up to date? If so, why?