Asked Sunday, August 14, 2022

Docker images are built at some point in time and later they are fetched by the users of those images, and they create containers based on them.
Seeing how often updates show up on Linux distros (like Ubuntu), doesn't that mean the images are outdated pretty much the day after they get published to the image repository?

Let's say someone creates an image for their app:


FROM ubuntu
# "apt update" only refreshes the package index; "apt-get upgrade" is what actually
# installs the pending (security) updates into the image layer.
RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*

WORKDIR /myapp
COPY ./* ./
# and some other stuff

The app gets built one day (using the ubuntu:latest from that day), all the latest patches are applied thanks to the RUN apt update -y, and the image gets pushed to a Docker repository.
Now, what if the next day some critical update is published on Ubuntu's apt repo (like some openssl patch)? What about my app? Is it unsafe now until I manually decide to rebuild the image and push it again?
Maybe we actually shouldn't care about the image/container being outdated and only worry about the host running the containers being up to date? If so, why?


Answers

Instead of posting comments, I'll summarize my thoughts in an answer:



[are] the images (...) outdated pretty much the day after they get published to image repository



Yes, but only to the extent this is also true for any server on any operating system and platform. Arguably the window of vulnerability is on average probably shorter for containers since they upgrade their base OS layer more often than a "normal" server would, but this does not mean they should be ignored, and this is of course not always true -- it's easy to imagine that there are VMs out there that are patched more often than other containers are re-deployed.


If you install a regular Ubuntu VM and leave it for 30 days, you will most likely have un-applied security fixes. The same goes for a container that stays deployed for 30 days, which means that in both cases, you should have patching procedures in place if you do not otherwise ensure the OS level stays up to date (for example, by re-deploying the entire container/vm from a new OS image).



What about my app? Is it unsafe now until I manually decide to rebuild the image and push it again?



This depends, of course, on what the dependencies of your application are. The degree to which your application is "unsafe" relates to how critical the hypothetical security-fixed package is for your application.


If you are running a Java application that is using log4j and there's a critical vulnerability which is fixed in the Ubuntu repos, you are equally vulnerable regardless of whether you're running on a container or a VM until you update that package -- whether that is done via apt-get or by re-deploying the entire VM/container from a new OS image that includes the new package is not the important part.


The fundamental question "is my application safe or affected by vulnerabilities in outdated packages" is not really Docker- or even Ubuntu-specific; the issue is the same everywhere, except for the one case that clearly does differ between VMs and containers: all containers share a kernel with their host, so a kernel vulnerability can't be patched from within a container but depends directly on the kernel version running on the host where the container is deployed.
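The answer's point that a deployed container needs the same "are there un-applied security fixes?" check as a 30-day-old VM can be turned into a concrete gate. The following is an added example, not code from the question or the answer above: a POSIX shell script that parses the output of `apt list --upgradable` (the real Ubuntu command) and reports only packages whose pending update comes from a `-security` pocket, so a cron job or CI step can decide that a published image has drifted and must be rebuilt from a fresh base. The sample `apt list` output embedded in the script is constructed for the demo; the package names and version strings in it are illustrative, not real advisory data.

```shell
#!/bin/sh
# Added example (not from the original post): detect pending security updates
# inside an image/container and use that as a "rebuild needed" signal.

# Constructed sample, shaped like `apt list --upgradable` output on Ubuntu 22.04.
# Versions are illustrative only.
SAMPLE_APT_LIST='Listing...
openssl/jammy-security,jammy-updates 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
libssl3/jammy-security,jammy-updates 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]'

# security_updates: reads apt-list output on stdin and prints
# "package old-version -> new-version" for every package whose suite list
# contains a "-security" pocket. Non-security updates (jammy-updates only) are ignored.
security_updates() {
    awk '
        /^Listing/ { next }                        # skip the "Listing... Done" header
        {
            split($1, np, "/")                     # np[1] = package, np[2] = suite list
            nsuites = split(np[2], suites, ",")
            for (i = 1; i <= nsuites; i++) {
                if (suites[i] ~ /-security$/) {
                    old = $NF; sub(/\]$/, "", old) # "[upgradable from: X]" -> X
                    print np[1], old, "->", $2
                    break
                }
            }
        }'
}

# count_security_updates: number of pending security updates in the input on stdin.
count_security_updates() {
    security_updates | wc -l | tr -d ' '
}

# image_needs_rebuild: succeeds (exit 0) when at least one security update is pending.
# Against a real image (network required) you would feed it live output, e.g.:
#   docker run --rm IMAGE sh -c 'apt-get update -qq && apt list --upgradable 2>/dev/null' \
#       | image_needs_rebuild && echo "rebuild and redeploy"
image_needs_rebuild() {
    [ "$(count_security_updates)" -gt 0 ]
}

# Stand-alone demo over the constructed sample: lists the two openssl-related
# security updates and reports that a rebuild is needed.
printf '%s\n' "$SAMPLE_APT_LIST" | security_updates
if printf '%s\n' "$SAMPLE_APT_LIST" | image_needs_rebuild; then
    echo "security updates pending: rebuild the image from a fresh base"
else
    echo "no security updates pending"
fi
```

Running this on a schedule against each published image (rather than only at build time) is what closes the gap the answer describes: the Dockerfile's `apt-get upgrade` only covers fixes that existed on build day, while this check notices fixes published afterwards and turns them into a rebuild trigger. It does not cover the kernel, which, as the answer notes, is the host's responsibility.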


Answered by amelican, Sunday, August 14, 2022