
Should we install package updates for Alpine base image in Docker?

I was told it's a good practice to install security updates for all packages in my base image like this:

RUN apt-get update
RUN apt-get upgrade -y

I did this for my Ubuntu-based images. But since Snyk told us we should minimize our attack surface using up-to-date base images containing no unnecessary tools, I have switched to Alpine.

Should I still try to get the most up-to-date updates for installed packages? Like this:

RUN apk -U upgrade

I am asking because I have tried and nothing was installed. I have found this explanation regarding the ncurses package. It seems like my version of the OS (3.14) only checks the package versions listed here.

Should I expect any newer package version to be available in the index for the particular OS version 3.14? Or is it more like once published -> no changes happen?

Should I expect any newer package version to be available in the index for the particular OS version 3.14?

Yes.是的。

apk -U upgrade will indeed update the package index and upgrade to the latest packages. The reason that nothing is installed is most probably that the base Alpine image version used is already updated with the latest packages on Dockerhub.

As an experiment, I have tried this with a very old Alpine version, 3.7. apk -U upgrade did upgrade musl and musl-utils, by bumping them one version - from 1.1.18-r3 to 1.1.18-r4:

$ sudo docker run -it alpine:3.7
Unable to find image 'alpine:3.7' locally
3.7: Pulling from library/alpine
5d20c808ce19: Pull complete 
Digest: sha256:8421d9a84432575381bfabd248f1eb56f3aa21d9d7cd2511583c68c9b7511d10
Status: Downloaded newer image for alpine:3.7
/ # apk -U upgrade
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/2) Upgrading musl (1.1.18-r3 -> 1.1.18-r4)
(2/2) Upgrading musl-utils (1.1.18-r3 -> 1.1.18-r4)
Executing busybox-1.27.2-r11.trigger
OK: 4 MiB in 13 packages

The fact that only two packages were upgraded, and by a single revision, implies that the 3.7 base image is already updated with the latest packages for this distribution (besides these two). This makes sense, because when there are security fixes to packages, you'd want them to be broadcast to all affected images as fast as possible. If the fix is for a severe issue, it is likely it will be back-ported to all affected Alpine versions.

When there are security updates to packages, they are done "in place", and the old package version is replaced with the new one, so when you update the package index of your image, you'd get the new package version. The old package version is then no longer available for download.

All in all, using apk -U upgrade to keep your images up to date sounds like solid advice.
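One practical follow-up to the answer above is to make "does this image still have pending upgrades?" a check rather than something you eyeball in a transcript. The script below is an added example, not code from the original question or answer: parse_upgrades turns the "(n/m) Upgrading pkg (old -> new)" lines that apk prints into "pkg old new" records, pending_upgrade_count counts them, and check_live_image runs the same parsing over a simulated apk upgrade inside a container built from the image under test. The sample transcript is constructed from the 3.7 run shown above; the function names, and the use of apk's global --simulate flag to print a transaction without applying it, are this example's own choices.

```shell
#!/bin/sh
# Added example: CI gate for "the Alpine base image has no pending upgrades".
# Not from the original post. parse_upgrades and pending_upgrade_count work
# offline on apk output piped to stdin; check_live_image needs apk.

# Constructed sample, copied from the alpine:3.7 transcript in the answer.
SAMPLE_APK_OUTPUT='fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/2) Upgrading musl (1.1.18-r3 -> 1.1.18-r4)
(2/2) Upgrading musl-utils (1.1.18-r3 -> 1.1.18-r4)
Executing busybox-1.27.2-r11.trigger
OK: 4 MiB in 13 packages'

# Read apk output on stdin; print "name old_version new_version" for every
# "(n/m) Upgrading name (old -> new)" line and ignore everything else.
parse_upgrades() {
    sed -n 's|^([0-9][0-9]*/[0-9][0-9]*) Upgrading \([^ ]*\) (\([^ ]*\) -> \([^)]*\)).*|\1 \2 \3|p'
}

# Number of packages apk would upgrade, from apk output on stdin.
pending_upgrade_count() {
    parse_upgrades | wc -l | tr -d ' '
}

# Live variant: run inside a container built from the image under test.
# Assumes apk is present. `apk upgrade --simulate` prints the transaction
# without changing anything, so the container is left as it was.
# Exit status: 0 when nothing is pending, 1 when upgrades are pending,
# 2 when the index could not be refreshed (no network, bad mirror).
check_live_image() {
    apk update >/dev/null 2>&1 || return 2
    n=$(apk upgrade --simulate 2>/dev/null | pending_upgrade_count)
    [ "$n" -eq 0 ]
}

# Demo against the constructed sample: lists the two musl upgrades and
# reports that 2 are pending.
printf '%s\n' "$SAMPLE_APK_OUTPUT" | parse_upgrades
printf 'pending upgrades: %s\n' "$(printf '%s\n' "$SAMPLE_APK_OUTPUT" | pending_upgrade_count)"
```

Run the live check as a build step (for example `docker run --rm myimage sh -c '...'` with the functions sourced) and fail the pipeline on a non-zero exit: an image that reports zero pending upgrades after `apk update` is in the state the answer describes, where the index already points at the in-place replacements for every installed package. In the Dockerfile itself, `RUN apk --no-cache upgrade` does the same work as `apk -U upgrade` without leaving the fetched index in the layer.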
