:: Re: [DNG] What's wrong with apt-get…
Author: Olaf Meeuwissen
Date:  
To: Tomasz Torcz
CC: dng
Subject: Re: [DNG] What's wrong with apt-get upgrade? Was: help with docker - running entrypoint as root
Hi Tomasz,

Thanks for answering! I'll put my slightly belated comments inline.

Tomasz Torcz <tomek@???> writes:

> On Wed, Jul 10, 2024 at 10:09:49AM +0200, Didier Kryn wrote:
>> Le 08/07/2024 à 16:06, Steve Litt a écrit :
>> > Olaf Meeuwissen via Dng said on Mon, 08 Jul 2024 20:26:58 +0900
>> >
>> >
>> > > Rather than running apt-get upgrade (which is generally advised against
>> > > IIRC),
>> > I'm not knowledgeable with the apt system. What's wrong with apt-get
>> > upgrade?
>>
>>     I often run apt-get upgrade. I too would like to know why it isn't


I said that in the context of building Docker container images. In the
context of virtual and bare metal machines, running

apt-get update
apt list --upgradable

is a Good Thing. Whether you then run

apt-get upgrade

or selectively upgrade only packages that come from your *-security
suite is up to you.

Back to the context of building Docker container images. This relies
heavily on caching. Meaning that Lorenzo's

FROM debian:sid

will *not* pull a new debian:sid image if you already have a debian:sid
image in *your* local cache. If you do, that image is likely to be very
different from the debian:sid I pull or have in *my* cache.

The same holds for the

RUN apt-get update && apt-get upgrade -y

statement. It only gets run the first time you build the image after
pulling the debian:sid image. After that, whatever ended up in the
cache will get reused as is. Meaning that you will *not* be upgrading
anything!

Combined, that leads to Tomasz' observations that

> It makes container images non-reproducible. Each build could end up
> with different package versions. It breaks collaboration with others.


> On the other hand, if you are building containers on the same machine,
> apt-get invocation will be cached and not repeated. So if you build
> container again after a few months and expect to have fresh upgrades
> applied, it won't work.


Exactly, you will be happily running with the upgrades you did a few
months ago and never be the wiser.

BTW, I'll be getting back to Tom's reply separately.

Hope this helps,
--
Olaf Meeuwissen
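
An added example, not part of the original message or thread: a small Dockerfile check for the two cache-sensitive patterns discussed above, a FROM that names a tag rather than a digest and an apt-get upgrade inside a RUN layer. The function name lint_dockerfile and the finding labels are made up for this illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Flags the two Dockerfile patterns the
# message describes. Output: "<line>:<finding>:<detail>", one per finding.
# Returns non-zero when at least one finding was printed.
lint_dockerfile() {
    awk '
    function check(s, n,    f, c, i, img) {
        c = split(s, f, " ")            # " " = default whitespace splitting
        if (toupper(f[1]) == "FROM") {
            i = 2
            while (i <= c && f[i] ~ /^--/) i++      # skip flags like --platform=
            img = f[i]
            if (toupper(f[i + 1]) == "AS") stage[f[i + 2]] = 1
            # No digest: whichever image sits in the local cache is used,
            # so two builders can start from different bases.
            if (img != "scratch" && !(img in stage) && img !~ /@sha256:/) {
                print n ":floating-base:" img; bad = 1
            }
        } else if (toupper(f[1]) == "RUN" &&
                   s ~ /apt(-get)?[ \t]+(.*[ \t])?(dist-|full-)?upgrade/) {
            # Runs once; afterwards the cached layer is reused unchanged.
            print n ":cached-upgrade:apt upgrade inside a cached RUN layer"; bad = 1
        }
    }
    {
        if (buf == "") start = NR
        line = $0
        # Join backslash-continued lines into one instruction.
        if (sub(/\\[ \t]*$/, "", line)) { buf = buf line " "; next }
        check(buf line, start); buf = ""
    }
    END { if (buf != "") check(buf, start); exit bad + 0 }
    ' "$1"
}
```

Run it as `lint_dockerfile path/to/Dockerfile`; an empty result means neither pattern was found.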