:: Re: [DNG] What's wrong with apt-get…
Author: Didier Kryn
Date:  
To: dng
Subject: Re: [DNG] What's wrong with apt-get upgrade? Was: help with docker - running entrypoint as root
On 10/07/2024 at 13:27, Olaf Meeuwissen via Dng wrote:
> Hi Tomasz,
>
> Thanks for answering!  I'll inline my slightly belated comments.
>
> Tomasz Torcz <tomek@???> writes:
>
>> On Wed, Jul 10, 2024 at 10:09:49AM +0200, Didier Kryn wrote:
>>> On 08/07/2024 at 16:06, Steve Litt wrote:
>>>> Olaf Meeuwissen via Dng said on Mon, 08 Jul 2024 20:26:58 +0900
>>>>
>>>>
>>>>> Rather than running apt-get upgrade (which is generally advised against
>>>>> IIRC),
>>>> I'm not knowledgeable with the apt system. What's wrong with apt-get
>>>> upgrade?
>>>      I often run apt-get upgrade. I too would like to know why it isn't
> I said that in the context of building Docker container images.  In the
> context of virtual and bare metal machines, running
>
>    apt-get update
>    apt list --upgradable
>
> is a Good Thing.  Whether you then run
>
>    apt-get upgrade
>
> or selectively upgrade only packages that come from your *-security
> suite is up to you.
>
> Back to the context of building Docker container images.  This relies
> heavily on caching.  Meaning that Lorenzo's
>
>    FROM debian:sid
>
> will *not* pull a new debian:sid image if you already have a debian:sid
> image in *your* local cache.  If you do, that image is likely to be very
> different from the debian:sid I pull or have in *my* cache.
>
> The same holds for the
>
>    RUN apt-get update && apt-get upgrade -y
>
> statement.  It only gets run the first time you build the image after
> pulling the debian:sid image.  After that, whatever ended up in the
> cache will get reused as is.  Meaning that you will *not* be upgrading
> anything!
>
> Combined, that leads to Tomasz' observations that
>
>>    It makes container images non-reproducible. Each build could end up
>> with different package versions. It breaks collaboration with others.
>>    On the other hand, if you are building containers on the same machine,
>> apt-get invocation will be cached and not repeated. So if you build
>> container again after a few months and expect to have fresh upgrades
>> applied, it won't work.
> Exactly, you will be happily running with the upgrades you did a few
> months ago and never be the wiser.
>
> BTW, I'll be getting back to Tom's reply separately.
>
> Hope this helps,


    If I understand correctly: no problem on bare metal. Never used containers.

--     Didier
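Olaf's point above, that a cached `FROM debian:sid` layer plus a cached `RUN apt-get update && apt-get upgrade -y` layer means a rebuild upgrades nothing, as an added example that is not part of the thread: a small POSIX shell script that lints a Dockerfile for an unpinned `FROM` and for an apt upgrade layer, then rebuilds with `docker build --pull --no-cache` and shows, inside the freshly built image, what apt still considers upgradable. The two Dockerfiles are constructed samples, the sha256 digest in the "good" one is a placeholder rather than a real debian:sid digest, and the script name in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a Dockerfile for the two
# cache pitfalls described above (an unpinned FROM and an apt-get upgrade
# layer that the build cache silently reuses), then build with the cache
# disabled and check inside the image that nothing is left to upgrade.

# Constructed sample Dockerfiles. The sha256 digest is a PLACEHOLDER, not a
# real debian:sid digest; take the real one from the "Digest:" line of
# `docker pull debian:sid` or from `docker buildx imagetools inspect debian:sid`.
BAD_DOCKERFILE='FROM debian:sid
RUN apt-get update && apt-get upgrade -y
'
GOOD_DOCKERFILE='FROM debian:sid@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN apt-get update && apt-get upgrade -y && apt-get clean && rm -rf /var/lib/apt/lists/*
'

# Exit 0 if every FROM line (read from stdin) pins its base image by digest.
# "scratch" and references to earlier build stages ("FROM x AS name") are
# allowed; "--platform=..." flags before the image reference are skipped.
from_is_pinned() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while ($i ~ /^--/ && i < NF) i++
            ref = $i
            for (j = i + 1; j < NF; j++)
                if (toupper($j) == "AS") stages[$(j + 1)] = 1
            if (!(ref in stages) && tolower(ref) != "scratch" &&
                ref !~ /@sha256:[0-9a-f]+$/)
                bad = 1
        }
        END { exit bad }
    '
}

# Exit 0 if the Dockerfile (stdin) has a RUN line that upgrades packages.
# That layer is only as fresh as the last uncached build, so it must be
# re-executed with --no-cache. (Single-line RUN instructions only.)
has_upgrade_layer() {
    grep -qiE '^[[:space:]]*RUN.*apt(-get)?[[:space:]]+(dist-|full-)?upgrade'
}

# Print both verdicts for a Dockerfile given as a path.
lint_dockerfile() {
    if from_is_pinned < "$1"; then
        echo "ok:   all FROM lines pinned by digest"
    else
        echo "warn: FROM without @sha256 digest; your local tag cache decides what you build on"
    fi
    if has_upgrade_layer < "$1"; then
        echo "note: apt upgrade layer present; rebuild with --pull --no-cache to refresh it"
    fi
}

# Build ignoring the local cache: --pull re-fetches the base tag, --no-cache
# re-executes every RUN. Then list what apt still considers upgradable.
build_fresh() {
    tag=$1; dir=$2
    docker build --pull --no-cache -t "$tag" "$dir"
    docker run --rm "$tag" sh -c 'apt-get update >/dev/null && apt list --upgradable'
}

# Usage (hypothetical script name):
#   sh dockerfile-cache-check.sh <image-tag> <build-context-dir>
if [ "$#" -ge 2 ]; then
    lint_dockerfile "$2/Dockerfile"
    build_fresh "$1" "$2"
fi
```

Pinning the base image by digest addresses the "very different from the debian:sid I pull" problem, since every machine then builds on the same bytes, and `--pull --no-cache` addresses the stale upgrade layer. The two pull in opposite directions with respect to Tomasz' reproducibility point: a pinned base plus `apt-get upgrade` at build time still yields whatever the mirror serves that day, so a reproducible image records the digest it was built from and rotates it deliberately rather than relying on an upgrade step during the build.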