Author: Olaf Meeuwissen
Date:
To: Amin Bandali
CC: dng
Subject: Re: [DNG] What's wrong with apt-get upgrade? Was: help with docker - running entrypoint as root
Hi Amin,
Amin Bandali via Dng <dng@???> writes:
> Tomasz Torcz wrote:
>
>> On Wed, Jul 10, 2024 at 10:09:49AM +0200, Didier Kryn wrote:
>>> Le 08/07/2024 à 16:06, Steve Litt a écrit :
>>> > Olaf Meeuwissen via Dng said on Mon, 08 Jul 2024 20:26:58 +0900
>>> >
>>> >
>>> > > Rather than running apt-get upgrade (which is generally advised against
>>> > > IIRC),
>>> > I'm not knowledgeable with the apt system. What's wrong with apt-get
>>> > upgrade?
>>>
>>> I often run apt-get upgrade. I too would like to know why it isn't
>>
>> It makes container images non-reproducible. Each build could end up
>> with different package versions. It breaks collaboration with others.
>> On the other hand, if you are building containers on the same machine,
>> the apt-get invocation will be cached and not repeated. So if you build
>> the container again after a few months and expect to have fresh upgrades
>> applied, it won't work.
>
> As much as I love reproducible environments, docker was not designed
> or implemented with an eye toward reproducibility. If you do care
> about reproducible builds and environments, I'd suggest looking into
> a distro like GNU Guix (similar in several technical aspects to NixOS,
> but doesn't use systemd like NixOS does) for a GNU/Linux distro and
> accompanying tools where reproducibility is a first-class citizen.
The debian images include commented-out URIs to snapshot.debian.org in
their /etc/apt/sources.list.d/debian.sources. It is my understanding
that these were the ones that were used when building the images. If
interested in reproducibility, you could edit the debian.sources file and
switch to using snapshot.debian.org.
> Please see the links Tom posted in another part of this thread for
> more on why you *should* do 'apt-get upgrade', most importantly to
> install security upgrades for the packages you'll be building into
> your docker image, rather than using potentially-vulnerable ones.
As I also mentioned in my other post, where you should run `apt-get
upgrade` in your Dockerfile is a case-by-case decision. For widely
shared base images, yes. For images used to back production services,
yes. For images running test suites in CI/CD pipelines, probably not.
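As an added example of the snapshot pinning described above (this is not code from the thread or from the Debian image project): a POSIX shell script that rewrites each active `URIs:` line of a debian.sources file to the snapshot.debian.org URI left in the comment just above it, and writes the apt option that snapshot mirrors need because their Release files are past their Valid-Until date. The sample file is constructed in the deb822 layout the official images use, and its timestamps are placeholders, not values from the thread.

```shell
# Constructed sample in the deb822 layout of the official Debian images;
# the snapshot timestamps are placeholders, not values from the thread.
SAMPLE_SOURCES='Types: deb
# http://snapshot.debian.org/archive/debian/20240101T000000Z
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
# http://snapshot.debian.org/archive/debian-security/20240101T000000Z
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
'

# pin_to_snapshot FILE: replace every active "URIs:" line with the
# snapshot.debian.org URI found in the comment line just above it.
pin_to_snapshot() {
    awk '
        /^# https?:\/\/snapshot\.debian\.org\// { snap = substr($0, 3); print; next }
        /^URIs:/ && snap != "" { print "URIs: " snap; snap = ""; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# allow_stale_release FILE: snapshot Release files are past their
# Valid-Until date, so tell apt not to reject them as expired.
allow_stale_release() {
    printf 'Acquire::Check-Valid-Until "false";\n' > "$1"
}

# count_uris FILE PREFIX: number of active "URIs:" lines starting with PREFIX.
count_uris() {
    grep -c "^URIs: $2" "$1" || true
}

main() {
    dir=$(mktemp -d)
    printf '%s' "$SAMPLE_SOURCES" > "$dir/debian.sources"
    pin_to_snapshot "$dir/debian.sources"
    allow_stale_release "$dir/99snapshot"
    cat "$dir/debian.sources" "$dir/99snapshot"
    echo "snapshot URIs: $(count_uris "$dir/debian.sources" http://snapshot.debian.org/)"
    rm -rf "$dir"
}
main "$@"
```

In a Dockerfile the two helpers would run in a RUN step against /etc/apt/sources.list.d/debian.sources and /etc/apt/apt.conf.d/99snapshot before `apt-get update`, so that a later `apt-get upgrade` resolves against the pinned snapshot instead of the moving mirror.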