Christopher Allan Webber

Christopher Allan Webber at

@warp @Claes Wallin (韋嘉誠)

Avoid RUN apt-get upgrade or dist-upgrade, since many of the “essential” packages from the base images will fail to upgrade inside an unprivileged container. If a base package is out of date, you should contact its maintainers. If you know there’s a particular package, foo, that needs to be updated, use apt-get install -y foo and it will update automatically.

official Docker best practices

Claes Wallin (韋嘉誠) likes this.

Christopher Allan Webber shared this.


j1mc at 2015-05-31T21:04:18Z

Yeah, that is weird advice.  I wonder why a base package would fail to upgrade, I haven't seen that happen in the Docker containers I use.

warp at 2015-06-01T12:02:46Z

@warp I think the rationale is that "the promise that docker images give you is that these containers will work without your intervention". But many general apt-get update && apt-get upgrade runs actually require manual intervention to finish safely.

Christopher Allan Webber at 2015-06-01T14:23:53Z

Plus, if your containers diverge too far from the standard image, they def can't take advantage of the supposed benefit of having a shared base storage-wise, since they'll all break off.

Christopher Allan Webber at 2015-06-01T14:24:50Z