Christopher Allan Webber

Audit finds 2/3 of popular docker images have medium to high security issues

Christopher Allan Webber at

Indeed that doesn't seem surprising. It's like saying most Debian ISO images available at http://cdimage.debian.org/mirror/cdimage/archive/ have security issues.
Of course they do if you don't run "apt-get -y update && apt-get -y upgrade" on them. A typical Dockerfile will start with apt-get -y update && apt-get -y upgrade.

warp at 2015-05-29T14:51:30Z

Sorry for not being well-versed in Docker stuff, but if you are running the docker file, aren't you bypassing the whole binary image conundrum? And the point is that people are using binary images and that's where the problem lies?

Claes Wallin (韋嘉誠) at 2015-05-31T11:41:19Z

@warp @Claes Wallin (韋嘉誠)

Avoid RUN apt-get upgrade or dist-upgrade, since many of the “essential” packages from the base images will fail to upgrade inside an unprivileged container. If a base package is out of date, you should contact its maintainers. If you know there’s a particular package, foo, that needs to be updated, use apt-get install -y foo and it will update automatically.

official Docker best practices

Christopher Allan Webber at 2015-05-31T14:51:45Z

(Discussion of that on the LWN thread I posted, too)

Christopher Allan Webber at 2015-05-31T14:52:53Z
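
The check that the quoted Docker guidance implies, as an added example that is not part of the thread or of Docker's documentation: a small Python scanner that reports shell-form RUN instructions calling apt-get upgrade or dist-upgrade. The function names and the sample Dockerfile are constructed for illustration, and exec-form (JSON array) RUN instructions are not handled.

```python
import re
import shlex
FLAGGED = {"upgrade", "dist-upgrade"}  # the two subcommands the quoted guidance names

# Constructed sample Dockerfile (not from the thread).
SAMPLE = r"""FROM debian:jessie
# apt-get upgrade in a comment is ignored
RUN apt-get update && apt-get -y upgrade
RUN apt-get update \
    && apt-get install -y foo \
    && rm -rf /var/lib/apt/lists/*
RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade
"""

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined."""
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, also inside continuations
        start = start or no
        buf.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def apt_subcommand(words):
    if "apt-get" not in words:
        return None
    rest = words[words.index("apt-get") + 1:]
    return next((w for w in rest if not w.startswith("-")), None)

def find_apt_upgrades(dockerfile_text):
    """Return [(line_no, subcommand)] for shell-form RUN lines that upgrade."""
    findings = []
    for no, line in logical_lines(dockerfile_text):
        m = re.match(r"RUN\s+(.*)", line, re.IGNORECASE)
        for cmd in re.split(r"&&|\|\||;|\|", m.group(1)) if m else []:
            try:
                sub = apt_subcommand(shlex.split(cmd))
            except ValueError:  # unbalanced quotes after splitting
                continue
            if sub in FLAGGED:
                findings.append((no, sub))
    return findings
```

Each finding carries the line number where the RUN instruction starts, so a multi-line instruction is reported at its first line.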