Ubuntu Security Updates Inside Docker Images
-
I was looking at the Git repo for creating Docker images and trying to understand how Cloudron applies security updates to the underlying Docker images.
It seems that when a Docker image is updated, the core Ubuntu inside (currently based on 22.04) is updated using available security patches. Is my understanding correct?
What happens for "stale" apps? For example, an app that has not been updated in 3 months or longer? Is that Docker image missing 3 months of Ubuntu security updates? There are other apps that have been removed from the App Store, but if previously installed on someone's Cloudron, they can continue to use the app. The app might have really old Ubuntu code.
Can stale or discontinued apps have their Ubuntu core updated inside the Docker image?
-
@crazybrad said in Ubuntu Security Updates Inside Docker Images:
It seems that when a docker image is updated, the core Ubuntu inside (currently based on 22.04) is updated using available security patches. Is my understanding correct?
They do not get security updates. We use a tagged Ubuntu image as our base image - https://git.cloudron.io/cloudron/docker-base-image/-/blob/master/Dockerfile?ref_type=heads#L2 . Currently, this is from Aug last year. Even for apps that are frequently updated, the underlying Ubuntu libraries won't get updated (unless there is an explicit apt update call in the app's Docker image, but this is usually not the case). While there is a theoretical risk, practically the risk is negligible. This is because the container images are not exposed directly. There is a reverse proxy in the front (nginx). We also have a bunch of packaging philosophies like read-only file system, not running as root, sandboxed filesystem etc. which mitigate the problem further.
That said, we are subscribed to https://ubuntu.com/security/notices . So far, we are yet to encounter anything that requires updating all the apps at once. But indeed, if it happens, we have to update each and every app.
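A defender-side check for the situation described above (an image whose pinned Ubuntu base never runs apt update), added here as an example and not part of Cloudron's tooling: it runs apt list --upgradable in a throw-away container and counts the packages whose pending fix comes from the -security pocket. The image name is a placeholder and the sample apt output is constructed; the container is assumed to have apt and network access to the Ubuntu archive.

```shell
#!/bin/sh
# Added example, not Cloudron's own tooling: report how many pending upgrades
# inside an Ubuntu-based image come from the -security pocket.
# Assumes the image has apt and can reach archive.ubuntu.com when run.

# Constructed sample of `apt list --upgradable` output (not from a real image).
SAMPLE_APT_LIST='Listing...
openssl/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.12]
libssl3/jammy-security,jammy-updates 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.12]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]'

# Read `apt list --upgradable` output on stdin; print the number of packages whose
# source suite is a -security pocket (e.g. jammy-security). A package may list
# several suites separated by commas, so match "-security" followed by "," or " ".
# Prints 0 (and succeeds) when nothing matches.
count_security_upgrades() {
  grep -c '^[^/]*/[^ ]*-security[, ]' || true
}

# Same input; print just the names of packages with pending security fixes.
list_security_upgrades() {
  grep '^[^/]*/[^ ]*-security[, ]' | cut -d/ -f1 || true
}

# Run the check in a throw-away container from IMAGE ($1). The container's
# filesystem is discarded afterwards, so nothing is upgraded in place; this
# only reports. Usage: audit_image <image>   (placeholder image name)
audit_image() {
  image="$1"
  docker run --rm --entrypoint sh "$image" -c \
    'apt-get update -qq >/dev/null 2>&1 && apt list --upgradable 2>/dev/null' \
    | count_security_upgrades
}
```

Running audit_image against each installed app image gives a per-app count that can be compared over time; a non-zero count for a discontinued app is the case the question asks about.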
-
@girish Thanks for the complete and thorough explanation. I guess I was fooled by the apt update I saw in one of your Docker image definitions (thinking that others would be following your best practice). If you are comfortable with the risk/reward balance then I am comfortable :)