Cloudron Forum

Ubuntu Security Updates Inside Docker Images

Category: Support. Tag: updates. Status: Solved. 3 posts, 2 posters, 615 views.
crazybrad (#1, last edited by girish):

I was looking at the Git repo for creating docker images and trying to understand how Cloudron applies security updates to underlying docker images.

It seems that when a docker image is updated, the core Ubuntu inside (currently based on 22.04) is updated using available security patches. Is my understanding correct?

What happens for "stale" apps? For example, an app that has not been updated in 3 months or longer? Is that docker image missing 3 months of Ubuntu security updates? There are other apps that have been removed from the App store, but if previously installed on someone's Cloudron, they can continue to use the app. The app might have really old Ubuntu code.

Can stale or discontinued apps have their Ubuntu core updated inside the docker image?


girish (Staff, #2):

@crazybrad said in Ubuntu Security Updates Inside Docker Images:

It seems that when a docker image is updated, the core Ubuntu inside (currently based on 22.04) is updated using available security patches. Is my understanding correct?

They do not get security updates. We use a tagged Ubuntu image as our base image (https://git.cloudron.io/cloudron/docker-base-image/-/blob/master/Dockerfile?ref_type=heads#L2). Currently, this is from Aug last year. Even for apps that are frequently updated, the underlying Ubuntu libraries won't get updated (unless there is an explicit apt update call in the app's Docker image, but this is usually not the case).

While there is a theoretical risk, practically the risk is negligible. This is because the container images are not exposed directly. There is a reverse proxy in front (nginx). We also have a bunch of packaging philosophies like read-only file system, not running as root, sandboxed filesystem, etc., which mitigate the problem further.

That said, we are subscribed to https://ubuntu.com/security/notices. So far, we have yet to encounter anything that requires updating all the apps at once. But indeed, if it happens, we have to update each and every app.

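The answer above describes the mechanism exactly: an app image inherits whatever package versions its tagged base image carried, and nothing inside the image moves until someone rebuilds it. The script below is an added example for checking that yourself; it is not Cloudron's code and does not come from this thread. It starts a throwaway container from an image, asks apt what it would upgrade, and separates updates that come from the Ubuntu `-security` pocket from ordinary `-updates`. The `docker run` flags (`-u 0`, `--entrypoint sh`) are assumptions about typical app images that drop root and set an entrypoint; the package names and version strings in `SAMPLE_LISTING` are constructed.

```python
"""Added example (not Cloudron's code): list pending Ubuntu security updates
for the packages baked into a Docker image.

Usage: python check_image_updates.py <image:tag>

It runs `apt-get update` + `apt list --upgradable` in a throwaway container
(root user, entrypoint overridden, nothing written back to the image) and
parses the listing, so you can see how far behind the Ubuntu security pocket
an app image really is.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# One line of `apt list --upgradable` output, e.g.
#   pkg/jammy-updates,jammy-security 1.2-3 amd64 [upgradable from: 1.2-1]
_UPGRADABLE_LINE = re.compile(
    r"^(?P<name>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from: (?P<old>[^\]]+)\]\s*$"
)


@dataclass(frozen=True)
class PendingUpdate:
    name: str
    old_version: str
    new_version: str
    suites: tuple  # e.g. ("jammy-updates", "jammy-security")

    def is_security(self) -> bool:
        # Ubuntu publishes USN fixes through the <release>-security pocket.
        return any(s.endswith("-security") for s in self.suites)


def parse_upgradable(listing: str) -> list:
    """Turn raw `apt list --upgradable` output into PendingUpdate records."""
    updates = []
    for line in listing.splitlines():
        m = _UPGRADABLE_LINE.match(line.strip())
        if m is None:
            continue  # skips "Listing... Done", warnings and blank lines
        updates.append(PendingUpdate(
            name=m["name"],
            old_version=m["old"],
            new_version=m["new"],
            suites=tuple(m["suites"].split(",")),
        ))
    return updates


def security_updates(updates: list) -> list:
    """Only the updates that come from a -security pocket."""
    return [u for u in updates if u.is_security()]


def summarize(listing: str) -> dict:
    """Counts a reviewer cares about: total pending vs. security-pocket pending."""
    updates = parse_upgradable(listing)
    sec = security_updates(updates)
    return {
        "pending": len(updates),
        "security": len(sec),
        "security_packages": sorted(u.name for u in sec),
    }


def apt_upgradable_in_image(image: str) -> str:
    """Fetch the listing from a throwaway container built from `image`.

    Requires docker on the host. `-u 0` and `--entrypoint sh` are assumptions
    for app images that switch to a non-root user and set an entrypoint.
    """
    cmd = [
        "docker", "run", "--rm", "-u", "0", "--entrypoint", "sh", image, "-c",
        "apt-get update -qq >/dev/null 2>&1 && apt list --upgradable 2>/dev/null",
    ]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample listing (package names and versions are made up).
SAMPLE_LISTING = """\
Listing... Done
libfoo1/jammy-updates,jammy-security 1.0.0-2 amd64 [upgradable from: 1.0.0-1]
foo-tools/jammy-security 1.0.0-2 amd64 [upgradable from: 1.0.0-1]
tzdata/jammy-updates 2024a-1 all [upgradable from: 2023c-1]
"""

if __name__ == "__main__":
    listing = apt_upgradable_in_image(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    report = summarize(listing)
    print(f"{report['pending']} pending updates, {report['security']} from the security pocket")
    for name in report["security_packages"]:
        print("  security:", name)
```

Run it against the image rather than the running app container: on a read-only, non-root container `apt-get update` cannot write its lists, and the image is what gets rebuilt anyway. A non-zero `security` count is exactly the situation described in the answer; whether it matters depends on whether the affected package is reachable from the app's exposed surface, which the reverse proxy and sandboxing mentioned above narrow considerably.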
crazybrad (#3):

@girish Thanks for the complete and thorough explanation. I guess I was fooled by the apt update I saw in one of your docker image definitions (thinking that others would be following your best practice). If you are comfortable with the risk/reward balance, then I am comfortable :)

girish marked this topic as a question.
girish marked this topic as solved.