Automatically update Docker images
Docker is cool. It jails tools into containers. That of course sounds clean, safe and beautiful, etc. However, the tools are still buggy and subject to the usual attacks, just as if they were running on your main host! Thus, you still need to make sure your containers are up to date.
But how would you do that?
Approaches so far
On the one hand, let’s assume you’re using Docker Compose. Then you can go to the directory containing the
docker-compose.yml and call
However, this will just update the images used in that Docker Compose setup – all the other images on your system wouldn’t be updated. And you need to do that for all Docker Compose environments. And if you’re running 30 containers of the same image, it would check 30 times for an update of that image – quite a waste of power and time.
On the other hand, you may use the dupdate tool, introduced earlier:
It is able to go through all your images and update them, one after the other.
That way, all the images on your system will be updated.
But dupdate doesn’t know about running containers.
Thus, currently running tools and services won’t be restarted.
Better: Docker Auto-Update
Therefore, I developed a tool called Docker Auto-Update that combines the benefits of both approaches.
It first calls
dupdate -s to update all your images and then iterates over a pre-defined list of Docker Compose environments, calling
docker-compose up -d --remove-orphans in each of them.
The tool consists of three files:
- /etc/cron.daily/docker-updater reads the configuration in /etc/default/docker-updater and does the regular update
- /etc/default/docker-updater stores the configuration. You need to set the 1, otherwise the update tool won’t run.
- /etc/docker-compose-auto-update.conf carries a list of Docker Compose environments. Add the paths to the docker-compose.yml files on your system, one per line.
As it’s installed in /etc/cron.daily/, cron will take care of the job and update your images and containers on a daily basis.
If your system is configured properly, cron will send an email to the system administrator when it updates an image or restarts a container.
You see, no magic, but a very convenient workflow! :)
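As an added example (not the Docker Auto-Update project’s own script), this POSIX shell sketch of the cron job shows the order the page describes: refuse to run unless the config enables it, refresh all images with dupdate -s, then bring each listed Compose environment up with docker-compose up -d --remove-orphans, skipping blank and comment lines and reporting missing files. The variable name DOCKER_UPDATER_ENABLED and the *_CMD overrides are assumptions, not names taken from the project.

```shell
#!/bin/sh
# Added example, not the project's own script: the flow the page describes for
# /etc/cron.daily/docker-updater. DOCKER_UPDATER_ENABLED is an assumed flag name.
set -u

: "${UPDATER_CONF:=/etc/default/docker-updater}"
: "${COMPOSE_LIST:=/etc/docker-compose-auto-update.conf}"
: "${DUPDATE_CMD:=dupdate}"
: "${COMPOSE_CMD:=docker-compose}"

# Succeeds (0) only if the config exists and sets the enable flag to 1.
updater_enabled() {
    [ -r "$UPDATER_CONF" ] || return 1
    DOCKER_UPDATER_ENABLED=0
    . "$UPDATER_CONF"
    [ "${DOCKER_UPDATER_ENABLED:-0}" = "1" ]
}

# Re-create every listed Compose environment from the freshly pulled images.
# Blank lines and '#' comments are skipped; a listed docker-compose.yml that
# does not exist counts as a failure. Returns the number of failed environments.
update_compose_envs() {
    list="$1"; failed=0
    [ -r "$list" ] || { echo "no compose list at $list" >&2; return 0; }
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "skipping $path: file not found" >&2
            failed=$((failed + 1)); continue
        fi
        dir=$(dirname "$path")
        # Subshell, so the cd does not leak into the next iteration.
        if (cd "$dir" && "$COMPOSE_CMD" up -d --remove-orphans); then
            echo "updated $dir"
        else
            echo "failed to update $dir" >&2
            failed=$((failed + 1))
        fi
    done < "$list"
    return "$failed"
}
# Daily job: refresh all images first, then restart the listed environments.
main() {
    updater_enabled || { echo "docker-updater is disabled in $UPDATER_CONF"; return 0; }
    "$DUPDATE_CMD" -s || { echo "dupdate -s failed, leaving containers alone" >&2; return 1; }
    update_compose_envs "$COMPOSE_LIST"
}
# Run only when invoked as the cron script itself, so the functions can be sourced.
case "${0##*/}" in docker-updater) main ;; esac
```

Because the script stops before touching any container when dupdate -s fails, a broken registry or network does not leave you with half-restarted services; cron’s mail will carry the stderr lines.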
To install the Docker Auto-Update tool, you may clone the git repository at GitHub. Then,
- move the
- move the ./etc/default/docker-updater config file to
- update the setup in /etc/default/docker-updater – at least set
- create a list of Docker Compose config files in /etc/docker-compose-auto-update.conf - one path to a
If you’re using a Debian-based system, you may install the Docker-Tools through my apt-repository:
/etc/default/docker-updater and at least set
This way, you’ll stay up-to-date with bug fixes etc.
The tool will update your images and containers automatically – very convenient but also dangerous! The new version of an image may break your tool or may require an updated configuration.
Therefore, I recommend monitoring your tools through Nagios/Icinga/check_mk or whatever. And study the mails generated by cron!