System security upgrades in Docker images

[pflanze]

This is about system level security upgrades that come from upstream Ubuntu via apt update && apt dist-upgrade -y.

Since PR #519, the (now Ubuntu) base image is already being upgraded while our docker images are being built. But there is no upgrade happening while it is running. This is not good if the docker image runs for a long time before being replaced with a new one. How this should be improved, is to be decided. Review what other docker users do may be useful.

As discussed in the dev meeting today:

• a stop-gap measure (decided?) is to just rebuild new docker images every day

Further points:

• One idea is to run apt update && apt dist-upgrade -y every time an image is (re)started. This slows down startup, though, and still doesn't bring in upgrades when the images is not restarted for a long time.

• The way the siloApi is started, no daemon from the Ubuntu distro will run, thus no cronjob would run. The ENTRYPOINT could be changed to run either cron or something else (it could perhaps also run /sbin/init ?), but silo would need restarting after an upgrade, best just the whole docker image, and filesystem changes need to be persisted.

• Another idea could be to just check, independently of the running silo image, if our docker image would do upgrades (via --dry-run), and if so, trigger a chain of rebuilding the docker image, pulling it to the servers, and restarting it there.

• Double check: is the Ubuntu base image that we use actually pulling from the security repositories (in sources.list files)? Hopefully this was not removed.

[Taepper]

@chaoran-chen mentioned that we should rebuild images using intervals of 1-2 days, such that we always have images with recent security updates installed

[pflanze]

That is mentioned above as "a stop-gap measure (decided?) is to just rebuild new docker images every day".

[Taepper]

Oh, I see. Missed out on that one