
I have the Docker image below, where I need to apply the update patch to the curl package. In the Dockerfile below, in line number 3 I am already doing an update, but it still shows up in the vulnerabilities report.

I have added RUN yum -y update curl at the end of the Dockerfile, and then it does not show up in the vulnerabilities report.

Any fix? All packages must be installed with the latest version; I don't want to mention them explicitly.

Or are there any mistakes in the Dockerfile?

FROM        centos:7 AS base

FROM        base AS build

# Install all dependencies
RUN yum -y update \
    && yum install -y openssl-devel bzip2-devel libffi-devel \
                      zlib-devel wget gcc make
# Below compile python from source


FROM        base

ENV         LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib
COPY --from=build /usr/local/ /usr/local/

# Copy code
COPY . /app/
WORKDIR /app

# Install code dependencies.
RUN /usr/local/bin/python -m pip install --upgrade pip \
    && pip install -r requirements.txt

# Why do I need this step, when I already run the update in line 3? If I don't perform it, I see it in the compliance report. Any fix?
RUN yum -y update curl

# Run application
ENTRYPOINT ["python"]
CMD ["test.py"]

2 Answers


  1. docker build and friends have a cache system, based on the text of the input. So if the text of the command yum -y update doesn’t change, it will continue using the same cached version of the output forever (or until the cache is deleted). Try running the build with --no-cache and see if that helps.

  2. In order to understand what constitutes an image, you need to look at a Dockerfile in a different way:

    • Every step (with the exception of FROM) creates a new image, with the results of the previous step as a base.
    • FROM doesn’t use the previous step, but an explicitly specified one.

    Now, looking at your Dockerfile, you seem to wonder why RUN yum -y update curl doesn’t work as expected. For easier understanding, let’s trace it backwards:

    • RUN yum -y update curl
    • RUN /usr/local/bin/python -m pip install --upgrade pip && pip install -r requirements.txt
    • WORKDIR /app
    • COPY . /app/
    • COPY --from=build /usr/local/ /usr/local/
    • ENV LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib
    • FROM base — at this point, the previous step is changed to the last step of base
    • FROM centos:7 AS base — here, the previous step is changed to centos:7

    As you see, nowhere in the earlier steps is yum update -y curl!

    BTW: Typing this, I’m wondering what your precise question is, i.e. whether this works or doesn’t or whether you wonder why it’s necessary. Are you aware of the difference between yum update and yum update curl even?
