On 01/02/2017 05:22 PM, Lukas Slebodnik wrote:
The bug is in the user-supplied container build scripts. Recommended
practice is to run “dnf update” (or “yum update”) as part of the build
process.
Could you provide some link where it is recommended?
Because most pages say exactly the opposite or do not mention that at all:
https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practi...
"""
You should avoid RUN apt-get upgrade or dist-upgrade, as many of the “essential” packages
from the base images won’t upgrade inside an unprivileged container. If a package
contained in the base image is out-of-date, you should contact its maintainers.
"""
https://docs.openshift.com/container-platform/3.3/creating_images/guideli...
"""
Wherever possible, we recommend that you base your image on an appropriate upstream image
using the FROM statement. This ensures your image can easily pick up security fixes from
an upstream image when it is updated, rather than you having to update your dependencies
directly.
"""
Another problem with upgrading all packages in the base image is that
it breaks caching of intermediate layers a little bit when building an image.
Most distributions do not automatically respin containers for
every package update in the base image.
An update of glibc should not be considered as an update of any other package.
glibc is very special. And updating glibc in the rawhide base image would be just a
workaround for an improper release of git master into rawhide. The ideal would be to
follow the guidelines for adding symbols to the latest version in glibc.
LS