Info

I recently published a more up-to-date article. Check it here.

TL;DR

CentOS base images suck! They're old and not updated for months!

As a professional DevOps engineer I care about a lot of things, but security is always close to the top of the list. With Docker, build environments and deployments became much more stable, which is often just a consequence of them being stale ;/

I've been talking about this for a long time, but it's still hard for people to believe. So let's check a few of the most popular images and when they were last updated. I wrote a script for that, so feel free to check your own list:
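The author's script is not reproduced on this page; the following is an added example (not the original script) that performs the same check: it reads the image creation timestamp that `docker image inspect` reports and computes the age in days. The `SAMPLE_CREATED` values are constructed from the table below, and `max_age_days` is an assumed policy threshold.

```python
"""Report how old local Docker base images are (added example, not the post's script)."""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample input: .Created values as reported by docker inspect.
SAMPLE_CREATED = {
    "centos:7": "2020-11-14T00:20:04.644613188Z",
    "ubuntu:20.04": "2021-01-21T03:38:23.37559427Z",
}


def parse_created(created: str) -> datetime:
    """Parse the RFC 3339 timestamp from docker inspect's .Created field.
    The nanosecond fraction is dropped because datetime only keeps microseconds."""
    base = re.sub(r"\.\d+", "", created).rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def image_age_days(created: str, now: datetime) -> int:
    """Whole days between the image's creation time and `now` (both UTC)."""
    return (now - parse_created(created)).days


def inspect_created(image: str) -> str:
    """Ask the local Docker daemon for an image's creation time (no pull)."""
    out = subprocess.check_output(
        ["docker", "image", "inspect", "--format", "{{.Created}}", image], text=True
    )
    return out.strip()


def stale_images(created_by_image: dict, now: datetime, max_age_days: int) -> list:
    """Return the images older than the (assumed) policy threshold, oldest first."""
    ages = {img: image_age_days(ts, now) for img, ts in created_by_image.items()}
    stale = [img for img, age in ages.items() if age > max_age_days]
    return sorted(stale, key=lambda img: -ages[img])


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for img in ("centos:7", "debian:10", "ubuntu:20.04", "alpine:3.13"):
        try:
            print(f"{img:15} {image_age_days(inspect_created(img), now):4d} days old")
        except subprocess.CalledProcessError:
            print(f"{img:15} not present locally (docker pull it first)")
```

Run it on a CI runner with a low threshold to make a build fail loudly when its base image has not been rebuilt upstream for too long.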

The results show that not all images are updated frequently, and if we dig a little deeper and check how many packages need an upgrade:

| Image | Creation date | Age (in days) | Packages to upgrade |
|---|---|---|---|
| centos:7 | 2020-11-14T00:20:04.644613188Z | 75 | 16 |
| centos:8 | 2020-12-08T00:22:53.076477777Z | 51 | 12 |
| debian:9 | 2021-01-12T00:35:06.08981705Z | 16 | 0 |
| debian:10 | 2021-01-12T00:32:37.071722022Z | 16 | 0 |
| ubuntu:18.04 | 2021-01-21T03:38:05.801776526Z | 7 | 2 |
| ubuntu:20.04 | 2021-01-21T03:38:23.37559427Z | 7 | 4 |
| alpine:3.11 | 2020-12-17T00:19:49.284211148Z | 42 | 0 |
| alpine:3.12 | 2020-12-17T00:19:42.11518025Z | 42 | 0 |
| alpine:3.13 | 2021-01-15T02:23:51.238454884Z | 13 | 5 |
| node:10 | 2021-01-27T20:32:54.257201224Z | 0 | 13 |
| node:12 | 2021-01-12T10:36:27.349274428Z | 15 | 13 |
| node:14 | 2021-01-12T10:33:48.195283512Z | 15 | 13 |
| node:15 | 2021-01-27T20:29:39.779176105Z | 0 | 13 |
| openjdk:8 | 2021-01-21T02:40:05.312239007Z | 7 | 0 |
| openjdk:11 | 2021-01-21T02:38:20.819671373Z | 7 | 0 |
| openjdk:15 | 2021-01-20T00:45:36.664060993Z | 8 | ? |

Personally, I consider running yum upgrade or apt upgrade/apt dist-upgrade in a Dockerfile an anti-pattern; instead, builds should run frequently enough to pick up all new upgrades from the base images automatically. That's the theory, but with images like CentOS you have to do it, or risk running your software on an unpatched and potentially insecure system. That's why I don't like CentOS images as a base in general; from this perspective they just suck.

There's another issue here as well: running those upgrades makes your image bigger, sometimes significantly bigger. That's not what I expect from base images.