How to keep your Dockerfile container image references up-to-date

on
Jan 30, 2021
in

Whenever you build a container image, chances are that you are using public images as a base. But how do you keep your image up-to-date with the latest releases? In this blog I will introduce a utility which will allow you to keep your Dockerfile container image references up-to-date.

In classic IT operations, "patch management" is a thing. On a frequent basis, all the components in the data center are updated to run the latest release of the software. With the Cloud-native principle of immutable infrastructure this no longer applies. There are no machines to log into and any changes you do make will not persist.

For this reason, we created a utility named "fromage" which will allow you to detect out-of-date container images references. It will also allow you to update them automatically.

install the utility

To install the utility, type:

git clone https://github.com/binxio/fromage
cd fromage
git checkout 0.2.4
go install

You can also use the docker image binxio/fromage:0.2.4.

list container image references

To list container image references in your git repository, type:

fromage list --branch master --verbose https://github.com/binxio/kritis

It iterates over all dockerfiles in all branches in the repository and print out all container
image references and list newer versions if available.

IMAGE PATH BRANCH NEWER
golang:1.12 helm-hooks/Dockerfile master 1.13,1.14,1.15
gcr.io/gcp-runtimes/ubuntu_16_0_4 helm-release/Dockerfile master
ubuntu:trusty vendor/golang.org/x/net/http2/Dockerfile master
golang:1.12 deploy/Dockerfile master 1.13,1.14,1.15
gcr.io/distroless/base:latest deploy/Dockerfile master
gcr.io/google-appengine/debian10:latest deploy/gcr-kritis-signer/Dockerfile master
gcr.io/gcp-runtimes/ubuntu_16_0_4 deploy/kritis-int-test/Dockerfile master
gcr.io/google-appengine/debian10:latest deploy/kritis-signer/Dockerfile master

checking out-of-date references

To check whether there are newer references available, type:

./fromage check --branch master --verbose https://github.com/binxio/kritis

It iterates over all dockerfiles in all branches in the repository and print out all container
image references which are out-of-date. If found, it exits with code 1.

IMAGE PATH BRANCH NEWER
golang:1.12 helm-hooks/Dockerfile master 1.13,1.14,1.15
golang:1.12 deploy/Dockerfile master 1.13,1.14,1.15

You can use this in your CI/CD pipeline as a quality control gate.

bring container references up-to-date

To update the container image references to the next available version, type:

$ ./fromage bump --branch master --verbose git@github.com:binxio/kritis.git
2021/01/21 21:05:42 INFO: updating reference golang:1.12 to golang:1.13 in helm-hooks/Dockerfile
2021/01/21 21:05:42 INFO: updating reference golang:1.12 to golang:1.13 in helm-hooks/Dockerfile
2021/01/21 21:05:46 INFO: updating reference golang:1.12 to golang:1.13 in deploy/Dockerfile
2021/01/21 21:05:46 INFO: changes committed with 67847a0
2021/01/21 21:05:46 INFO: pushing changes to git@github.com:binxio/kritis.git

It will update references to the next available version. You can repeat this process until you are at the highest level. Alternatively, you can specify --latest to bump to the highest level. If you are scared of major version upgrades, add --pin major. Changes are committed and pushed to the repository.

Conclusion

With this utility you will never have to run with out-of-date base images, ever again. It will allow you to detect the use of out-of-date images and automatically update the image references to trigger a new build of your CI/CD pipline.

Image by PublicDomainPictures from Pixabay

Mark van Holsteijn is a senior software systems architect, and CTO of binx.io. He is passionate about removing waste in the software delivery process and keeping things clear and simple.
Share this article: Tweet this post / Post on LinkedIn