Automatically update Docker images
Docker is cool. It jails tools into containers. That of course sounds clean, safe and beautiful etc. However, the tools are still buggy and subject to the usual attacks, just as if they were running on your main host! Thus, you still need to make sure your containers are up to date.
But how would you do that?
Approaches so far
docker-compose pull
On the one hand, let’s assume you’re using Docker Compose. Then you can go to the directory containing the docker-compose.yml and call docker-compose pull.
However, this will only update the images used in that Docker Compose setup; all the other images on your system won’t be updated, and you need to repeat that for every Docker Compose environment. And if you’re running 30 containers of the same image, it would check 30 times for an update of that image, quite a waste of power and time.
dupdate
On the other hand, you may use the dupdate tool, introduced earlier:
It is able to go through all your images and update them, one after the other.
That way, all the images on your system will be updated.
However, dupdate doesn’t know about running containers. Thus, currently running tools and services won’t be restarted.
Better: Docker Auto-Update
Therefore, I just developed a tool called Docker Auto-Update that combines the benefits of both approaches.
It first calls dupdate -s to update all your images and then iterates over a pre-defined list of Docker Compose environments to call docker-compose up -d --remove-orphans.
The tool consists of three files:
- /etc/cron.daily/docker-updater reads the configuration in /etc/default/docker-updater and does the regular update
- /etc/default/docker-updater stores the configuration. You need to set the ENABLED variable to 1, otherwise the update tool won’t run.
- /etc/docker-compose-auto-update.conf carries a list of Docker Compose environments. Add the paths to the docker-compose.yml files on your system, one per line.
As it’s installed in /etc/cron.daily/, cron will take care of the job and update your images and containers on a daily basis.
If your system is configured properly, cron will send an email to the system administrator when it updates an image or restarts a container.
You see, no magic, but a very convenient workflow! :)
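To make the workflow concrete, here is a hypothetical re-implementation of the cron script’s logic, added as an example here and not the project’s own code. It uses the three file paths and the two commands named above; the DUPDATE/COMPOSE overrides and the function names are my own additions so the flow can be exercised without touching Docker.

```shell
#!/bin/sh
# Hypothetical re-implementation of the docker-updater cron job's logic (example
# code, not the project's own script). Paths and commands follow the post; the
# DUPDATE/COMPOSE overrides exist so the flow can be exercised without Docker.
set -eu

CONFIG="${DOCKER_UPDATER_CONFIG:-/etc/default/docker-updater}"
COMPOSE_LIST="${DOCKER_UPDATER_LIST:-/etc/docker-compose-auto-update.conf}"
DUPDATE="${DUPDATE:-dupdate}"
COMPOSE="${COMPOSE:-docker-compose}"

# Returns 0 only if the config file sets ENABLED=1 (the post's kill switch).
updater_enabled() {
    ENABLED=0
    [ -r "$CONFIG" ] && . "$CONFIG"
    [ "${ENABLED:-0}" = "1" ]
}

# Print the directory of every listed docker-compose.yml, one per line.
# Blank lines and '#' comments are ignored; a listed file that no longer
# exists is reported on stderr and skipped instead of aborting the run.
compose_dirs() {
    [ -r "$COMPOSE_LIST" ] || return 0
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in ''|'#'*) continue ;; esac
        if [ -f "$path" ]; then
            dirname "$path"
        else
            echo "docker-updater: skipping missing compose file: $path" >&2
        fi
    done < "$COMPOSE_LIST"
}

# Refresh all images first, then bring each environment up on the new images.
# A failing environment is reported and the others are still processed.
run_update() {
    updater_enabled || { echo "docker-updater: ENABLED is not 1, nothing to do"; return 0; }
    "$DUPDATE" -s
    compose_dirs | while IFS= read -r dir; do
        echo "docker-updater: updating $dir"
        ( cd "$dir" && "$COMPOSE" up -d --remove-orphans ) \
            || echo "docker-updater: update failed in $dir" >&2
    done
}

# Run only when executed as the cron script, so the functions can be sourced.
if [ "${0##*/}" = "docker-updater" ]; then
    run_update
fi
```

Because cron mails everything written to stdout and stderr, each skipped file and failed environment ends up in the daily mail the post asks you to read.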
Installation
Manual
To install the Docker Auto-Update tool, you may clone the git repository at GitHub. Then,
- move the ./etc/cron.daily/docker-updater script to /etc/cron.daily/docker-updater
- move the ./etc/default/docker-updater config file to /etc/default/docker-updater
- update the setup in /etc/default/docker-updater; at least set ENABLED=1
- create a list of Docker Compose config files in /etc/docker-compose-auto-update.conf, one path to a docker-compose.yml per line.
Debian Package
If you’re using a Debian based system you may install the Docker-Tools through my apt-repository:
Afterwards, configure /etc/default/docker-updater and at least set ENABLED=1.
This way, you’ll stay up-to-date with bug fixes etc.
Disclaimer
The tool will update your images and containers automatically – very convenient but also dangerous! The new version of an image may break your tool or may require an updated configuration.
Therefore, I recommend monitoring your tools through Nagios/Icinga/check_mk or whatever. And study the mails generated by cron!