
How to keep your Dockerfile container image references up-to-date


30 January, 2021
Mark van Holsteijn


Whenever you build a container image, chances are that you are using public images as a base. But how do you keep your image up-to-date with the latest releases? In this blog I will introduce a utility which will allow you to keep your Dockerfile container image references up-to-date.

In classic IT operations, "patch management" is a thing. On a frequent basis, all the components in the data center are updated to run the latest release of the software. With the Cloud-native principle of immutable infrastructure this no longer applies. There are no machines to log into and any changes you do make will not persist.

For this reason, we created a utility named "fromage" which will allow you to detect out-of-date container image references. It will also allow you to update them automatically.

install the utility

To install the utility, type:

git clone https://github.com/binxio/fromage
cd fromage
git checkout 0.2.4
go install

You can also use the docker image binxio/fromage:0.2.4.

list container image references

To list container image references in your git repository, type:

fromage list --branch master --verbose https://github.com/binxio/kritis

It iterates over all Dockerfiles in all branches in the repository, prints all container
image references, and lists newer versions if available.

IMAGE                                    PATH                                      BRANCH  NEWER
golang:1.12                              helm-hooks/Dockerfile                     master  1.13,1.14,1.15
gcr.io/gcp-runtimes/ubuntu_16_0_4        helm-release/Dockerfile                   master
ubuntu:trusty                            vendor/golang.org/x/net/http2/Dockerfile  master
golang:1.12                              deploy/Dockerfile                         master  1.13,1.14,1.15
gcr.io/distroless/base:latest            deploy/Dockerfile                         master
gcr.io/google-appengine/debian10:latest  deploy/gcr-kritis-signer/Dockerfile       master
gcr.io/gcp-runtimes/ubuntu_16_0_4        deploy/kritis-int-test/Dockerfile         master
gcr.io/google-appengine/debian10:latest  deploy/kritis-signer/Dockerfile           master

checking out-of-date references

To check whether there are newer references available, type:

./fromage check --branch master --verbose https://github.com/binxio/kritis

It iterates over all Dockerfiles in all branches in the repository and prints all container
image references which are out-of-date. If any are found, it exits with code 1.

IMAGE        PATH                   BRANCH  NEWER
golang:1.12  helm-hooks/Dockerfile  master  1.13,1.14,1.15
golang:1.12  deploy/Dockerfile      master  1.13,1.14,1.15

You can use this in your CI/CD pipeline as a quality control gate.
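
One way to wire `fromage check` into a pipeline step, added here as an example and not taken from the fromage project. The function name `base_image_gate`, the `FROMAGE` variable, exit code 2 for tool failures, and a whitespace-separated table on standard output are assumptions; only exit code 1 for out-of-date references comes from the text above.

```shell
#!/bin/sh
# Added example: CI gate around `fromage check` (not part of fromage itself).
# Assumptions: FROMAGE names the binary; the report arrives on stdout as a
# whitespace-separated table with an IMAGE header row; any exit code other
# than 0 or 1 means the check could not run.
FROMAGE="${FROMAGE:-fromage}"

# base_image_gate REPO_URL [BRANCH]
# Returns 0 when all references are current, 1 when out-of-date references
# were found (fail the build), 2 when the check itself failed.
base_image_gate() {
    gate_repo="$1"
    gate_branch="${2:-master}"
    gate_status=0
    # "|| gate_status=$?" keeps the function usable in scripts run with set -e.
    # stderr is left alone so fromage's own log lines reach the build log.
    gate_report=$("$FROMAGE" check --branch "$gate_branch" --verbose "$gate_repo") \
        || gate_status=$?
    case "$gate_status" in
        0)  echo "base images up-to-date in $gate_repo ($gate_branch)"
            return 0 ;;
        1)  # Turn each table row into one actionable line for the build log.
            printf '%s\n' "$gate_report" | awk '
                $1 == "IMAGE" { next }   # skip the header row
                NF >= 4 { printf "STALE %s in %s (%s): newer %s\n", $1, $2, $3, $4; n++ }
                END { printf "%d out-of-date reference(s)\n", n }'
            return 1 ;;
        *)  # A network or auth error must not pass as "nothing to update".
            echo "fromage check failed (exit $gate_status)" >&2
            return 2 ;;
    esac
}
```

Call it as `base_image_gate https://github.com/binxio/kritis master` and let its return code decide the step result.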

bring container references up-to-date

To update the container image references to the next available version, type:

$ ./fromage bump --branch master --verbose git@github.com:binxio/kritis.git
2021/01/21 21:05:42 INFO: updating reference golang:1.12 to golang:1.13 in helm-hooks/Dockerfile
2021/01/21 21:05:42 INFO: updating reference golang:1.12 to golang:1.13 in helm-hooks/Dockerfile
2021/01/21 21:05:46 INFO: updating reference golang:1.12 to golang:1.13 in deploy/Dockerfile
2021/01/21 21:05:46 INFO: changes committed with 67847a0
2021/01/21 21:05:46 INFO: pushing changes to git@github.com:binxio/kritis.git

It will update references to the next available version. You can repeat this process until you are at the highest level. Alternatively, you can specify --latest to bump to the highest level. If you are scared of major version upgrades, add --pin major. Changes are committed and pushed to the repository.

Conclusion

With this utility you will never have to run with out-of-date base images, ever again. It will allow you to detect the use of out-of-date images and automatically update the image references to trigger a new build of your CI/CD pipeline.
