I’m interested in trying the WordPress image for Docker. I think I understand the general concept. What am I supposed to do about security updates to something like PHP, or the Ubuntu image underneath? How do I keep the whole stack secure, while still keeping my blog intact?
The WordPress image builds on top of the PHP image, which in turn builds on top of Debian.
It’s the responsibility of the owner of the WordPress image to keep it updated with new versions of WordPress and to rebuild the image when the PHP or Debian base images are updated (this can be automated to a certain extent with repository links).
It’s your responsibility to make sure you are using an up-to-date version of the WordPress image. This means regularly running `docker pull` and removing out-of-date containers. You will probably use volumes or data volume containers to hold your site, which can be easily moved to new containers when updating.
Things get more complex if you are using user images that aren’t updated frequently; you may find it easier to pull the source code and keep the packages updated yourself.
In the future, you can expect to see more tooling to check for vulnerabilities and help ensure images are up-to-date.
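The pull-and-replace routine from the answer above, as an added example (not part of the original answer or of the WordPress image's documentation): it pulls the tag, compares the image ID the running container was created from with the one the tag now points to, and recreates the container on the same named volume only when they differ. The container name, volume name, env file holding the database settings, and host port are assumptions.

```shell
#!/bin/sh
# Added example. NAME, VOLUME, ENV_FILE and the host port are hypothetical.
set -eu

IMAGE="${IMAGE:-wordpress:latest}"
NAME="${NAME:-blog}"                # container name (assumption)
VOLUME="${VOLUME:-blog_html}"       # named volume holding the site files (assumption)
ENV_FILE="${ENV_FILE:-./blog.env}"  # WORDPRESS_DB_* settings live here (assumption)

# Image ID the existing container was created from; empty if there is none.
running_image_id() {
  docker inspect --format '{{.Image}}' "$NAME" 2>/dev/null || true
}

# Image ID the tag currently resolves to in the local image store.
local_image_id() {
  docker image inspect --format '{{.Id}}' "$IMAGE"
}

# Pull the tag, then recreate the container only if the tag moved.
# Prints "up-to-date" or "recreated".
update_blog() {
  docker pull "$IMAGE" >/dev/null
  old="$(running_image_id)"
  new="$(local_image_id)"
  if [ "$old" = "$new" ]; then
    echo "up-to-date"
    return 0
  fi
  if [ -n "$old" ]; then
    docker stop "$NAME" >/dev/null
    # Removes the container only; the named volume and its data stay.
    docker rm "$NAME" >/dev/null
  fi
  # The image stores the site under /var/www/html, so the same volume is
  # mounted there and the new container picks up the existing blog.
  docker run -d --name "$NAME" --env-file "$ENV_FILE" \
    -v "$VOLUME:/var/www/html" -p 8080:80 "$IMAGE" >/dev/null
  echo "recreated"
}

# Execute only when called as "script run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
  update_blog
fi
```

Run it from cron or a systemd timer; because the tag is compared by image ID, a rebuild of `wordpress:latest` on a patched PHP or Debian base triggers a recreate even when the WordPress version itself is unchanged.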
I guess you have a Dockerfile so that you can easily build your image. When a vulnerability is disclosed, you apply the fix, build a new image, and deploy it. A good read is this recent post: http://jpetazzo.github.io/2015/05/27/docker-images-vulnerabilities/