Best practices for following base image updates

[ceejatec]

Our official image (couchbase) extends the ubuntu base image. We would like to have our official image rebuilt with some frequency (monthly?) to pick up any security updates that have been integrated into that base image. Is that something you already do for official images? If not, how would you recommend we trigger it? I'm not sure if we can make a PR to docker-library/official-images as our library/couchbase control file would not have changed, unless we introduced an empty commit in our Dockerfile repository (which we're happy to do if that's the current best practice).

[yosifkit]

That is automatic; anytime that an image is updated, all images that are FROM it are rebuilt.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also means that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file).

- https://github.com/docker-library/faq/blob/master/README.md#why-does-my-security-scanner-show-that-an-image-has-cves

[ceejatec]

Ah, excellent! I missed that part of the FAQ. Thanks for the response.