We regularly see Windows and Linux updates, and these can be applied automatically if we configure the system that way. Can we expect a similar approach for Docker as well? This document tries to help you understand.
Software has a lifecycle, and modification is part of it. Below are the reasons for software releases/upgrades:
New feature
Maintenance and bug-fixes
Security update
Since Docker runs applications, it should also provide a way to upgrade them.
An upgrade/downgrade works by deleting all instances and replacing them with new instances running the new version.
MySQL upgrade example
docker pull mysql
docker stop my-mysql-container
docker rm my-mysql-container
docker run --name=my-mysql-container --restart=always \
-e MYSQL_ROOT_PASSWORD=mypwd -v /my/data/dir:/var/lib/mysql -d mysql
The containers are supposed to be lightweight and interchangeable.
Updates will be baked into the base images, so you don't need to apt-get upgrade your containers. Because of the isolation that containers impose, an in-container upgrade can often fail if something tries to modify init or make device changes inside the container. It also produces inconsistent images, because you no longer have one source of truth for how your application should run and which versions of dependencies are included in the image.
If there are security updates that a base image needs, let upstream know so that they can update it for everyone and ensure that your builds are consistent again.
Watchtower is an application that monitors your running Docker containers and watches for changes to the images that those containers were originally started from. If Watchtower detects that an image has changed, it automatically restarts the container using the new image.
Watchtower pull
root@ubuntu:~/ws1/TOT/usr.src/cpx# docker pull centurylink/watchtower
Using default tag: latest
latest: Pulling from centurylink/watchtower
a3ed95caeb02: Already exists
802d894958a2: Already exists
411fca6de37d: Already exists
Digest: sha256:1b208177d603af4bad6d64c77baf59e5dd166db18d1ad87853a91801ace66ce7
Status: Image is up to date for centurylink/watchtower:latest
root@ubuntu:~/ws1/TOT/usr.src/cpx# docker images centurylink/watchtower
REPOSITORY TAG IMAGE ID CREATED SIZE
centurylink/watchtower latest d7c1fe761b15 9 months ago 5.871 MB
A script can be written that periodically checks whether the base version has been updated. If it has, the script applies the new version to the associated Docker instances.
Sample automation script for upgrade
#!/usr/bin/env bash
set -e
BASE_IMAGE="registry"
REGISTRY="registry.hub.docker.com"
IMAGE="$REGISTRY/$BASE_IMAGE"
# IDs of running containers whose `docker ps` line mentions the image
CID=$(docker ps | grep "$IMAGE" | awk '{print $1}')
docker pull "$IMAGE"
for im in $CID
do
    # ID of the image just pulled vs. the image the container was created from
    LATEST=$(docker inspect --format "{{.Id}}" "$IMAGE")
    RUNNING=$(docker inspect --format "{{.Image}}" "$im")
    NAME=$(docker inspect --format '{{.Name}}' "$im" | sed "s/\///g")
    echo "Latest: $LATEST"
    echo "Running: $RUNNING"
    if [ "$RUNNING" != "$LATEST" ]; then
        echo "upgrading $NAME"
        # stop/start are service-manager job commands; this assumes each
        # container is run by a job named docker-<name>
        stop "docker-$NAME"
        docker rm -f "$NAME"
        start "docker-$NAME"
    else
        echo "$NAME up to date"
    fi
done
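An added example (not from the original page, and not Watchtower's own code): before an automated upgrade replaces containers, the digest reported by `docker pull` can be checked against a reviewed list, so a changed image is rolled out only after it has been approved. The function names, the allowlist file and the sample container data are assumptions; the digest is the one shown in the pull transcript above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names, the allowlist
# file and the sample container data are hypothetical/constructed.

# stdin: `docker pull` output. Prints the value of its "Digest:" line.
pulled_digest() {
    awk '$1 == "Digest:" { print $2; exit }'
}

# $1 = digest, $2 = allowlist file (one approved digest per line).
# An empty digest (pull output without a Digest line) is never approved.
digest_approved() {
    [ -n "$1" ] && [ -f "$2" ] && grep -Fxq -- "$1" "$2"
}

# stdin: "<name> <image id>" per running container, in the form printed by
# docker inspect --format '{{.Name}} {{.Image}}' <container>.
# $1 = ID of the freshly pulled image. Prints names of stale containers.
stale_containers() {
    while read -r name running; do
        [ -n "$name" ] || continue
        [ "$running" = "$1" ] || printf '%s\n' "${name#/}"
    done
}

# $1 = pull output, $2 = allowlist file, $3 = latest image ID,
# $4 = container listing. Prints containers to replace; fails if unapproved.
upgrade_plan() {
    plan_digest=$(printf '%s\n' "$1" | pulled_digest)
    if digest_approved "$plan_digest" "$2"; then
        printf '%s\n' "$4" | stale_containers "$3"
    else
        echo "refusing upgrade: digest '$plan_digest' is not approved" >&2
        return 1
    fi
}

# Constructed sample input (digest copied from the pull transcript above).
SAMPLE_DIGEST='sha256:1b208177d603af4bad6d64c77baf59e5dd166db18d1ad87853a91801ace66ce7'
SAMPLE_PULL="latest: Pulling from centurylink/watchtower
Digest: $SAMPLE_DIGEST
Status: Image is up to date for centurylink/watchtower:latest"
SAMPLE_CONTAINERS='/web-1 sha256:aaaa
/web-2 sha256:bbbb'

ALLOW=$(mktemp)    # demo allowlist that approves the sample digest
printf '%s\n' "$SAMPLE_DIGEST" > "$ALLOW"
upgrade_plan "$SAMPLE_PULL" "$ALLOW" 'sha256:aaaa' "$SAMPLE_CONTAINERS"
rm -f "$ALLOW"
```

The allowlist is matched as a whole line, so a truncated or prefixed digest is rejected rather than treated as approved.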
http://stackoverflow.com/questions/26734402/how-to-upgrade-docker-container-after-its-image-changed
http://stackoverflow.com/questions/26423515/how-to-automatically-update-your-docker-containers-if-base-images-are-updated
https://github.com/CenturyLinkLabs/watchtower
http://crosbymichael.com/dockerfile-best-practices-take-2.html
https://cloud.google.com/container-engine/docs/clusters/upgrade
http://serverfault.com/questions/611082/how-to-handle-security-updates-within-docker-containers
http://serverfault.com/questions/677059/automatically-update-docker-containers-using-webhooks