I like to believe I'm security conscious. I have different passwords for different services. I try to keep my mobile phones, laptops and servers up-to-date. I try to keep a tight firewall. I generally do a little more than the absolute minimum to protect myself from random cyber accidents. But what about my shining new Internet facing Docker containers?
A lot of people fire up their Docker containers and don't touch them for months or years, just as long as they work. But Docker containers have vulnerabilities, just like any other piece of code glued together and then being exposed to users. I didn't want to be like a lot of people, ignoring my Docker containers completely after launch, so how could I quickly proceed to keep my containers up to date? Of course, being a software engineer at heart, my first step was to craft a quick and dirty solution!
Right now, I run this script every night, and it makes me sleep just a little tighter: https://github.com/remimikalsen/theawesomegarage/blob/master/docker/example-docker-setup/update-docker-containers.sh
The script shuts down my containers, pulls new images from the remote registry and then performs a forceful rebuild and restarts my containers according to my docker-compose.yml file. In the end, old images are pruned in order to save space.
The solution is quick! I get approximately 45 seconds downtime on each update. I spent a bare couple of hours with research to help me understand Docker better plus an hour to write and test the script.
The solution is dirty! I take down all my containers every time, even if there are no changes in the underlying images. And I don't pull any updates to Git repositories automatically (but it's easy enough to add it). It's by no means a viable CI/CD solution, but it's good enough for my single home developer/production/experimentation server - for now.
I'm fully aware there are methods to diff hashes of images and identify when I need to build new containers. I'm aware there is a Docker API to assist me. I could also be better off using Docker Swarm, Kubernetes or OpenShift to get no downtime to my setup. But I'm happy with my simple docker-compose setup, so when I endeavour to do better updates, I'll probably fire up an Ouroboros container, a local Docker registry and leave my quick and dirty script behind.
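A shell version of the sequence described above (down, pull, forced rebuild, up, prune), added here as an example and not the author's script, which also adds the image-hash comparison mentioned as a possible improvement so that containers are only recreated when a pulled image actually changed. It assumes the Docker Compose v2 plugin (`docker compose`), a compose file at `docker-compose.yml`, and a `DOCKER` variable naming the docker binary (override it to dry-run).

```shell
#!/bin/sh
# Added example, not the author's script: nightly refresh of a docker-compose
# project, recreating containers only when a pulled image actually changed.
# Assumes Docker Compose v2 ("docker compose"); override DOCKER to dry-run/test.
set -eu

COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"   # assumed path
DOCKER="${DOCKER:-docker}"
FORCE="${FORCE:-0}"   # FORCE=1 rebuilds even when no pulled image changed

compose() { $DOCKER compose -f "$COMPOSE_FILE" "$@"; }

# One "<image-ref> <image-id>" line per image the compose file references.
# Images are resolved by reference, not via running containers, because a
# container keeps pointing at the old image ID after the tag moves.
image_ids() {
    compose config --images | sort -u | while read -r ref; do
        id=$($DOCKER image inspect -f '{{.Id}}' "$ref" 2>/dev/null || echo missing)
        printf '%s %s\n' "$ref" "$id"
    done
}

# Pull everything; succeed (0) only if at least one image ID changed.
pull_changed() {
    before=$(image_ids)
    compose pull --quiet
    after=$(image_ids)
    [ "$before" != "$after" ]
}

# The post's sequence: stop, forced rebuild, start, prune dangling images.
rebuild_and_restart() {
    compose down
    compose build --no-cache --pull
    compose up -d
    $DOCKER image prune -f
}

# Prints "updated" or "no change" so a cron log shows what happened.
run_update() {
    if [ "$FORCE" = 1 ] || pull_changed; then
        rebuild_and_restart
        echo updated
    else
        echo "no change"
    fi
}

# Run only when invoked as a script with --run (e.g. from a nightly cron job).
if [ "${1:-}" = "--run" ]; then run_update; fi
```

Services built from a local Dockerfile are only rebuilt when a pulled image changed or `FORCE=1` is set, since the comparison covers registry images, not base images.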
For now, I think it's nice to have a simple script that gets the job done with very little trouble and dependencies.
If you want to check out my setup, see The awesome garage on GitHub.