> On 01/02/2017 05:22 PM, Lukas Slebodnik wrote:
> The bug is in the user-supplied container build scripts.  Recommended 
> practice is to run “dnf update” (or “yum update”) as part of the build 
> process.
Could you provide some link where it is recommended?

Because most of the pages say exactly the opposite or do not mention that at all:
https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
"""
You should avoid RUN apt-get upgrade or dist-upgrade, as many of the 
“essential” packages from the base images won’t upgrade inside an unprivileged 
container. If a package contained in the base image is out-of-date, you should 
contact its maintainers.
"""

https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html
"""
Wherever possible, we recommend that you base your image on an appropriate 
upstream image using the FROM statement. This ensures your image can easily 
pick up security fixes from an upstream image when it is updated, rather than 
you having to update your dependencies directly.
"""
Another problem with upgrading all packages in the base image is that
it breaks caching of intermediate layers a little bit when building an image.

> Most distributions do not automatically respin containers for 
> every package update in the base image.
> 
An update of glibc should not be considered as an update of any other package.
glibc is very special. And updating glibc in the rawhide base image would be just a
workaround for an improper release of git master into rawhide. The ideal would be to
follow the guidelines for adding symbols to the latest version in glibc.

LS
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org