

Attention Linux users, developers and sysadmins: Don't forget to regularly update your Linux containers! They're essentially miniature Linux systems that need the same care and attention. By keeping them updated, you'll avoid running outdated and potentially vulnerable software like OpenSSL, PHP, Python, MySQL, PostgreSQL, and more. Protect your systems and data. Update today!


in reply to nixCraft 🐧

One of the biggest challenges in k8s, just keeping all those base image versions updated and software supply chain security generally. A real pain point.
in reply to nixCraft 🐧

are you referring to docker and kubernetes containers?

I am still learning 😅

in reply to flipflap

@flipflap I'm talking about all Linux containers. Docker, LXD/Incus, Podman, rkt, LXC, CRI-O etc. They all use Linux kernel features but have different management tools and use cases. But at the end of the day they all need updates. That is what we need to remember.
in reply to nixCraft 🐧

What are your thoughts on updating versus destroying them and deploying new, updated containers?
in reply to Scott Wilson 🌈

@scottwilson Containers are ephemeral. The best practice is to stop, destroy, and redeploy Linux containers. Since data is stored outside of containers, you only need to deploy a new, updated container with your application. At least that is how I do it. Hah...
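The stop, destroy and redeploy flow described in the reply above, as an added shell example (not code from the thread or from nixCraft). It assumes the Docker CLI; the image, container and volume names are placeholders, and the data directory is kept in a named volume so it survives the container being destroyed:

```shell
#!/usr/bin/env bash
# Added example: pull the image, and only stop/destroy/recreate the container
# when the image ID it was started from differs from the one now tagged locally.
set -eu

IMAGE="${IMAGE:-postgres:16}"   # placeholder image tag
NAME="${NAME:-db}"              # placeholder container name
VOLUME="${VOLUME:-db-data}"     # named volume: data lives outside the container

# Pure decision helper: redeploy when nothing is running, or when the running
# container's image ID no longer matches the freshly pulled image ID.
needs_redeploy() {
  running="$1"
  latest="$2"
  if [ -z "$running" ]; then
    return 0
  fi
  [ "$running" != "$latest" ]
}

# Image ID the existing container was created from (empty if it does not exist).
running_image_id() {
  docker inspect --format '{{.Image}}' "$NAME" 2>/dev/null || true
}

redeploy() {
  docker pull "$IMAGE" >/dev/null
  latest="$(docker image inspect --format '{{.Id}}' "$IMAGE")"
  running="$(running_image_id)"
  if needs_redeploy "$running" "$latest"; then
    # Destroy the old container; the named volume keeps the data.
    docker rm -f "$NAME" >/dev/null 2>&1 || true
    docker run -d --name "$NAME" -v "$VOLUME:/var/lib/postgresql/data" "$IMAGE"
    echo "redeployed $NAME from $IMAGE ($latest)"
  else
    echo "$NAME already runs $latest; nothing to do"
  fi
}

if [ "${1:-}" = "run" ]; then
  redeploy
fi
```

Run it from a scheduled job as `./redeploy.sh run`; the same comparison works for any image, only the volume mount path changes per application.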
in reply to nixCraft 🐧

BUT do not blindly trust those 'vulnerability scanners' the compliance people like so much. Hits for binaries or libraries that are not touched at all by the container at runtime are false positives. A buffer overflow in `grep` does not affect your PostgreSQL container. This unfortunately renders those scanners useless most of the time, because actual relevant warnings are drowned in false positives and you constantly rebuild images and redeploy applications for nothing.
in reply to defnull

@defnull I agree. Those scanners are useful and have their place. However, it's crucial to pay attention to the email lists or RSS feeds of distributions like Debian, RHEL, or Ubuntu. These communities or companies are often the first to fix and release information about major security issues. Since containers are built using the same software, you can test and redeploy/rebuild your Linux containers.