Is manually upsetting based on trusting the accuracy of the release notes any more secure than just trusting “latest”?
Comment on Docker Hub's trust signals are a lie — and Huntarr is just the latest proof
wilo108@lemmy.ml 20 hours agoI use digests in my docker compose files, and I update them when new versions are released (after reading the release notes) 🤷
BradleyUffner@lemmy.world 16 hours ago
CameronDev@programming.dev 19 hours ago
You might, but I bet the majority of people set and forget.
I rely on watchtower to keep things up to date.
suicidaleggroll@lemmy.world 18 hours ago
Unfortunately that approach is simply not feasible unless you have very few containers or you make it your full time job.
wilo108@lemmy.ml 17 hours ago
I dunno, I’ve never found it all that onerous.
I have a couple of dozen (perhaps ~50) containers running across a bunch of servers, I read the release notes via RSS so I don’t go hunting for news of updates or need to remember to check, and I update when I’m ready to. Security updates will probably be applied right away (unless I’ve read the notes and decided it’s not critical for my deployment(s)), for feature updates I’ll usually wait a few days (dodged a few bullets that way over the years) or longer if I’m busy, and for major releases I’ll often wait until the first point release unless there’s something new I really want.
Unless there are breaking changes it takes a few moments to update the docker-compose.yaml and then
dcp(aliased todocker compose pull) anddcdup(aliased todocker compose down && docker compose up -d && docker compose logs -f).I probably do spend upwards of maybe 15 or 20 minutes a week under normal circumstances, but it’s really not a full time job for me 🤷.
suicidaleggroll@lemmy.world 5 hours ago
I guess it depends on the containers that are being run. I have 175 containers on my systems, and between them I get somewhere around 20 updates a day. It’s simply not possible for me to read through all of those release notes and fully understand the implications of every update before implementing them.
So instead I’ve streamlined my update process to the point that any container with an available update gets a button on an OliveTin page, and clicking that button pulls the update and restarts the container. With that in place I don’t need fully autonomous updates, I can still kick them off manually without much effort, which lets me avoid updating certain “problematic” containers until after I’ve read the release notes while still blindly updating the rest of them. Versions all get logged as well, so if something does go wrong with an update (which does happen from time to time, though it’s fairly rare) I can easily roll back to the previous image and then wait for a fix before updating again.
irmadlad@lemmy.world 4 hours ago
@suicidaleggroll is running a Docker Hub backup. LOL
RIotingPacifist@lemmy.world 16 hours ago
Yeah this is why I use Debian instead of containers, you can read the release notes on a stable release.