Staying secure by breaking Docker caching
When building Docker images, caching lets you speed up rebuilding images.
But this has a downside: it can keep you from installing security updates from your base Linux distribution.
If you cache the image layer that includes the security update… you’re not getting new security updates!
There are a number of ways you can try to balance caching with getting security updates, with different tradeoffs.
In this article we’ll cover:
- Caching by default, with recurring rebuild and redeploys.
- Deliberately breaking caching.
- Caching during development, never caching in production builds.
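As an added illustration of the second approach (deliberately breaking caching), not taken from the article: `REFRESHED_AT` is a hypothetical build argument that is handed a fresh value on each build (for example `docker build --build-arg REFRESHED_AT=$(date -I) .`), and `myapp.py` is a placeholder application. Docker invalidates its cache at the first use of an `ARG` whose value changed, so every layer from that `RUN` onward is rebuilt and the upgrade actually runs.

```dockerfile
FROM python:3.11-slim

# Hypothetical build argument (added example, not from the article). Pass a new
# value on every build, e.g. `--build-arg REFRESHED_AT=$(date -I)`. A changed
# ARG value causes a cache miss at its first *use*, not at its definition.
ARG REFRESHED_AT=unknown

# The argument must be used inside the same RUN that installs the updates;
# otherwise this layer is still served from the cache. Keeping update, upgrade
# and cleanup in one RUN keeps the package index and the upgrade in one layer.
RUN echo "last refreshed: ${REFRESHED_AT}" && \
    apt-get update && \
    apt-get -y upgrade && \
    rm -rf /var/lib/apt/lists/*

# Placeholder application (assumption for the example).
COPY myapp.py .
ENTRYPOINT ["python", "myapp.py"]
```

If the build argument is not passed, the default value never changes and the layer is cached exactly as before, so the date must actually be supplied by the build script or CI job.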
Recap: the problem
I’ve written a separate article about this problem but here’s a recap.
Consider the following Dockerfile:
FROM python:3.11-slim
RUN apt-get update &&