The worst so-called “best practice” for Docker

Somebody is always wrong on the Internet, and bad Docker packaging advice is quite common.
But one particular piece of advice keeps coming up, and it’s dangerous enough to merit its own article.

In a whole bunch of places you will be told not to install security updates when building your Docker image.
I’ve been submitting PRs to fix this, so it’s up in fewer places now.

But previously this advice was given by the official Docker docs’ best practices page:

Avoid RUN apt-get upgrade and dist-upgrade, as many of the “essential” packages from the parent images cannot upgrade inside an unprivileged container.

To be clear: RUN commands happen during image build, not during container startup.
The documentation there is saying “build
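As an added example that is not from the original post (the base image, the package installed and the layer layout are my assumptions, not the author's), here is a Dockerfile that does what the quoted advice tells you not to do: it applies the distribution's security updates at build time. The single line the quoted advice would have you delete is marked.

```dockerfile
# Assumed base image; any Debian/Ubuntu-derived image works the same way.
FROM debian:bookworm-slim

# Everything in a RUN step executes during `docker build`, not when a
# container starts, so the "cannot upgrade inside an unprivileged container"
# objection quoted from the old best-practices page does not apply here.
#
# `apt-get update` and `apt-get upgrade` are chained in ONE RUN so the package
# lists and the upgrade are never split across cached layers (a cached
# `update` layer with a fresh `upgrade` layer would install from stale lists).
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y --no-install-recommends ca-certificates && \
    rm -rf /var/lib/apt/lists/*
#   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#   `apt-get upgrade -y` is the line the quoted advice says to leave out.
#   Without it, whatever vulnerable package versions shipped in the base
#   image are what every container started from this image will run.

# Assumed application payload; replace with your own.
COPY app/ /opt/app/
CMD ["/opt/app/run"]
```

One caveat a practitioner should keep in mind: Docker caches the RUN layer, so a later `docker build` will reuse the old upgrade step unless the layer is invalidated (for example, `docker build --no-cache`, or a scheduled rebuild). Installing updates at build time only helps if images are actually rebuilt on a regular cadence.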
