
Do not use update instructions alone in the Dockerfile

Details

Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile. Adding the update instruction on its own line of the Dockerfile causes the update layer to be cached. Thus, when you build any image later using the same instruction, the previously cached update layer will be reused. This could prevent fresh updates from being included in later builds.

Solution

Use update instructions together with install instructions (or any other instruction) and pin package versions while installing them. This busts the cache and forces the required versions to be fetched. Alternatively, you can use the --no-cache flag during the docker build process to avoid using cached layers.

Impact

None

Default Value

By default, Docker does not enforce any restrictions on using update instructions.
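The following is an added audit helper, not part of the CIS benchmark or Docker: it flattens a Dockerfile's continued lines and flags any RUN instruction that runs a package-index update without an install in the same instruction, checked against two constructed Dockerfiles (the forbidden pattern and the remediated one). The function names, the base image and the pinned version are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the CIS page: a small audit helper that flags
# RUN instructions invoking a package-index update (apt-get/apt/yum/dnf/apk)
# without an install in the same instruction. Exec-form RUN ["apt-get", ...]
# is not parsed; the sample Dockerfiles below are constructed for this illustration.

# Join backslash-continued lines so a multi-line RUN is checked as one instruction.
flatten_dockerfile() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1"
}

# Return 1 (and print the offending lines) if any RUN performs an update with no
# install/add alongside it; return 0 otherwise.
check_update_alone() {
    offenders=$(flatten_dockerfile "$1" \
        | grep -Ei '^[[:space:]]*RUN[[:space:]]' \
        | grep -E '(apt-get|apt|yum|dnf|apk)[[:space:]]+update' \
        | grep -Ev '[[:space:]](install|add)([[:space:]]|$)' || true)
    if [ -n "$offenders" ]; then
        printf 'FAIL %s: update instruction used alone:\n%s\n' "$1" "$offenders"
        return 1
    fi
    printf 'PASS %s\n' "$1"
}

# Constructed sample 1: the pattern the control forbids. The update layer is
# cached on its own, so later builds reuse a stale package index.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
FROM debian:bookworm
RUN apt-get update
RUN apt-get install -y curl
EOF

# Constructed sample 2: update, pinned install (version is a placeholder) and
# list cleanup in one instruction, so a changed pin busts the cached layer.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
FROM debian:bookworm
RUN apt-get update && \
    apt-get install -y --no-install-recommends curl=8.5.0-2 && \
    rm -rf /var/lib/apt/lists/*
EOF
trap 'rm -f "$WEAK" "$GOOD"' EXIT

check_update_alone "$WEAK" || true   # prints FAIL with the offending RUN line
check_update_alone "$GOOD"           # prints PASS
```

The check only detects the layout problem; it does not verify that versions are actually pinned, and `docker build --no-cache` remains the fallback when a cached update layer must be discarded outright.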

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022