As part of Oracle's ongoing commitment to security, we regularly release updates to the official Oracle Linux base images hosted on the Docker Hub and in the official Oracle GitHub repository. In the past month, we have released 5 updates across the Oracle Linux 5, 6 and 7 images to cover several CVEs that have been fixed.
Here are some tips and tricks to help ensure that applications and services you publish using the Oracle Linux base images are as secure as possible.
Use the version tag to ensure you get the latest version of Oracle Linux
When constructing your Dockerfile, Oracle recommends using FROM oraclelinux:7 to ensure that your build process uses the latest version of the Oracle Linux image hosted on the Docker Hub.
Pull the latest version of the base image before building your image
Docker uses a local cache to improve the performance of building images. However, this can result in images being built using older base images. Before building your image, it's good to update any base images by using the docker pull command. Using the latest image from the Docker Hub means that your images will have the latest security and bug fix errata applied.
Update the image during the build process
Of course, even pulling the latest Oracle Linux base image doesn't ensure that the latest updates have been applied. To be absolutely sure, you can add an update line to your Dockerfile to pull the latest updates during the build process.
For example, to use the Oracle Linux 7 base image and update it during build, you could use something like this in your Dockerfile:
    FROM oraclelinux:7
    RUN yum -y update && yum clean all
These two directives tell Docker to use the available Oracle Linux 7 base image and then use yum (which is pre-configured inside the official image) to update the image immediately and remove the yum-created metadata. This is required to keep the resulting Docker layer as small as possible.
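The three tips above combined into one build wrapper, as an added example that is not Oracle's own tooling. The function names are hypothetical and the script assumes the docker CLI is on the PATH. It goes one step beyond the text by building with --no-cache, because Docker's build cache can otherwise reuse a yum update layer produced by an earlier build.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): refresh base images, then build.

# Print each external base image named in FROM lines, skipping "scratch"
# and references to earlier build stages.
base_images() {
    awk '
        toupper($1) == "FROM" {
            i = 2
            while ($i ~ /^--/) i++      # skip flags such as --platform=...
            img = $i
            if (img != "scratch" && !(img in stages) && !seen[img]++) print img
            if (toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
        }
    ' "$1"
}

# Succeed only if every RUN that does a yum update also runs "yum clean all"
# in the same instruction, so the metadata never lands in a layer.
update_cleans_in_same_layer() {
    # Join backslash-continued lines so each RUN is checked as one line.
    sed -e :a -e '/\\$/N' -e 's/\\\n//' -e ta "$1" | awk '
        toupper($1) == "RUN" && /yum .*update/ && !/yum clean all/ { bad = 1 }
        END { exit bad + 0 }
    '
}

# Usage: refresh_and_build TAG [DOCKERFILE] [CONTEXT]  (hypothetical helper)
refresh_and_build() {
    tag=$1 file=${2:-Dockerfile} ctx=${3:-.}
    update_cleans_in_same_layer "$file" || {
        echo "$file: yum update without yum clean all in the same RUN" >&2
        return 1
    }
    for img in $(base_images "$file"); do
        docker pull "$img" || return 1
    done
    # --no-cache makes Docker re-run the yum update instead of reusing a
    # RUN layer cached by an earlier build.
    docker build --no-cache -t "$tag" -f "$file" "$ctx"
}
```

Source the file and run refresh_and_build myapp:latest from the directory that holds the Dockerfile; the build is refused if a yum update and its cleanup are split across separate RUN instructions.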