« Back to projectatomic.io
Ask Your Question

Does OS patching require container patching?

asked 2014-12-01 08:15:07 +0000

Saurabh gravatar image

Let us assume I have 100 containers running on 10 hosts all running Atomic and each of the container using Atomic as base image. Now, a vulnerability was detected in Atomic and needs to be patched. I assume we will update 10 hosts quite easily by running package manager update utility. How about 100 containers? Would they require to be rebuilt, reimaged, and then I kill my 100 containers (in say a rolling update) and restart them with the new image? Previously, we had a clean separation of app and platform worlds where each can be patched independently. But now, an OS patch (not Kernel patch) requires everything to be rebuilt and redeployed. Is this really necessary? What are the choices for resolving this? Thanks, AB

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-12-10 17:08:14 +0000

jzb gravatar image

Several questions here - let me try to hit them all.

Whether your containers require a rebuild depends on the vulnerability and whether it's in the containr as well as the host. Shellshocked (bash vuln) for example - if you were using Fedora containers and Fedora Atomic host - all would require an update.

Not sure I agree that the previous version was any cleaner - if you had an app running in a VM you still had to deal with the same rebuiild, etc. - you just had more overhead as well. If the app is running directly on the host, sure - you patch once.

As far as resolving.. not quite sure what you're asking there?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

[hide preview]


Asked: 2014-12-01 08:15:07 +0000

Seen: 143 times

Last updated: Dec 10 '14