The other day I was building a container image to pick up some security fixes. When the image was built, it still had older versions of packages that had supposedly been updated in the latest base image, so how could that be?
Well, as it turned out, I had a `latest`-tagged base image in my local registry from the last time I built my container image — it was the latest at the time, but obviously not anymore. When the build ran, it happily used that “latest” base image.
The solution to this problem was to build with the `--pull` flag, which forces a pull of the base image even if it is already available in the local registry. Maybe this tip is not for every situation, but in this case, with respect to security, always pulling a newer base image seems like the right thing to do.