FlexibleToast

joined 2 years ago
[–] FlexibleToast@lemmy.world 1 points 11 hours ago

With buildah you can take it even farther and build a container "from scratch." So, no packages at all. Then use your package manager to install the bare minimum to get things done.

[–] FlexibleToast@lemmy.world 2 points 16 hours ago

Yes, but then you're on that specific version of nginx. A lot of containers are built using a multi-stage build process where the first stage uses a container with build tooling to build the application, then a second stage installs the result. So your end image doesn't have the build tooling and no way to update. That's intentional for security reasons. Images are meant to be immutable.

[–] FlexibleToast@lemmy.world 2 points 16 hours ago (2 children)

Back into an OCI image? I don't know if lxc can do that, but podman can. I think it is podman save that allows you to save your current container as an image. Or, even better would be to use buildah. With buildah your expected workflow is to kind of run a container, run a script against that container, then save it at the end. In fact I'm specifically thinking of images I've created with buildah as being almost completely useless with this LXC technique. I've used the RHEL UBI micro image before and it doesn't even have a package manager. You actually mount the container to the host and use the host's package manager to install what is needed and then unmount it to save. It makes a super slim image with as little attack surface as possible.

[–] FlexibleToast@lemmy.world 5 points 1 day ago (4 children)

Right, but these containers are usually not designed to be updated like that. It totally defeats the nature of the OCI image and delivering something that has been tested to work. I'm sure there is a use case for this, but it seems more like a gimmick than a useful feature.

[–] FlexibleToast@lemmy.world 6 points 1 day ago (2 children)

Okay, what importance does that have?

[–] FlexibleToast@lemmy.world 7 points 1 day ago (9 children)

OCI images are very exciting. But, I don't see any way to keep them updated. You don't normally do an update on the applications inside an OCI container, you usually rebuild the container on a new image.

[–] FlexibleToast@lemmy.world 4 points 1 day ago

Yeah, we don't export the most advanced ones. There are limitations on the things we include in the export versions. Also, supposedly NGAD is right around the corner.

[–] FlexibleToast@lemmy.world 22 points 1 day ago

Wait, the insurrectionist would commit treason?

[–] FlexibleToast@lemmy.world 3 points 1 day ago

I think Kim is from her underwear brand, I don't know about the others.

[–] FlexibleToast@lemmy.world 2 points 2 days ago

Yeah, normally. But I will use their generous free tier at their expense.

[–] FlexibleToast@lemmy.world 2 points 2 days ago

Had mine for years at this point. No such problem.
