Run apt-get upgrade to patch known vulnerabilities faster

jupyter · Dec 15, 2021 · bc68192 · bc68192
1 parent 9e53812
commit bc68192
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/base-notebook/Dockerfile b/base-notebook/Dockerfile
@@ -19,9 +19,14 @@ USER root
 
 # Install all OS dependencies for notebook server that starts but lacks all
 # features (e.g., download as all possible file formats)
-# Install tini: init for containers
+# - tini is installed as a helpful container entrypoint that reaps zombie
+#   processes and such of the actual executable we want to start, see
+#   https://github.com/krallin/tini#why-tini for details.
+# - apt-get upgrade is run to patch known vulnerabilities in apt-get packages as
+#   the ubuntu base image is rebuilt too seldom (less than once a month)
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update --yes && \
+    apt-get upgrade --yes && \
     apt-get install --yes --no-install-recommends \
     tini \
     wget \