> Instead of building and filing away heaps of immutable (read: security nightmare) containers [...]
Is there a consensus on what is(are) the best method(s) to handle security patches automatically in Docker? For example, the official images at https://registry.hub.docker.com/ are fixed in time and you should apply security patches before using them?
The official images aren't fixed in time, assuming you're pulling using a tag, e.g. redis:3.0. That image may be updated at any point and should be updated with minor patches and security updates. Rather than manually apply patches, just pull the image again to get the updates. If the image hasn't been updated, complain loudly.
If you want your image to be "fixed in time", pull by digest instead.
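As an added illustration of the tag-versus-digest distinction above (example code, not from the thread): a small POSIX shell audit that flags FROM lines in a Dockerfile which still float on a tag rather than being pinned to a content digest, plus a helper showing how the daemon resolves a tag to the digest you would pin. The Dockerfile text and the digest in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: tell apart image references that
# float (a tag such as redis:3.0, which the registry may update in place) from
# ones pinned by content digest (@sha256:<64 hex>), and audit a Dockerfile.

# Returns 0 when the reference ends in a well-formed sha256 content digest.
is_digest_pinned() {
  digest=${1##*@}                     # text after the last '@', if any
  [ "$digest" != "$1" ] || return 1   # no '@' at all: tag-only reference
  case "$digest" in sha256:*) ;; *) return 1 ;; esac
  hex=${digest#sha256:}
  [ ${#hex} -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Reads a Dockerfile on stdin and prints each FROM image that is not pinned.
floating_from_refs() {
  while IFS= read -r line; do
    case "$line" in [Ff][Rr][Oo][Mm]\ *) ;; *) continue ;; esac
    set -- $line                      # FROM [--platform=...] image [AS name]
    shift
    while [ $# -gt 0 ]; do            # skip options such as --platform=...
      case "$1" in --*) shift ;; *) break ;; esac
    done
    [ $# -gt 0 ] || continue
    is_digest_pinned "$1" || echo "floating: $1"
  done
  return 0
}

# Resolves a floating tag to the digest the daemon currently has for it, so it
# can be pinned as image@sha256:... (needs a Docker daemon; not run below).
resolve_digest() {
  docker pull "$1" >/dev/null &&
    docker inspect --format '{{index .RepoDigests 0}}' "$1"
}

# Constructed Dockerfile; the digest is a made-up placeholder of the right shape.
SAMPLE_DOCKERFILE='FROM redis:3.0 AS base
FROM --platform=linux/amd64 redis@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM ubuntu
RUN echo hello'

printf '%s\n' "$SAMPLE_DOCKERFILE" | floating_from_refs
```

Running it prints the two floating references (redis:3.0 and ubuntu); the digest-pinned line is left alone.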