Posted to users@solr.apache.org by Jan Høydahl <ja...@cominvent.com> on 2022/02/03 14:40:40 UTC

Solr Docker images and timely security patching in production

Hi,

The project produces official Docker images for every release, including our own bugfix releases.
These images are based on an OpenJDK base image, which is again based on a Linux base image.
Once in a while, when there is a serious bugfix in either Linux or Java, the Solr image gets re-built by Docker.

I wanted to invite a discussion on how you as users handle security patching in your Docker/k8s production environments.

Do you:

A) just pull the image once and let it sit there until next upgrade?
B) pin the exact version, e.g. solr:8.11.1 and pull routinely for Linux / JDK updates?
C) pin the minor version only, e.g. solr:8.1 and pull regularly for any new patch releases?
D) pin the major version only, e.g. solr:8 and pull regularly for any new minor releases?
E) make a custom Dockerfile FROM solr:8 and add "RUN apt upgrade" or similar to stay up to date? How often?
F) None of the above. Please share your best practice.

This thread was triggered from https://issues.apache.org/jira/browse/SOLR-15967, which is really about RPM but strayed into security patching in general.

Thanks,
Jan
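Added example (not part of Jan's post and not Solr project code) showing what options B, C, D and E amount to in practice: how a floating pin such as solr:8 or solr:8.11 resolves to a concrete patch release, how to notice that a pinned tag was rebuilt underneath you, and what a "RUN apt upgrade" Dockerfile needs in order to actually apply patches. The tag list is constructed for the example; the assumption that the official image runs as an unprivileged user named solr should be checked against the image you use.

```shell
#!/bin/sh
# Added example, not code from the original thread or from the Solr project.
# Demonstrates the tag-pinning options (B/C/D) and the custom-Dockerfile
# option (E) from the post. SAMPLE_TAGS is constructed, not fetched.
set -eu

# Constructed sample of the tags a registry might list for the solr image.
SAMPLE_TAGS="8 8.1 8.1.1 8.11 8.11.0 8.11.1 8.9.0 9 9.0 9.0.0 latest"

# newest_tag_for_pin PIN TAGS
# Prints the highest X.Y.Z tag that a floating pin like "8" or "8.11"
# currently points at (options C and D), or nothing if no release matches.
# Only fully qualified X.Y.Z tags are candidates; components sort numerically
# so that 8.11.x correctly ranks above 8.9.x.
newest_tag_for_pin() {
  pin_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for grep -E
  printf '%s\n' $2 \
    | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' \
    | grep -E "^${pin_re}"'(\.|$)' \
    | sort -t '.' -k1,1n -k2,2n -k3,3n \
    | tail -n 1
}

# image_digest IMAGE
# The registry digest the local copy of IMAGE was pulled from
# (empty for images built locally and never pushed).
image_digest() {
  docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null
}

# rebuilt_since_pull IMAGE
# Re-pulls a pinned tag (option B) and reports whether it now points at a
# different digest, i.e. the tag was rebuilt for a Linux/JDK fix or a new
# patch release. Exit 0 if rebuilt, 1 if unchanged. Needs a docker daemon.
rebuilt_since_pull() {
  before=$(image_digest "$1" || true)
  docker pull --quiet "$1" >/dev/null
  after=$(image_digest "$1" || true)
  [ "$before" != "$after" ]
}

# patched_dockerfile BASE
# Emits a Dockerfile for option E. Things a bare "RUN apt upgrade" misses:
# apt-get update must run in the same RUN as the upgrade, otherwise the
# upgrade uses whatever package lists were baked into the base image; the
# official image drops privileges to a user named solr (assumption, confirm
# with `docker image inspect --format '{{.Config.User}}'`), so apt needs a
# temporary USER root; and the package lists are removed afterwards so they
# do not end up in the layer.
patched_dockerfile() {
  cat <<EOF
FROM $1
USER root
RUN apt-get update \\
 && DEBIAN_FRONTEND=noninteractive apt-get upgrade -y --no-install-recommends \\
 && rm -rf /var/lib/apt/lists/*
USER solr
EOF
}

# Demo on the constructed tag list (no docker daemon required).
for pin in 8 8.1 8.11 9; do
  printf 'pin solr:%-5s -> solr:%s\n' "$pin" "$(newest_tag_for_pin "$pin" "$SAMPLE_TAGS")"
done
patched_dockerfile solr:8.11.1
```

Whichever pin you choose, the pull is the part that actually delivers the patch: a running container is not updated by a rebuilt tag, and on Kubernetes `imagePullPolicy: Always` only pulls when a pod is (re)started, so something still has to trigger the rollout. `rebuilt_since_pull` is the check you would run from that scheduled job to decide whether a restart is worth it.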