UPDATE 2015-04-03: As it turns out, I was not successfully updating the base Ubuntu image for my app. That aspect of this post has been revised.
I've been doing some playing around with Dokku recently to deploy a private app I've been working on. Despite the fact that it's a bit nitpicky to set up, it's a really great deployment platform. If you're willing to spend a little bit of time setting it up, it's worth it.
However, one thing that's sorely missing from the Dokku docs is the maintenance of the server, specifically how to keep up to date with security issues. With Heartbleed, Shellshock, POODLE, GHOST, and others over the last year, I care a lot about that.
What I've discovered is that there are three levels you need to monitor: your app, the base OS, and your containers.
First, and most obvious, is your app. I'm working on a Rails app, and so a regular gem update; git commit -am 'Update Gemfile' is a necessary maintenance step. What I haven't found yet (if this exists let me know) is something that notifies you when any dependencies in your Gemfile have an available update. If this doesn't exist, you'll get Kudos from me if you build it. If you don't I'll get to it eventually.
Second, there's your host OS. Since Dokku runs on Ubuntu, an aptitude update && aptitude full-upgrade keeps me up to date, and apticron tells me when there's updates to apply. Solved.
For the third, I'm not sure if Dokku provides a tool for this yet (asking on #dokku on Freenode), but you need to update the base image for your container at the same time you update your host OS. This isn't obvious to anyone who hasn't worked with Docker before.
I found there are a few steps to keeping your apps substrate secure:
- I needed to install the dokku-rebuild plugin. Not strictly necessary, but it helps.
- Whenever apticron notifies me of new packages I need to install on the host, I also run:
- docker pull ubuntu:trusty (Dokku is built on Ubuntu Trusty)
- dokku rebuild:all (Or git push to Dokku again)
I hope that next time someone out there is Googling for this answer that they find this post and it saves them some time and helps them sleep better at night.